Configuring SSO in AWS Edition Enterprise
This topic describes how to configure Dremio AWS Edition for Single Sign On (SSO) authentication with Microsoft Entra ID or an OpenID identity provider .
Requirements
To use Microsoft Entra ID or OpenID, Dremio's webserver must have web server encryption enabled. For more information, see Configuring Wire Encryption.
Configuring Microsoft Entra ID Authentication
To know more about Microsoft Entra ID, see Microsoft Entra ID Authentication
You must do the following changes in azuread.json
and dremio.conf
files for configuring SSO:
-
Add the following properties in the
Properties to add to azuread.json fileazuread.json
file:{
"oAuthConfig": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"redirectUrl": "https://<dremio.host>:9047/sso",
"authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
"scope": "openid profile offline_access",
"jwtClaims": {
"userName": "preferred_username"
}
}
}Where:
clientId
: Appears on the Overview screen of your application. This property is also called application ID. AclientId
is applicable to the context where you acquire a token using one of the OAuth flows that Microsoft Entra ID supports. The application ID is same for single application object that corresponds to an application.clientSecret
: The secret that was created in the Setting Up Microsoft Entra ID section.redirectUrl
: The redirect URI that was created in the Setting Up Microsoft Entra ID section.directory.id
: Appears on the Overview screen of your application, also called tenant ID.
noteIn Dremio 24 and later,
clientSecret
can be encrypted using thedremio-admin encrypt
CLI command. -
Uncomment these two lines in the
Lines to uncomment in dremio.conf filedremio.conf
file.services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true -
Add the following configuration in the
Configuration to add to dremio.conf filedremio.conf
file.services: {
coordinator.enabled: true,
coordinator.web.auth.type: "azuread",
coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
}
Configuring OpenID Authentication
To configure Single Sign On with an Identity Provider over OpenID, perform the following steps:
-
Configure the dremio.conf file to include the following configuration.
Configuration to add to dremio.conf fileservices.coordinator.web.auth.type: "oauth"
services.coordinator.web.auth.config: "/path/to/oauth.json" -
Create an oauth.json file with the following properties.
Configuration to add to oauth.json file{
"clientId": "clientId",
"clientSecret": "clientSecret",
"redirectUrl": "http://dremioHost:9047/sso",
"authorityUrl": "authorityUrl",
"scope": "openid profile email",
"jwtClaims": {
"userName": "$nameField"
},
"parameters": [
{
"name": "access_type",
"value": "offline",
...
}
]
}The following table describes the oauth.json file properties.
Parameter Description clientId It is based on the OpenID provider. clientSecret It is based on the OpenID provider.
NOTE: In Dremio 24+,clientSecret
can be encrypted using thedremio-admin encrypt
CLI command.redirectUrl The URL where Dremio is hosted. The URL must match the redirect url set in the OpenID Provider. authorityUrl The location where Dremio can find the OpenID discovery document. For example, Google’s location is https://accounts.google.com/.well-known/openid-configuration
and the authorityUrl therefore to use ishttps://accounts.google.com
, the base location of the well-known directory.scope It is based on the OpenID provider. jwtClaims Maps fields from the JWT token to fields Dremio requires. The only field currently required is userName, which you should set to the field in JWT that contains the user’s username. For example, this can be email
if you want the usernames in Dremio to be the user’s email address.parameters Optional - any additional parameters required by the OpenID providers.
OIDC Authentication with LDAP Authorization
Dremio supports hybrid OIDC authentication with LDAP authorization (OIDC+LDAP), which allows you to authenticate users with OIDC and fetch user information, groups, and group memberships from LDAP. The way that Dremio authenticates with OIDC and fetches information from LDAP does not change. First, Dremio authenticates users with OIDC. From the OIDC flow, Dremio extracts the username from the ID token. Then, Dremio searches for the username and its group membership in LDAP.
LDAP users cannot log in to Dremio using their LDAP usernames and passwords. Username/password login only works for local users.
Follow these steps to configure OIDC+LDAP. Replace values in angle brackets with the correct values for your organization:
- Modify the
dremio.conf
file to include the following configuration:
services.coordinator.web.auth.type: "oauth+ldap"
services.coordinator.web.auth.config: "</path/to/config.json>"
-
Create a
config.json
file in the/conf
directory. -
Add the
oAuthConfig
andldapConfig
objects and properties in theconfig.json
file.Example Configuration PropertiesnoteThe properties in the
oAuthConfig
andldapConfig
objects below are examples. Use the properties that are appropriate for your implementation.- For information about available properties for the
oAuthConfig
object, see the list of properties under OpenID Authentication. - For information about available properties for the
ldapConfig
object, see Configuring LDAP.
{
"oAuthConfig": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"redirectUrl": "http://<dremio.host>:9047/sso",
"authorityUrl": "<Value of the issuer property in the OIDC Discovery Specification>",
"scope": "openid profile offline_access",
"jwtClaims": {
"userName": "<JSON Web Token field that contains the user’s username>"
}
},
"ldapConfig": {
"connectionMode": "<ANY_SSL | TRUSTED_SSL>",
"servers": [
{
"hostname": "<LDAP host>",
"port": <LDAP port>
}
],
"names": {
"bindDN": "<Distinguished Name for LDAP binding>",
"bindPassword": "<Password for bindDN>",
"baseDN": "<Distinguished Name for LDAP base>",
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "<SUB_TREE | ONE | BASE>",
"id": "<LDAP user attribute to map as the user's username>",
"firstname": "<LDAP user attribute to map as first name>",
"lastname": "<LDAP user attribute to map as last name>",
"email": "<LDAP user attribute to map as email>"
},
"groupDNs": [
"<Distinguished Name for LDAP group>"
],
"groupMembership": "<memberOf value>",
"groupFilter": "<LDAP filter for validating groups>",
"autoAdminFirstUser": <true> | <false>,
"userGroupRelationship": "<USER_ENTRY_LISTS_GROUPS | GROUP_ENTRY_LISTS_USERS>"
}
}
} - For information about available properties for the
Upon successful OIDC authentication, the user's username is established as the value provided for the userName
property in the oAuthConfig
object in the config.json
file. Dremio uses the user's username to query LDAP for the user's group membership information.
In the DN-based approach to configuring OIDC+LDAP, Dremio replaces the placeholder {0}
with the user's username. For example:
"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
In the attribute-based approach, Dremio looks for the LDAP user whose id
value matches the user's username. For example, if you use the following configuration, Dremio looks for the LDAP user whose sAMAccountName matches their username:
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "SUB_TREE",
"id": "sAMAccountName",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
If OIDC authentication and the LDAP search both succeed, Dremio creates a user account with the username. If OIDC authentication is successful but the user's username does not exist in LDAP, the user cannot log in to Dremio.
The LDAP userFilter
property works with OIDC+LDAP. You can also use the OIDC application configuration in your identity provider to limit who can authenticate to Dremio.