Configure Okta as an Identity Provider Enterprise
This page describes how to use the new Dremio Cloud application to configure OIDC SSO in Okta. For information about the former method using a custom application, read Okta Custom Application Workflow.
Dremio supports Okta as an enterprise identity provider. Okta administrators can use the Dremio Cloud application to enable single sign-on (SSO) authentication and allow users to log in to Dremio using Okta as the trusted third party.
Prerequisites
Configuring OIDC SSO in Okta requires:
- Super Administrator access in Okta.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role in a Dremio Enterprise account.
Supported Features
Dremio supports the following Okta SSO features:
- Service provider-initiated (SP-initiated) SSO: Dremio uses the OpenID Connect (OIDC) protocol for SP-initiated SSO. When users provide their email address to log in to Dremio, Dremio sends an authentication request to Okta. Okta then authenticates the user's identity, and the user is logged in to Dremio.
Dremio also allows you to take advantage of Okta's System for Cross-domain Identity Management (SCIM) provisioning feature and manage Dremio user access from Okta. After you configure Okta for OIDC SSO in this guide, follow Configure SCIM Provisioning with Okta to use SCIM provisioning.
Configure OIDC SSO
To configure Okta OIDC SSO for Dremio users:
1. In Okta, navigate to Applications > Applications and click the Browse App Catalog button.
2. Type Dremio in the search field and select Dremio Cloud in the list of search results.
3. Click the Add Integration button.
4. (Optional) Type a custom label in the Application label field.
5. Select your Dremio control plane region from the Region dropdown menu: US or EU.
6. Click Done. Okta creates the Dremio Cloud application and displays the application's Assignments tab.
7. Click the Sign On tab.
8. Copy and save the client ID and client secret listed under OpenID Connect. The client ID and client secret are sensitive information and should be kept somewhere private. You will use them to configure authentication in Dremio later in this procedure.
9. Click the OpenID Provider Metadata link to open the OpenID configuration for the application.
10. Copy and save the URL value for the issuer key at the top of the OpenID configuration. You will use it to configure authentication in Dremio later in this procedure.
11. In Dremio, on the organization page, click the Settings icon next to the organization name.
12. Click the Authentication tab in the left sidebar.
13. In the Enterprise section, click Add Provider to open the Add Provider dialog.
14. In Step 1, select Okta in the dropdown menu.
15. In Step 3, enter the issuer URL, client ID, and client secret that you copied from Okta in the corresponding fields.
16. Click Add. After the page loads, you should see Okta as an authentication provider in the Enterprise section.
17. Click the Enabled toggle to activate the Okta authentication provider.
Okta is now configured as an enterprise authentication provider. The Log in with Okta button appears in the list of log-in options for your Dremio users.
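Before the issuer value copied from the OpenID Provider Metadata is pasted into Dremio, it is worth confirming that it is consistent with the rest of the metadata document: the issuer must be an https URL, must match the URL the document was fetched from (the OIDC Discovery rule that defends against issuer mix-up), and the endpoints Dremio will contact must sit on that same host. The following checker is an added example, not Dremio's or Okta's code; the metadata document and the example-tenant.okta.com hostname are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an Okta OpenID Provider Metadata document;
# the tenant hostname is a placeholder, not a real Okta org.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example-tenant.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-tenant.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-tenant.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-tenant.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
SAMPLE_DISCOVERY_URL = (
    "https://example-tenant.okta.com/oauth2/default/.well-known/openid-configuration"
)
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_metadata(document: str, discovery_url: str) -> tuple[str, list[str]]:
    """Return (issuer, problems); an empty list means the issuer value is
    consistent and safe to paste into Dremio's Add Provider dialog."""
    meta = json.loads(document)
    problems: list[str] = []
    issuer = meta.get("issuer", "")
    iss = urlparse(issuer)
    # OIDC Discovery 4.3: issuer must be https and must equal the discovery URL
    # minus the well-known suffix (guards against issuer mix-up).
    if iss.scheme != "https" or not iss.netloc:
        problems.append("issuer is missing or not an https URL")
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("issuer does not match the URL the metadata was fetched from")
    # Every endpoint Dremio will contact must be https on the issuer's host.
    for key in ENDPOINT_KEYS:
        ep = urlparse(meta.get(key, ""))
        if ep.scheme != "https" or ep.netloc != iss.netloc:
            problems.append(f"{key} is not an https URL on the issuer host")
    # SP-initiated login needs the authorization code flow.
    if "authorization_code" not in meta.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("code response type not advertised")
    # ID tokens must be asymmetrically signed; 'none' is never acceptable.
    algs = meta.get("id_token_signing_alg_values_supported", [])
    if "none" in algs or "RS256" not in algs:
        problems.append("unacceptable id_token signing algorithms: " + ", ".join(algs))
    return issuer, problems
```

Run it against the real document you opened in Okta by passing its JSON body and the URL shown in the browser's address bar; only an empty problem list should be carried into Dremio.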
Assign People and Groups to the Dremio Cloud Application
Follow the instructions in the Okta documentation to assign people or assign groups to the Dremio Cloud application to ensure that users can use Okta for SSO log-in. The users you assign, whether individually or through their membership in an assigned group, can use the Log in with Okta button immediately.
Use privileges and roles to manage user access to objects in Dremio.
Use Okta SSO to Log in to Dremio
Any Okta user who is assigned to the Dremio Cloud application can log in with Okta immediately. To use Okta SSO to log in to Dremio:
1. Open the Dremio login page.
2. Type your email address in the Email field and click Continue.
3. Click the Log in with Okta button.
4. When you are redirected to the Okta website for authentication, enter your Okta username and password and click Sign In.
Okta authenticates your identity and redirects you to Dremio, which then logs you in.
To configure Okta's SCIM provisioning feature and use Okta to manage access for Dremio users, follow Configure SCIM Provisioning with Okta.
Revoke Okta SSO Login for a User or Group
To revoke users' access to Okta SSO login for Dremio:
1. In your Dremio Cloud application in Okta, click the Assignments tab.
2. In the left menu, under Filters, select People to deactivate a user or Groups to deactivate a group of users.
3. Find the row for the user or group you want to deactivate and click the X on the right side of the row.
4. In the confirmation dialog that appears, click OK.
Starting immediately, the deactivated users cannot use Okta OIDC SSO to log in to Dremio.
To completely delete Dremio users, you must also manually remove their user accounts in Dremio.
Troubleshooting
This section describes some things to keep in mind about OIDC SSO in Okta.
- To add the Dremio Cloud application in Okta and configure OIDC SSO, you must be a super administrator in the Okta organization.
- If you revoke a user's access to Okta SSO login in Okta, the user can still log in to Dremio with their Dremio username and password. To completely delete the user so that they cannot log in to Dremio at all, you must manually remove their user account in Dremio.
If you have other issues when configuring OIDC SSO in Okta with the Dremio Cloud application, contact Support.