Configuring Okta with SCIM Enterprise
The Dremio Cloud application for Okta uses System for Cross-domain Identity Management (SCIM) to integrate Okta with Dremio for managing external users. When properly configured, Okta pushes the profile attributes of assigned users (username, email, first name and last name) to your Dremio organization over SCIM, authenticating each request with a Dremio personal access token, and automatically creates Dremio user accounts for users that do not already have one. Okta also updates those attributes in Dremio when they change and deactivates the Dremio account when the user is deactivated or unassigned in Okta. SCIM carries identity attributes, not passwords: provisioned users authenticate to Dremio through Okta SSO.
Before you can configure SCIM provisioning, you must configure Okta as an identity provider (IdP) in Dremio. See Okta as an Identity Provider to integrate the Dremio Cloud application in your Okta organization and add Okta as an OpenID Connect (OIDC) single sign-on (SSO) IdP in Dremio. When that is done, follow this guide to configure Okta to use SCIM for user provisioning.
Prerequisites
Configuring SCIM provisioning in Okta requires:
- Super Administrator access in Okta.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role in a Dremio Enterprise account.
- A Dremio personal access token (PAT).
You must configure Okta as an identity provider using the Dremio Cloud application before you proceed with SCIM provisioning.
Supported Features
Dremio supports the following Okta SCIM provisioning features:
- Create Users: Automatically create a new user account in Dremio for Okta users who are assigned to the Dremio Cloud application, whether they are assigned individually or as members of a group that is assigned to the application.
- Update User Attributes: Automatically update user information in Dremio when a user's profile information is updated in Okta.
- Deactivate Users: Prevent users from logging in to Dremio when they are deactivated in Okta.
- Group Push: Push Okta groups and their members to Dremio to automatically create the corresponding Dremio roles and populate them with the groups' members.
Configure SCIM Provisioning
To configure and enable SCIM provisioning in Okta:
1. Confirm that you have configured Okta as an identity provider using the Dremio Cloud application.
2. In Okta, navigate to Applications > Applications.
3. Find the Dremio Cloud application in the list of applications and click to open it.
4. Click the Provisioning tab.
5. Click the Configure API Integration button.
6. Select Enable API integration.
7. Enter the Dremio PAT in the API Token field. Okta presents this token as a bearer credential on every SCIM request, so issue it from an account that holds the privilege listed in the prerequisites, and note that provisioning stops working as soon as the token expires or is revoked.
8. Click the Test API Credentials button. You should see a confirmation message that the connection was verified successfully. If the test fails, check that the PAT is valid and was issued by an account with the required privilege before continuing.
9. Click Save. Okta displays the Provisioning to App page.
10. Click Edit.
11. Select Enable for the Create Users, Update User Attributes, and Deactivate Users items.
12. Click Save.
SCIM provisioning is now configured and enabled. You can create new users, update user attributes, and deactivate users in Dremio from Okta.
Create Users
After you configure Okta's SCIM provisioning and enable the Create Users option, Dremio automatically creates a new Dremio user account for anyone you assign to the Dremio Cloud application who does not already have an account. New Dremio users can log in to Dremio with Okta SSO immediately, and administrators can view their user accounts in Dremio.
New users are automatically members of the PUBLIC role in Dremio.
User email addresses are controlled by Okta rather than Dremio. If a user's email address changes, you must create a new user in Okta and assign them to the Dremio Cloud application. Then, the user can use the new email address to log in to Dremio as a new user.
Update User Attributes
With SCIM provisioning configured and the Update User Attributes option enabled, changes to a user's profile in Okta are propagated to the corresponding user account in Dremio. Only the First name and Last name attributes are mapped to Dremio user accounts; edit them in Okta by following the instructions in the Okta documentation, and the updated values appear in Dremio. Username and primary email changes are not propagated (see Troubleshooting).
Deactivate Users
When you unassign a user or group from the Dremio Cloud application in Okta, the affected users can no longer use Okta OIDC SSO to log in to Dremio. After you configure Okta's SCIM provisioning and enable the Deactivate Users option, such users are also marked inactive in Dremio and cannot log in to Dremio at all, whether with Okta OIDC SSO or with a username and password.
To completely delete Dremio users, you must also manually remove their user accounts in Dremio.
Group Push
If you enable the group push feature, Okta pushes your designated groups to Dremio as roles and populates the roles with the Okta group's members. Follow the instructions in the Okta documentation to enable group push.
Before you enable group push, make sure to follow Okta's instructions to assign the group to the Dremio Cloud application.
Use Okta to manage any roles you create with group push. Any changes you make to a role or its membership in Dremio are immediately overwritten by the next push from Okta. Making changes in Dremio can result in synchronization errors.
To remove a Dremio role created by group push, unlink the pushed group in the Dremio Cloud application. Unlinking the pushed group deletes the corresponding role in Dremio but does not delete the group members' Dremio user accounts.
Troubleshooting
This section describes some things to keep in mind about SCIM provisioning in Okta with the Dremio Cloud application.
- Group push is not supported for groups that do not have any members. Pushing a group that does not have any members will result in an error.
- In Okta, it is possible to change a user's username. Dremio does not allow username updates. If you change a user's Okta username after the user is assigned to the Dremio Cloud application, Okta sends a request to update the username in Dremio. Dremio denies the request because Dremio username changes are not allowed.
- Changing an existing user's primary email address in Okta has no effect on the user's account in Dremio. To permit a user to authenticate to Dremio with the new email address, add the user to Okta as a new person using the new email address. Then, assign the new Okta user to the Dremio Cloud application (either individually as a person or by adding them to an assigned group). Okta creates a new Dremio user who can use Okta SSO to log in to Dremio with the new email address.
- If you remove a user from an assigned group and the user is still listed as ACTIVE in Dremio, check the Assignments tab in the Dremio Cloud application to make sure the user isn't separately assigned as a person. Okta only sends deactivate requests for users who are both unassigned as a person and removed from assigned groups.
If you have other issues when configuring SCIM user provisioning in Okta with the Dremio Cloud application, contact Support.
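The following simulation is an added illustration and is not Dremio's or Okta's code. It models, end to end, the SCIM exchange described on this page: Okta (the client) sends create, attribute-update and deactivate requests authenticated with the PAT as a bearer token, and a stand-in for Dremio's SCIM endpoint applies the documented rules (new users join PUBLIC, userName changes are denied, primary-email changes have no effect, deactivation marks the account inactive). The client-side helper encodes the last troubleshooting item: a deactivate request is sent only for a user who is unassigned as a person and absent from every assigned group. Endpoint paths and message shapes follow the SCIM 2.0 RFCs (7643/7644), not a verified Dremio API; the token, user and group names are constructed for the example.

```python
"""Simulated SCIM 2.0 provisioning exchange (illustration only, not Dremio/Okta code)."""
from dataclasses import dataclass, field

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


@dataclass
class DremioUser:
    id: str
    username: str
    given_name: str
    family_name: str
    active: bool = True
    roles: list = field(default_factory=lambda: ["PUBLIC"])  # page: new users join PUBLIC


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class FakeDremioScimServer:
    """In-memory stand-in for the Dremio SCIM endpoint (assumed shape, for illustration)."""

    def __init__(self, api_token):
        self.api_token = api_token
        self.users = {}
        self._next_id = 1

    def handle(self, method, path, headers, body=None):
        # Every SCIM call from Okta carries the PAT as a bearer token.
        if headers.get("Authorization") != f"Bearer {self.api_token}":
            return scim_error(401, "invalid or missing API token")
        if method == "POST" and path == "/Users":
            return self._create(body)
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path.rsplit("/", 1)[1], body)
        return scim_error(404, "no such resource")

    def _create(self, body):
        if any(u.username == body["userName"] for u in self.users.values()):
            return scim_error(409, "uniqueness")  # re-assignment must not duplicate a user
        uid = str(self._next_id)
        self._next_id += 1
        self.users[uid] = DremioUser(uid, body["userName"],
                                     body["name"]["givenName"], body["name"]["familyName"])
        return 201, self._resource(self.users[uid])

    def _patch(self, uid, body):
        user = self.users.get(uid)
        if user is None:
            return scim_error(404, "unknown user")
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                return scim_error(400, "only replace is modelled here")
            # Accept both shapes Okta uses: {"path": "attr", "value": v} and {"value": {...}}.
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            if "name" in changes:  # flatten nested name into dotted paths
                changes.update({f"name.{k}": v for k, v in changes.pop("name").items()})
            for attr, value in changes.items():
                if attr == "userName":
                    return scim_error(400, "Dremio does not allow username changes")
                if attr == "name.givenName":
                    user.given_name = value
                elif attr == "name.familyName":
                    user.family_name = value
                elif attr == "active":
                    user.active = bool(value)
                # "emails" and anything else: documented as having no effect in Dremio.
        return 200, self._resource(user)

    def _resource(self, u):
        return {"schemas": [USER_SCHEMA], "id": u.id, "userName": u.username,
                "name": {"givenName": u.given_name, "familyName": u.family_name},
                "active": u.active, "roles": list(u.roles)}


def okta_sends_deactivate(user, person_assignments, assigned_groups, group_members):
    """Troubleshooting rule: deactivate only if unassigned as a person AND in no assigned group."""
    if user in person_assignments:
        return False
    return not any(user in group_members.get(g, ()) for g in assigned_groups)


def run_exchange():
    """Walk through create, name update, denied rename, ignored email change, deactivate."""
    token = "dremio-pat-EXAMPLE"  # constructed for the example; never hard-code a real PAT
    server = FakeDremioScimServer(token)
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}

    def patch(uid, ops):
        return server.handle("PATCH", f"/Users/{uid}", hdr,
                             {"schemas": [PATCH_SCHEMA], "Operations": ops})

    r = {"bad_token": server.handle("POST", "/Users", {"Authorization": "Bearer nope"}, {})}
    r["create"] = server.handle("POST", "/Users", hdr, {
        "schemas": [USER_SCHEMA], "userName": "ada@example.com",
        "name": {"givenName": "Ada", "familyName": "Lovelace"},
        "emails": [{"value": "ada@example.com", "primary": True}]})
    uid = r["create"][1]["id"]
    r["rename_name"] = patch(uid, [{"op": "replace", "path": "name.familyName", "value": "Byron"}])
    r["rename_username"] = patch(uid, [{"op": "replace", "path": "userName", "value": "ada2@example.com"}])
    r["change_email"] = patch(uid, [{"op": "replace", "path": "emails",
                                     "value": [{"value": "ada2@example.com", "primary": True}]}])
    # Okta checks assignments before deciding to send a deactivate request.
    still_in_group = okta_sends_deactivate("ada@example.com", set(), {"analysts"},
                                           {"analysts": {"ada@example.com"}})
    fully_removed = okta_sends_deactivate("ada@example.com", set(), {"analysts"}, {"analysts": set()})
    r["deactivate_sent"] = (still_in_group, fully_removed)
    if fully_removed:
        r["deactivate"] = patch(uid, [{"op": "replace", "value": {"active": False}}])
    return r
```

Running `run_exchange()` shows the sequence an administrator would otherwise only see in Okta's provisioning log: the bad token is rejected with 401 before any resource is touched, the create returns 201 with the PUBLIC role, the family-name patch succeeds, the userName patch is refused with 400 (which is what surfaces as an Okta task error), the emails patch returns 200 but leaves the account unchanged, and the deactivate is only emitted once the user is out of every assigned group.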