Skip to main content

SCIM Enterprise

System for Cross-domain Identity Management (SCIM) allows you to integrate identity providers (IdPs) with Dremio for external user management. When properly configured, IdPs send the credentials of assigned users securely via SCIM to your Dremio organization, automatically creating new user accounts if needed. These new users, also referred to as external users, may then log in to Dremio according to the policies set by your credential manager.

caution

You cannot reset or change an external user's email address or password from Dremio because these tasks are governed by your organization's credential manager. If you delete an external user from Dremio, the IdP automatically re-adds the user's account the next time that user attempts to log in. To properly revoke access to Dremio, follow the steps for Microsoft Entra ID or Okta.

Rate Limits

To provide a consistent experience, Dremio uses rate limits for SCIM provisioning requests.

If a SCIM provisioning request is rejected due to rate limits, Dremio sends the HTTP status code 429 Too Many Requests. Dremio does not send a retry-after response header with 429 responses.

Organization-Wide Rate Limits

Request TypeLimit (Requests per Minute)
Writes (POST, PUT, PATCH, DELETE)600
Reads (GET)1000

User and Group Rate Limits

Request TypeLimit (Requests per Minute)
Retrieve a user or group (GET)300
Create, update, or delete a user or group (POST, PUT, PATCH, DELETE)180

Concurrency Limits

Dremio allows one update to a user or group at a time. While the update is in progress, Dremio locks the user or group and rejects concurrent requests to update the same user or group.

Configure Microsoft Entra ID with SCIM

You can use Microsoft Entra ID to securely provision external users in Dremio with SCIM. See SCIM Provisioning with Microsoft Entra ID for more information and instructions.

Configure Okta with SCIM

Dremio supports the Okta SCIM provisioning feature, which allows you to automatically create Dremio user accounts if they do not already exist, update user attributes in Dremio, and deactivate user accounts, all from Okta.

Before you can configure Okta SCIM provisioning, you must configure Okta as an IdP in Dremio. Follow the instructions in Okta as an Identity Provider to integrate the Dremio Cloud application in your Okta organization and add Okta as an OpenID Connect (OIDC) IdP in Dremio.

After you configure Okta as an IdP, you can configure Okta to use SCIM for secure user provisioning.