Version: current [25.x]

Configuring SSO in AWS Edition Enterprise

This topic describes how to configure Dremio AWS Edition for Single Sign On (SSO) authentication with Microsoft Entra ID or an OpenID identity provider.

Requirements

To use Microsoft Entra ID or OpenID, web server encryption must be enabled on Dremio's web server. For more information, see Configuring Wire Encryption.

Configuring Microsoft Entra ID Authentication

Note: To learn more about Microsoft Entra ID, see Microsoft Entra ID Authentication.

To configure SSO, make the following changes in the azuread.json and dremio.conf files:

  1. Add the following properties in the azuread.json file:

    Properties to add to azuread.json file
    {
      "oAuthConfig": {
        "clientId": "<clientId>",
        "clientSecret": "<clientSecret>",
        "redirectUrl": "https://<dremio.host>:9047/sso",
        "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
        "scope": "openid profile offline_access",
        "jwtClaims": {
          "userName": "preferred_username"
        }
      }
    }

    Where:

    • clientId: Appears on the Overview screen of your application. This property is also called the application ID. A clientId applies in the context where you acquire a token using one of the OAuth flows that Microsoft Entra ID supports. The application ID is the same for the single application object that corresponds to an application.
    • clientSecret: The secret that was created in the Setting Up Microsoft Entra ID section.
    • redirectUrl: The redirect URI that was created in the Setting Up Microsoft Entra ID section.
    • directory.id: Appears on the Overview screen of your application, also called tenant ID.

    Note: In Dremio 24 and later, clientSecret can be encrypted using the dremio-admin encrypt CLI command.

  2. Uncomment these two lines in the dremio.conf file.

    Lines to uncomment in dremio.conf file
    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true
  3. Add the following configuration in the dremio.conf file.

    Configuration to add to dremio.conf file
    services: {
      coordinator.enabled: true,
      coordinator.web.auth.type: "azuread",
      coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
    }

Configuring OpenID Authentication

To configure Single Sign On with an Identity Provider over OpenID, perform the following steps:

  1. Configure the dremio.conf file to include the following configuration.

    Configuration to add to dremio.conf file
    services.coordinator.web.auth.type: "oauth"
    services.coordinator.web.auth.config: "/path/to/oauth.json"
  2. Create an oauth.json file with the following properties.

    Configuration to add to oauth.json file
    {
      "clientId": "clientId",
      "clientSecret": "clientSecret",
      "redirectUrl": "http://dremioHost:9047/sso",
      "authorityUrl": "authorityUrl",
      "scope": "openid profile email",
      "jwtClaims": {
        "userName": "$nameField"
      },
      "parameters": [
        {
          "name": "access_type",
          "value": "offline",
          ...
        }
      ]
    }

    The following table describes the oauth.json file properties.

    Parameter | Description
    --- | ---
    clientId | It is based on the OpenID provider.
    clientSecret | It is based on the OpenID provider. NOTE: In Dremio 24+, clientSecret can be encrypted using the dremio-admin encrypt CLI command.
    redirectUrl | The URL where Dremio is hosted. The URL must match the redirect URL set in the OpenID Provider.
    authorityUrl | The location where Dremio can find the OpenID discovery document. For example, Google’s location is https://accounts.google.com/.well-known/openid-configuration and the authorityUrl therefore to use is https://accounts.google.com, the base location of the well-known directory.
    scope | It is based on the OpenID provider.
    jwtClaims | Maps fields from the JWT token to fields Dremio requires. The only field currently required is userName, which you should set to the field in JWT that contains the user’s username. For example, this can be email if you want the usernames in Dremio to be the user’s email address.
    parameters | Optional - any additional parameters required by the OpenID providers.
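
A pre-flight check for an oauth.json object, built from the rules in the table and the Requirements section above. This is an added example, not Dremio code: the function names and placeholder heuristics are assumptions, and the https check on redirectUrl is inferred from the requirement that web server encryption be enabled.

```python
from urllib.parse import urlsplit

REQUIRED = ("clientId", "clientSecret", "redirectUrl", "authorityUrl", "scope")

def discovery_url(authority_url):
    # authorityUrl is the base location of the .well-known directory.
    return authority_url.rstrip("/") + "/.well-known/openid-configuration"

def is_placeholder(key, value):
    # Template leftovers as they appear on the page: "clientId", "$nameField", "<clientId>".
    v = str(value).strip()
    return v == "" or v == key or v.startswith("$") or (v.startswith("<") and v.endswith(">"))

def check_oauth_config(cfg):
    """Return findings for an oauth.json-style object; an empty list means clean."""
    findings = []
    for key in REQUIRED:
        if is_placeholder(key, cfg.get(key, "")):
            findings.append(f"{key}: missing or still a template placeholder")
    if urlsplit(str(cfg.get("redirectUrl", ""))).scheme != "https":
        findings.append("redirectUrl: not https, although SSO requires web server encryption")
    if "/.well-known/" in str(cfg.get("authorityUrl", "")):
        findings.append("authorityUrl: must be the base location, not the discovery document")
    if "openid" not in str(cfg.get("scope", "")).split():
        findings.append("scope: 'openid' is missing")
    if is_placeholder("userName", cfg.get("jwtClaims", {}).get("userName", "")):
        findings.append("jwtClaims.userName: required claim mapping is missing or a placeholder")
    return findings

# The page's oauth.json template, unedited (the elided "..." parameter entry is omitted).
TEMPLATE = {
    "clientId": "clientId", "clientSecret": "clientSecret",
    "redirectUrl": "http://dremioHost:9047/sso", "authorityUrl": "authorityUrl",
    "scope": "openid profile email", "jwtClaims": {"userName": "$nameField"},
}
# Constructed sample values for a filled-in file.
FILLED = {
    "clientId": "dremio-sso", "clientSecret": "example-secret",
    "redirectUrl": "https://dremio.example.com:9047/sso",
    "authorityUrl": "https://accounts.google.com",
    "scope": "openid profile email", "jwtClaims": {"userName": "email"},
}

if __name__ == "__main__":
    for name, cfg in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, check_oauth_config(cfg) or "clean")
    print(discovery_url(FILLED["authorityUrl"]))
```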

OIDC Authentication with LDAP Authorization

Dremio supports hybrid OIDC authentication with LDAP authorization (OIDC+LDAP), which allows you to authenticate users with OIDC and fetch user information, groups, and group memberships from LDAP. The way that Dremio authenticates with OIDC and fetches information from LDAP does not change. First, Dremio authenticates users with OIDC. From the OIDC flow, Dremio extracts the username from the ID token. Then, Dremio searches for the username and its group membership in LDAP.

LDAP users cannot log in to Dremio using their LDAP usernames and passwords. Username/password login only works for local users.

Follow these steps to configure OIDC+LDAP. Replace values in angle brackets with the correct values for your organization:

  1. Modify the dremio.conf file to include the following configuration:

    Configuration Properties for the dremio.conf File
    services.coordinator.web.auth.type: "oauth+ldap"
    services.coordinator.web.auth.config: "</path/to/config.json>"
  2. Create a config.json file in the /conf directory.

  3. Add the oAuthConfig and ldapConfig objects and properties in the config.json file.

    Note: The properties in the oAuthConfig and ldapConfig objects below are examples. Use the properties that are appropriate for your implementation.

    • For information about available properties for the oAuthConfig object, see the list of properties under OpenID Authentication.
    • For information about available properties for the ldapConfig object, see Configuring LDAP.
    Example Configuration Properties
    {
      "oAuthConfig": {
        "clientId": "<clientId>",
        "clientSecret": "<clientSecret>",
        "redirectUrl": "http://<dremio.host>:9047/sso",
        "authorityUrl": "<Value of the issuer property in the OIDC Discovery Specification>",
        "scope": "openid profile offline_access",
        "jwtClaims": {
          "userName": "<JSON Web Token field that contains the user’s username>"
        }
      },
      "ldapConfig": {
        "connectionMode": "<ANY_SSL | TRUSTED_SSL>",
        "servers": [
          {
            "hostname": "<LDAP host>",
            "port": <LDAP port>
          }
        ],
        "names": {
          "bindDN": "<Distinguished Name for LDAP binding>",
          "bindPassword": "<Password for bindDN>",
          "baseDN": "<Distinguished Name for LDAP base>",
          "userAttributes": {
            "baseDNs": [
              "OU=test,OU=ad,DC=drem,DC=io"
            ],
            "searchScope": "<SUB_TREE | ONE | BASE>",
            "id": "<LDAP user attribute to map as the user's username>",
            "firstname": "<LDAP user attribute to map as first name>",
            "lastname": "<LDAP user attribute to map as last name>",
            "email": "<LDAP user attribute to map as email>"
          },
          "groupDNs": [
            "<Distinguished Name for LDAP group>"
          ],
          "groupMembership": "<memberOf value>",
          "groupFilter": "<LDAP filter for validating groups>",
          "autoAdminFirstUser": <true> | <false>,
          "userGroupRelationship": "<USER_ENTRY_LISTS_GROUPS | GROUP_ENTRY_LISTS_USERS>"
        }
      }
    }

Upon successful OIDC authentication, Dremio takes the user's username from the JWT field named by the userName property in the oAuthConfig object in the config.json file. Dremio then uses that username to query LDAP for the user's group membership information.

In the DN-based approach to configuring OIDC+LDAP, Dremio replaces the placeholder {0} with the user's username. For example:

DN-Based Configuration Example
"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
  "firstname": "givenName",
  "lastname": "sn",
  "email": "mail"
}

In the attribute-based approach, Dremio looks for the LDAP user whose id value matches the user's username. For example, if you use the following configuration, Dremio looks for the LDAP user whose sAMAccountName matches their username:

Attribute-Based Configuration Example
"userAttributes": {
  "baseDNs": [
    "OU=test,OU=ad,DC=drem,DC=io"
  ],
  "searchScope": "SUB_TREE",
  "id": "sAMAccountName",
  "firstname": "givenName",
  "lastname": "sn",
  "email": "mail"
}

If OIDC authentication and the LDAP search both succeed, Dremio creates a user account with the username. If OIDC authentication is successful but the user's username does not exist in LDAP, the user cannot log in to Dremio.
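
The lookup described above, as an added illustration (not Dremio's implementation): the username is read from the ID-token claim named by jwtClaims.userName and then placed into either the {0} DN template or an attribute match. The function names are hypothetical, the claims are constructed, and the RFC 4514/4515 escaping is an assumption, since the page does not say how Dremio treats LDAP metacharacters in the username.

```python
def username_from_claims(claims, jwt_claims):
    """Read the username from decoded ID-token claims via jwtClaims.userName."""
    field = jwt_claims["userName"]
    name = claims.get(field)
    if not isinstance(name, str) or not name:
        raise ValueError(f"ID token has no usable {field!r} claim")
    return name

def escape_dn_value(value):
    """RFC 4514 escaping for a value placed inside a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\0":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ldap_lookup(username, names):
    """Describe the LDAP lookup for either approach in the ldapConfig 'names' object."""
    if "userDNs" in names:  # DN-based: {0} becomes the username
        dns = [t.replace("{0}", escape_dn_value(username)) for t in names["userDNs"]]
        return {"mode": "dn", "dns": dns}
    attrs = names["userAttributes"]  # attribute-based: match on the "id" attribute
    return {"mode": "search", "baseDNs": attrs["baseDNs"], "scope": attrs["searchScope"],
            "filter": f"({attrs['id']}={escape_filter_value(username)})"}

# The two "names" fragments shown on the page.
DN_BASED = {"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"]}
ATTR_BASED = {"userAttributes": {"baseDNs": ["OU=test,OU=ad,DC=drem,DC=io"],
                                 "searchScope": "SUB_TREE", "id": "sAMAccountName"}}
# Constructed ID-token claims (already signature-verified and decoded).
CLAIMS = {"sub": "constructed-subject", "preferred_username": "jdoe", "name": "Doe, Jane (ops)"}

if __name__ == "__main__":
    for claim in ("preferred_username", "name"):
        user = username_from_claims(CLAIMS, {"userName": claim})
        print(user, ldap_lookup(user, DN_BASED), ldap_lookup(user, ATTR_BASED))
```

The claim chosen for userName is the only join key between the identity provider and LDAP, so it should be a value that maps to exactly one directory entry.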

The LDAP userFilter property works with OIDC+LDAP. You can also use the OIDC application configuration in your identity provider to limit who can authenticate to Dremio.