
Configuring a Generic OpenID Connect Identity Provider (Enterprise)

Dremio supports the generic OpenID Connect (OIDC) authentication protocol as an enterprise identity provider. OIDC provider administrators can register a Dremio application and use it to enable single sign-on (SSO) and allow users to log in using an OIDC provider as the trusted third party.

note

To configure Microsoft Entra ID or Okta as an identity provider, see Microsoft Entra ID as an Identity Provider or Okta as an Identity Provider.

Dremio also allows you to use System for Cross-domain Identity Management (SCIM) provisioning to manage Dremio user access from your OIDC provider. After you configure your provider for OIDC SSO, refer to your OIDC provider's documentation to configure SCIM. See SCIM with a Generic OpenID Connect Provider to use SCIM provisioning in Dremio.

Prerequisites

Configuring SSO in a generic OIDC provider requires:

  • Privileges in the OIDC provider that permit you to add, configure, and register applications.
  • The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role in a Dremio Enterprise account.

Configure OIDC SSO

To configure OIDC SSO for Dremio users:

  1. In Dremio, on the organization page, click the Settings icon (the gear that represents the Organization settings) next to the organization name.

  2. Click the Authentication tab in the left sidebar.

  3. In the Enterprise section, click Add Provider to open the Add Provider dialog.

  4. In Step 1, select OpenID Connect (OIDC) in the dropdown menu.

  5. Copy and save the Redirect URL listed in Step 2. The redirect URL is sensitive information and should be kept somewhere private. You will need it to register a Dremio application in your OIDC provider portal in the next step.

  6. In your OIDC provider portal, register Dremio as an application.

  7. Copy and save the client ID and client secret for your OIDC provider. The client ID and client secret are sensitive information and should be kept somewhere private. You will use them to configure authentication in Dremio later in this procedure.

  8. Copy and save the issuer value from the OIDC configuration. You will use it to configure authentication in Dremio later in this procedure.

  9. In Dremio, in Step 3 of the Add Provider dialog, enter the issuer URL, client ID, and client secret that you copied from your OIDC provider portal in the corresponding fields.

  10. Click Add. After the page loads, you should see your OIDC provider in the Enterprise section.

  11. Click the Enabled toggle to activate your OIDC provider.

OIDC as an enterprise identity provider is now configured. The Log in with SSO button appears in the list of log-in options for your Dremio users.
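
A pre-flight check for the issuer value copied in step 8, as an added example that is not part of Dremio's documentation or code. It assumes the provider publishes OpenID Connect Discovery metadata at `<issuer>/.well-known/openid-configuration` and that the SSO login uses the authorization code flow; `check_discovery` and the `idp.example.com` metadata are constructed for illustration.

```python
from urllib.parse import urlsplit

# Metadata fields that must be URLs (names from OpenID Connect Discovery 1.0).
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Return a list of problems found in a provider's discovery document.

    issuer: the issuer value copied from the OIDC provider portal.
    doc:    parsed JSON from <issuer>/.well-known/openid-configuration.
    """
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer is not an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # Exact string comparison: a trailing slash or case difference is a mismatch.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for field in ENDPOINT_FIELDS:
        value = doc.get(field)
        if not value:
            problems.append(f"{field} is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https")
    # Assumption: the SSO redirect login uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    return problems


# Constructed sample metadata for a hypothetical provider, not real output.
SAMPLE = {
    "issuer": "https://idp.example.com/realms/analytics",
    "authorization_endpoint": "https://idp.example.com/realms/analytics/auth",
    "token_endpoint": "https://idp.example.com/realms/analytics/token",
    "jwks_uri": "https://idp.example.com/realms/analytics/certs",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    print(check_discovery("https://idp.example.com/realms/analytics", SAMPLE))
    # Trailing slash copied by mistake: reported as an issuer mismatch.
    print(check_discovery("https://idp.example.com/realms/analytics/", SAMPLE))
```

An empty list means the issuer string can be entered as copied; any reported mismatch should be resolved in the provider portal before the provider is enabled.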

Use SSO to Log in to Dremio

Any user who is assigned to the Dremio application in your OIDC provider can log in with SSO immediately. To use SSO to log in to Dremio:

  1. Open the Dremio login page.

  2. Type your email address in the Email field and click Continue.

  3. If you belong to more than one Dremio organization, select the organization to log in to.

  4. Click the Log in with SSO button.

  5. When you are redirected to your OIDC provider for authentication, enter your username and password.

The OIDC provider authenticates your identity and redirects you to Dremio, which then logs you in.

note

To configure SCIM provisioning to manage access for Dremio users, see SCIM with a Generic OpenID Connect Provider.

Revoke SSO Login for a User or Group

To revoke users' access to SSO login for Dremio:

  1. In your OIDC provider's portal, navigate to the Dremio application.

  2. Open the assignment settings for the Dremio application.

  3. Find the user or group whose access you want to revoke and follow your OIDC provider's procedures to revoke access.

Starting immediately, the deactivated users cannot use OIDC SSO to log in to Dremio.

caution

To completely delete Dremio users, you must also manually remove their user accounts in Dremio.

Troubleshooting

This section describes some things to keep in mind about OIDC SSO.

  • Refer to your OIDC provider's documentation to ensure that you have privileges that permit you to add the Dremio application in your OIDC provider and configure OIDC SSO.

  • If you revoke a user's access to use SSO login, the user can still log in to Dremio with their Dremio username and password. To completely delete the user so that they cannot log in to Dremio at all, you must manually remove their user accounts in Dremio.