Configuring a Generic OpenID Connect Provider with SCIM Enterprise

You can use System for Cross-domain Identity Management (SCIM) to integrate a generic OpenID Connect (OIDC) provider with Dremio for managing external users. When properly configured, the OIDC provider sends the credentials of assigned users securely via SCIM to your Dremio organization and automatically creates Dremio user accounts if they do not already exist. The OIDC provider also automatically updates user attributes in Dremio and deactivates Dremio user accounts.

Before you can configure SCIM provisioning, you must configure a generic OIDC provider as an enterprise identity provider in Dremio. Follow the instructions in Generic OpenID Connect Identity Provider to integrate a Dremio application in a generic OIDC provider for single sign-on (SSO) in Dremio. When that is done, follow this guide to configure SCIM for secure user provisioning.

note

To configure SCIM for Okta or Microsoft Entra ID, see SCIM with Microsoft Entra ID or SCIM with Okta.

Prerequisites

Configuring SCIM provisioning requires:

note

You must configure a generic OIDC identity provider before you proceed with SCIM provisioning.

Configure SCIM Provisioning

The steps required to configure and enable SCIM provisioning vary for different OIDC providers. Follow the instructions in your OIDC provider's documentation.

Use a Dremio personal access token (PAT) as the API Token or Secret Token value when you configure authentication for SCIM requests in your OIDC provider's portal.

To configure SCIM provisioning, use the endpoint for your control plane.

US Control Plane: https://scim.dremio.cloud/scim/v2
EU Control Plane: https://scim.eu.dremio.cloud/scim/v2

After SCIM provisioning is configured and enabled, you can create users, update user attributes, and deactivate users in Dremio from your OIDC provider's portal.

Create Users

After you configure SCIM provisioning, Dremio automatically creates a new Dremio user account for anyone you assign to the Dremio application in your OIDC provider who does not already have an account. New Dremio users can log in to Dremio with SSO immediately, and administrators can view their user accounts in Dremio.

New users are automatically members of the PUBLIC role in Dremio.

note

User email addresses are controlled by your OIDC provider rather than Dremio. If a user's email address changes, you must create a new user in your OIDC provider and assign them to the Dremio application. Then, the user can use the new email address to log in to Dremio as a new user.

Update User Attributes

With SCIM provisioning configured, updates to user attributes in your OIDC provider are propagated to the user account in Dremio.

The first name and last name attributes are mapped to user accounts in Dremio. After you configure SCIM provisioning and allow user attributes to be updated, you can change these user attributes in your OIDC provider to update the corresponding user information in Dremio.

Deactivate Users

When you revoke a user or group in your OIDC provider, the affected users cannot use OIDC SSO to log in to Dremio. After you configure SCIM provisioning and deactivate users, they become inactive in Dremio and cannot log in to Dremio at all with SSO.

caution

To completely delete Dremio users, you must also manually remove their user accounts in Dremio.

Troubleshooting

This section describes some things to keep in mind about SCIM provisioning with the Dremio application in your OIDC provider.

  • Dremio does not allow username updates. If you change a user's username in your OIDC provider after the user is assigned to the Dremio application, the OIDC provider sends a request to update the username in Dremio. Dremio denies the request because Dremio username changes are not allowed.

  • Changing an existing user's primary email address in the OIDC provider has no effect on the user's account in Dremio. To permit a user to authenticate to Dremio with the new email address, add the user to your OIDC provider as a new person using the new email address. Then, assign the new user to the Dremio application (either individually as a person or by adding them to an assigned group). The OIDC provider creates a new Dremio user who can use SSO to log in to Dremio with the new email address.
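The following Python module is an added example (not Dremio's code or the page's own) that ties together the configuration, create, update, deactivate and troubleshooting sections above: it builds the SCIM request an OIDC provider sends to the control-plane endpoint with the PAT as a bearer token, and `apply_patch` is a constructed model of the rules this page documents for Dremio (first/last name and active flag are mapped, username changes are denied, email changes have no effect). The sample user, the PAT placeholder and the `apply_patch` behaviour are assumptions for illustration.

```python
from copy import deepcopy

# Dremio Cloud SCIM base URLs from this page; choose the one for your control plane.
SCIM_BASE = {
    "us": "https://scim.dremio.cloud/scim/v2",
    "eu": "https://scim.eu.dremio.cloud/scim/v2",
}

def scim_request(control_plane, path, pat):
    """URL and headers the IdP sends to Dremio: the PAT travels as a Bearer token."""
    return {
        "url": f"{SCIM_BASE[control_plane]}{path}",
        "headers": {"Authorization": f"Bearer {pat}",
                    "Content-Type": "application/scim+json"},
    }

def create_user_payload(email, given_name, family_name):
    """SCIM core User the IdP POSTs to /Users, limited to the attributes the page says Dremio maps."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }

def apply_patch(user, patch):
    """Constructed model (not Dremio's implementation) of SCIM 2.0 'replace' PatchOps
    under the rules documented on this page.
    Returns (updated_user, outcome) where outcome is 'updated', 'denied' or 'ignored'."""
    updated = deepcopy(user)
    outcome = "ignored"
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        path = op["path"]
        if path == "userName":
            return user, "denied"  # Dremio does not allow username updates
        if path in ("name.givenName", "name.familyName"):
            updated["name"][path.split(".")[1]] = op["value"]  # mapped attributes
            outcome = "updated"
        elif path == "active":
            updated["active"] = bool(op["value"])  # False deactivates the account
            outcome = "updated"
        elif path.startswith("emails"):
            continue  # email changes have no effect on an existing Dremio account
        else:
            raise ValueError(f"unmapped attribute {path}")
    return updated, outcome
```

Run the `userName` case against your own provider's SCIM logs to confirm the denied response is the one described in the Troubleshooting section rather than an authentication failure.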