Configuring a Generic OpenID Connect Provider with SCIM Enterprise
You can use System for Cross-domain Identity Management (SCIM) to integrate a generic OpenID Connect (OIDC) provider with Dremio for managing external users. When properly configured, the OIDC provider sends the credentials of assigned users securely via SCIM to your Dremio organization and automatically creates Dremio user accounts if they do not already exist. The OIDC provider also automatically updates user attributes in Dremio and deactivates Dremio user accounts.
Before you can configure SCIM provisioning, you must configure a generic OIDC provider as an enterprise identity provider in Dremio. Follow the instructions in Generic OpenID Connect Identity Provider to integrate a Dremio application in a generic OIDC provider for single sign-on (SSO) in Dremio. When that is done, follow this guide to configure SCIM for secure user provisioning.
To configure SCIM for Okta or Microsoft Entra ID, see SCIM with Microsoft Entra ID or SCIM with Okta.
Prerequisites
Configuring SCIM provisioning requires:
- Privileges in your OIDC provider that permit you to register and configure applications.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role in a Dremio Enterprise account.
- A Dremio personal access token (PAT) for a Dremio user who is a member of the ADMIN role.
You must configure a generic OIDC identity provider before you proceed with SCIM provisioning.
Configure SCIM Provisioning
The steps required to configure and enable SCIM provisioning vary for different OIDC providers. Follow the instructions in your OIDC provider's documentation.
Use a Dremio PAT as the API Token or Secret Token value when you configure authentication for SCIM requests in your OIDC provider's portal.
To configure SCIM provisioning, use the endpoint for your control plane.
US Control Plane: https://scim.dremio.cloud/scim/v2
EU Control Plane: https://scim.eu.dremio.cloud/scim/v2
After SCIM provisioning is configured and enabled, you can create users, update user attributes, and deactivate users in Dremio from your OIDC provider's portal.
Create Users
After you configure SCIM provisioning, Dremio automatically creates a new Dremio user account for anyone you assign to the Dremio application in your OIDC provider who does not already have an account. New Dremio users can log in to Dremio with SSO immediately, and administrators can view their user accounts in Dremio.
New users are automatically members of the PUBLIC role in Dremio.
User email addresses are controlled by your OIDC provider rather than Dremio. If a user's email address changes, you must create a new user in your OIDC provider and assign them to the Dremio application. Then, the user can use the new email address to log in to Dremio as a new user.
Update User Attributes
With SCIM provisioning configured, updates to user attributes in your OIDC provider are propagated to the user account in Dremio.
The first name and last name attributes are mapped to user accounts in Dremio. After you configure SCIM provisioning and allow user attributes to be updated, you can change these user attributes in your OIDC provider to update the corresponding user information in Dremio.
Deactivate Users
When you revoke a user or group in your OIDC provider, the affected users cannot use OIDC SSO to log in to Dremio. After you configure SCIM provisioning and deactivate users, they become inactive in Dremio and cannot log in to Dremio at all with SSO.
To completely delete Dremio users, you must also manually remove their user accounts in Dremio.
Troubleshooting
This section describes some things to keep in mind about SCIM provisioning with the Dremio application in your OIDC provider.
- Dremio does not allow username updates. If you change a user's username in your OIDC provider after the user is assigned to the Dremio application, the OIDC provider sends a request to update the username in Dremio. Dremio denies the request because Dremio username changes are not allowed.
- Changing an existing user's primary email address in the OIDC provider has no effect on the user's account in Dremio. To permit a user to authenticate to Dremio with the new email address, add the user to your OIDC provider as a new person using the new email address. Then, assign the new user to the Dremio application (either individually as a person or by adding them to an assigned group). The OIDC provider creates a new Dremio user who can use SSO to log in to Dremio with the new email address.
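As an added example (not Dremio's own code), the following Python builds the standard SCIM 2.0 requests behind the three operations described above: creating a user, updating the name attributes, and deactivating a user, and it refuses to build a username change because Dremio denies such requests. It assumes the control-plane endpoints accept RFC 7644 /Users and PatchOp requests with the Dremio PAT as a Bearer token; the user id, names and token are placeholders.

```python
"""Minimal SCIM 2.0 request builder for the Dremio control-plane endpoints.
Added example, not Dremio's code. Assumes RFC 7643/7644 semantics (a /Users
resource, PatchOp updates, PAT as Bearer token); ids and names are placeholders."""
import json
import urllib.request

SCIM_BASE = {
    "us": "https://scim.dremio.cloud/scim/v2",
    "eu": "https://scim.eu.dremio.cloud/scim/v2",
}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def build_request(control_plane, method, path, body, pat):
    """Return an unsent urllib Request carrying the Dremio PAT as a Bearer token."""
    if control_plane not in SCIM_BASE:
        raise ValueError(f"unknown control plane: {control_plane}")
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(SCIM_BASE[control_plane] + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {pat}")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Accept", "application/scim+json")
    return req

def create_user(control_plane, email, given, family, pat):
    """POST /Users: the request an OIDC provider sends when a user is assigned."""
    body = {"schemas": [USER_SCHEMA], "userName": email, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}]}
    return build_request(control_plane, "POST", "/Users", body, pat)

def patch_user(control_plane, user_id, changes, pat):
    """PATCH /Users/{id} with one replace op per attribute path. userName
    changes are refused locally because Dremio denies them (see Troubleshooting)."""
    if "userName" in changes:
        raise ValueError("Dremio does not allow username updates")
    ops = [{"op": "replace", "path": k, "value": v} for k, v in changes.items()]
    body = {"schemas": [PATCH_SCHEMA], "Operations": ops}
    return build_request(control_plane, "PATCH", f"/Users/{user_id}", body, pat)

def deactivate_user(control_plane, user_id, pat):
    """Set active=false; the account persists until an admin removes it in Dremio."""
    return patch_user(control_plane, user_id, {"active": False}, pat)

def send(req):
    """Send a prepared request; returns (HTTP status, parsed SCIM response body)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")
```

Inspect a prepared request's `full_url`, headers and `data` before calling `send`, and keep the PAT out of source control (read it from an environment variable or a secret store).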