System for Cross-domain Identity Management (SCIM) is used to integrate identity providers (IdP) with Dremio for external user management. When properly configured, IdPs send the credentials of assigned users securely via SCIM to your Dremio organization, automatically creating user accounts if they do not already exist. These new users, also referred to as external users, may then log in to Dremio according to the policies set by your credential manager.
You cannot reset or change an external user’s email address or password from Dremio, because these are governed by your organization’s identity manager. If you delete an external user from Dremio, the identity provider will automatically re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, follow the steps for Microsoft Azure Active Directory (AAD) or Okta.
- SCIM endpoint(s) created (specifically for Azure Active Directory or Okta)
The following configuration settings must be used:
- Version: SCIM 2.0+
- Connector Authentication Method: Header Auth
- Sign-on Option: Secure Web Authentication
Configuring Azure Active Directory with SCIM
Microsoft Azure AD may be configured to securely provision external users on Dremio using SCIM. To do so, follow the procedure described on Microsoft’s documentation portal.
Configuring Okta with SCIM
Before configuring SCIM, you must have Okta integrated with Dremio. Once integrated, you must then configure Okta with SCIM.