Configuring SSO in AWS Edition Enterprise
This topic describes how to configure Dremio AWS Edition for Single Sign On (SSO) authentication with Microsoft Entra ID or an OpenID identity provider.
AWS Edition does not support scale-out coordinators. For deployments requiring multiple coordinators, consider migrating to Dremio Enterprise on Kubernetes.
Requirements
To use Microsoft Entra ID or OpenID, Dremio's webserver must have web server encryption enabled. For more information, see Configuring Wire Encryption.
Configuring Microsoft Entra ID Authentication
To know more about Microsoft Entra ID, see Microsoft Entra ID Authentication
You must do the following changes in azuread.json and dremio.conf files for configuring SSO:
-
Add the following properties in the
Properties to add to azuread.json fileazuread.jsonfile:{
"oAuthConfig": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"redirectUrl": "https://<dremio.host>:9047/sso",
"authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
"scope": "openid profile offline_access",
"jwtClaims": {
"userName": "preferred_username"
}
}
}Where:
clientId: Appears on the Overview screen of your application. This property is also called application ID. AclientIdis applicable to the context where you acquire a token using one of the OAuth flows that Microsoft Entra ID supports. The application ID is same for single application object that corresponds to an application.clientSecret: The secret that was created in the Setting Up Microsoft Entra ID section.redirectUrl: The redirect URI that was created in the Setting Up Microsoft Entra ID section.directory.id: Appears on the Overview screen of your application, also called tenant ID.
noteIn Dremio 24 and later,
clientSecretcan be encrypted using thedremio-admin encryptCLI command. -
Uncomment these two lines in the
Lines to uncomment in thedremio.conffile.dremio.conffileservices.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true -
Add the following configuration in the
Configuration to add to thedremio.conffile.dremio.conffileservices: {
coordinator.enabled: true,
coordinator.web.auth.type: "azuread",
coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
}
Configuring OpenID Authentication
To configure Single Sign On with an Identity Provider over OpenID, perform the following steps:
-
Configure the
Configuration to add to thedremio.conffile to include the following configuration.dremio.conffileservices.coordinator.web.auth.type: "oauth"
services.coordinator.web.auth.config: "/path/to/oauth.json" -
Create an oauth.json file with the following properties.
Configuration to add to oauth.json file{
"clientId": "clientId",
"clientSecret": "clientSecret",
"redirectUrl": "http://dremioHost:9047/sso",
"authorityUrl": "authorityUrl",
"scope": "openid profile email",
"jwtClaims": {
"userName": "$nameField"
},
"parameters": [
{
"name": "access_type",
"value": "offline",
...
}
]
}The following table describes the oauth.json file properties.
Parameter Description clientId It is based on the OpenID provider. clientSecret It is based on the OpenID provider.
NOTE: In Dremio 24+,clientSecretcan be encrypted using thedremio-admin encryptCLI command.redirectUrl The URL where Dremio is hosted. The URL must match the redirect url set in the OpenID Provider. authorityUrl The location where Dremio can find the OpenID discovery document. For example, Google’s location is https://accounts.google.com/.well-known/openid-configurationand the authorityUrl therefore to use ishttps://accounts.google.com, the base location of the well-known directory.scope It is based on the OpenID provider. jwtClaims Maps fields from the JWT token to fields Dremio requires. The only field currently required is userName, which you should set to the field in JWT that contains the user’s username. For example, this can be emailif you want the usernames in Dremio to be the user’s email address.parameters Optional - any additional parameters required by the OpenID providers.
OIDC Authentication with LDAP Authorization
Dremio supports hybrid OIDC authentication with LDAP authorization (OIDC+LDAP), which allows you to authenticate users with OIDC and fetch user information, groups, and group memberships from LDAP. The way that Dremio authenticates with OIDC and fetches information from LDAP does not change. First, Dremio authenticates users with OIDC. From the OIDC flow, Dremio extracts the username from the ID token. Then, Dremio searches for the username and its group membership in LDAP.
LDAP users cannot log in to Dremio using their LDAP usernames and passwords. Username/password login only works for local users.
Follow these steps to configure OIDC+LDAP. Replace values in angle brackets with the correct values for your organization:
- Modify the
dremio.conffile to include the following configuration:
dremio.conf File
services.coordinator.web.auth.type: "oauth+ldap"
services.coordinator.web.auth.config: "</path/to/config.json>"
-
Create a
config.jsonfile in the/confdirectory. -
Add the
oAuthConfigandldapConfigobjects and properties in theconfig.jsonfile.Example Configuration PropertiesnoteThe properties in the
oAuthConfigandldapConfigobjects below are examples. Use the properties that are appropriate for your implementation.- For information about available properties for the
oAuthConfigobject, see the list of properties under OpenID Authentication. - For information about available properties for the
ldapConfigobject, see Configuring LDAP.
{
"oAuthConfig": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"redirectUrl": "http://<dremio.host>:9047/sso",
"authorityUrl": "<Value of the issuer property in the OIDC Discovery Specification>",
"scope": "openid profile offline_access",
"jwtClaims": {
"userName": "<JSON Web Token field that contains the user’s username>"
}
},
"ldapConfig": {
"connectionMode": "<ANY_SSL | TRUSTED_SSL>",
"servers": [
{
"hostname": "<LDAP host>",
"port": <LDAP port>
}
],
"names": {
"bindDN": "<Distinguished Name for LDAP binding>",
"bindPassword": "<Password for bindDN>",
"baseDN": "<Distinguished Name for LDAP base>",
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "<SUB_TREE | ONE | BASE>",
"id": "<LDAP user attribute to map as the user's username>",
"firstname": "<LDAP user attribute to map as first name>",
"lastname": "<LDAP user attribute to map as last name>",
"email": "<LDAP user attribute to map as email>"
},
"groupDNs": [
"<Distinguished Name for LDAP group>"
],
"groupMembership": "<memberOf value>",
"groupFilter": "<LDAP filter for validating groups>",
"autoAdminFirstUser": <true> | <false>,
"userGroupRelationship": "<USER_ENTRY_LISTS_GROUPS | GROUP_ENTRY_LISTS_USERS>"
}
}
} - For information about available properties for the
Upon successful OIDC authentication, the user's username is established as the value provided for the userName property in the oAuthConfig object in the config.json file. Dremio uses the user's username to query LDAP for the user's group membership information.
In the DN-based approach to configuring OIDC+LDAP, Dremio replaces the placeholder {0} with the user's username. For example:
"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
In the attribute-based approach, Dremio looks for the LDAP user whose id value matches the user's username. For example, if you use the following configuration, Dremio looks for the LDAP user whose sAMAccountName matches their username:
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "SUB_TREE",
"id": "sAMAccountName",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
If OIDC authentication and the LDAP search both succeed, Dremio creates a user account with the username. If OIDC authentication is successful but the user's username does not exist in LDAP, the user cannot log in to Dremio.
The LDAP userFilter property works with OIDC+LDAP. You can also use the OIDC application configuration in your identity provider to limit who can authenticate to Dremio.