OpenID Identity Providers Enterprise
This topic describes the configuration of Dremio for Single Sign-On (SSO) using an OpenID Connect (OIDC) identity provider. OpenID-based SSO handles authentication only; it does not query or retrieve user group memberships from the identity provider. User and group information is provisioned via SCIM.
Requirements
To use Microsoft Entra ID or OpenID, Dremio's web server must have TLS enabled: the SSO redirect back to Dremio carries the provider's authorization response and must not travel over plain HTTP. For more information, see the configuration of Transport Layer Security (TLS) for Dremio on Kubernetes or Dremio standalone clusters.
Configuring Dremio for OpenID
To configure Dremio to use an OpenID provider, perform the following steps:

1. Create a new `oauth.json` file that contains the configuration for your OpenID provider. See the OpenID Properties below.
2. Add your configuration, depending on how Dremio is deployed:

   Kubernetes

   1. Update the `coordinator.web.auth.type` configuration in your `values-overrides.yaml` with the value `oauth`. See the configuration of Identity Providers.
   2. Add the `oauth.json` file to your Dremio deployment. This can be done in one of two ways:
      - Method 1 (Preferred): Add the content of your JSON file into your `values-override.yaml` via the `ssoFile` option. This method is detailed in the Identity Provider section.
      - Method 2: Perform a `helm install` with the `--set-file coordinator.web.auth.ssoFile=<your-local-path>/oauth.json` option indicating the location of the `oauth.json` file from step 1. See Deploying Dremio to Kubernetes for additional information.

   Standalone

   1. Edit the `dremio.conf` file, and add the following properties:

      Example Dremio Services Configuration:

      ```
      services: {
        coordinator.enabled: true
        coordinator.web.auth.type: "oauth"
        coordinator.web.auth.config: "/path/to/oauth.json"
      }
      ```

   2. Copy the modified `dremio.conf` and `oauth.json` files to every coordinator node in the Dremio cluster. A relative `coordinator.web.auth.config` path is resolved against the Dremio `conf` directory; an absolute path can point anywhere on the system. Because `oauth.json` holds the client secret, restrict its file permissions to the account Dremio runs as (or store the secret encrypted, see `clientSecret` in OpenID Properties).
OpenID Properties
The `oauth.json` file contains the following properties about the OIDC provider. The `redirectUrl` uses `https` because TLS is required for SSO (see Requirements).

```json
{
  "oAuthConfig": {
    "clientId": "<clientId>",
    "clientSecret": "<clientSecret>",
    "redirectUrl": "https://dremioHost:9047/sso",
    "authorityUrl": "<authorityUrl>",
    "scope": "openid profile email",
    "jwtClaims": {
      "userName": "email"
    },
    "parameters": [
      { "name": "access_type", "value": "offline" },
      ...
    ]
  }
}
```
OpenID providers are defined using the following properties:

Property | Description
---|---
authorityUrl | The location where Dremio can find the OpenID discovery document. Set it to the base location of the well-known directory (the part of the URL before `/.well-known/openid-configuration`), not to the document itself. For example, Google’s discovery document is at https://accounts.google.com/.well-known/openid-configuration, and the authorityUrl to use is https://accounts.google.com.
clientId | Provided by the OpenID provider.
clientSecret | Provided by the OpenID provider. This secret can be encrypted using the `dremio-admin encrypt` CLI command so that the plaintext secret is not stored in the file.
jwtClaims | Maps claims from the ID token (JWT) to fields Dremio requires. The only field currently required is `userName`, which you should set to the JWT claim containing the user’s username.
parameters | Optional. Any additional name/value parameters the OpenID provider requires.
redirectUrl | The URL where Dremio is hosted, with the `/sso` path. It must match exactly the redirect URL registered with the OpenID provider, and it should use `https` because TLS is required. If you use a load balancer, do not include `:9047` in the redirectUrl. Instead, configure SSO at the load balancer and use only the load balancer's URL.
scope | A space-delimited list of scopes requested from the OpenID provider. The `openid` scope is always required; other scopes vary by provider. The example above also requests `profile` and `email` so that the `email` claim mapped to `userName` is present in the token.
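The following pre-flight check is an added example, not Dremio's own code: it applies the rules from the property table above to an `oauth.json` before it is deployed, using the provider's discovery document. The discovery document, the two sample configurations and the host names in them are constructed for the example so it runs offline; in practice you would fetch the document from `<authorityUrl>/.well-known/openid-configuration`.

```python
"""Pre-flight check of a Dremio oauth.json (oAuthConfig) against the
provider's OIDC discovery document.  Added example, not Dremio code."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document (subset of the fields a provider publishes).
DISCOVERY_DOC = {
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/o/oauth2/auth",
    "token_endpoint": "https://accounts.example.com/o/oauth2/token",
    "jwks_uri": "https://accounts.example.com/o/oauth2/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
}


def discovery_url(authority_url: str) -> str:
    """authorityUrl is the base of the well-known directory; derive the document URL."""
    return authority_url.rstrip("/") + WELL_KNOWN


def check_oauth_config(oauth_json: str, discovery: dict) -> list:
    """Return a list of problems found; an empty list means the config passes."""
    cfg = json.loads(oauth_json)["oAuthConfig"]
    problems = []

    authority = cfg.get("authorityUrl", "")
    if authority.endswith(WELL_KNOWN):
        problems.append("authorityUrl must be the base URL, not the discovery document")
    if urlsplit(authority).scheme != "https":
        problems.append("authorityUrl must use https")
    # The issuer in the document is the base the document was served from;
    # a mismatch usually means the wrong tenant/realm URL was configured.
    if discovery.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append("authorityUrl does not match the issuer in the discovery document")

    for key in ("clientId", "clientSecret"):
        if not cfg.get(key) or cfg[key].startswith("<"):
            problems.append(f"{key} is missing or still a placeholder")

    redirect = urlsplit(cfg.get("redirectUrl", ""))
    if redirect.scheme != "https":
        problems.append("redirectUrl must use https (TLS is required for SSO)")
    if redirect.path != "/sso":
        problems.append("redirectUrl path must be /sso")

    scopes = cfg.get("scope", "").split()
    if "openid" not in scopes:
        problems.append("scope must include openid")
    unsupported = [s for s in scopes if s not in discovery.get("scopes_supported", scopes)]
    if unsupported:
        problems.append(f"provider does not advertise scopes: {unsupported}")

    claim = cfg.get("jwtClaims", {}).get("userName")
    if not claim:
        problems.append("jwtClaims.userName is required")
    elif claim not in discovery.get("claims_supported", [claim]):
        problems.append(f"provider does not advertise claim {claim!r} for userName")
    elif claim == "email" and "email" not in scopes:
        problems.append("userName maps to the email claim but the email scope is not requested")
    return problems


# Constructed configs: one following the table, one with the mistakes the
# table warns about (discovery document as authorityUrl, http redirect,
# placeholder secret, missing openid scope).
GOOD_CONFIG = json.dumps({"oAuthConfig": {
    "clientId": "dremio-client",
    "clientSecret": "s3cr3t",
    "redirectUrl": "https://dremio.example.com:9047/sso",
    "authorityUrl": "https://accounts.example.com",
    "scope": "openid profile email",
    "jwtClaims": {"userName": "email"},
}})
BAD_CONFIG = json.dumps({"oAuthConfig": {
    "clientId": "dremio-client",
    "clientSecret": "<clientSecret>",
    "redirectUrl": "http://dremio.example.com:9047/sso",
    "authorityUrl": "https://accounts.example.com/.well-known/openid-configuration",
    "scope": "profile email",
    "jwtClaims": {"userName": "email"},
}})

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_oauth_config(cfg, DISCOVERY_DOC) or "OK")
```

The issuer comparison is the check most worth keeping: a wrong tenant or realm in `authorityUrl` still yields a valid-looking discovery document, but the ID tokens it produces will carry an issuer you did not intend to trust.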
Configuring Dremio for Hybrid OpenID+LDAP
Dremio supports hybrid OIDC authentication with LDAP authorization (OIDC+LDAP), which allows you to authenticate users with an OIDC provider and fetch user information, groups, and group memberships from LDAP. First, Dremio authenticates users with OIDC. From the OIDC flow, Dremio extracts the username from the ID token. Then, Dremio searches for that username and its group membership in LDAP.
In this mode, users cannot log in to Dremio with their LDAP username and password; LDAP is consulted only for authorization data. Username and password logins work only for local users. Follow these steps to configure OIDC+LDAP:
1. Create a new `config.json` file that contains your configuration for your OpenID provider with LDAP. See the OAuth+LDAP Properties below.
2. Add your configuration, depending on how Dremio is deployed:

   Kubernetes

   1. Update the `coordinator.web.auth.type` configuration in your `values-overrides.yaml` with the value `oauth+ldap`. See the configuration of Identity Providers for additional information.
   2. Add the `config.json` file to your Dremio deployment. This can be done in one of two ways:
      - Method 1 (Preferred): Add the content of your JSON file into your `values-override.yaml` via the `ssoFile` option. This method is detailed in the Identity Provider section.
      - Method 2: Perform a `helm install` with the `--set-file coordinator.web.auth.ssoFile=<your-local-path>/config.json` option indicating the location of the `config.json` file. See Deploying Dremio to Kubernetes for additional information.

   Standalone

   1. Edit the `dremio.conf` file, and add the following properties:

      Example Dremio Services Configuration:

      ```
      services: {
        coordinator.enabled: true
        coordinator.web.auth.type: "oauth+ldap"
        coordinator.web.auth.config: "/path/to/config.json"
      }
      ```

   2. Copy the modified `dremio.conf` and `config.json` files to every coordinator node in the Dremio cluster. A relative `coordinator.web.auth.config` path is resolved against the Dremio `conf` directory; an absolute path can point anywhere on the system. The file holds both the OIDC client secret and the LDAP bind credentials, so restrict its permissions to the account Dremio runs as.
OAuth+LDAP Properties
The `config.json` file for OAuth+LDAP is a combination of OAuth and LDAP configurations.

- The properties in the `oAuthConfig` section are described above in OpenID Properties.
- The properties in the `ldapConfig` section are described in LDAP Properties.

```json
{
  "oAuthConfig": {
    "clientId": "<clientId>",
    "...": "other fields"
  },
  "ldapConfig": {
    "connectionMode": "PLAIN",
    "...": "other fields"
  }
}
```

Note that `"connectionMode": "PLAIN"` talks to LDAP without transport encryption, so the bind credentials and the user and group data Dremio reads cross the network in cleartext. For production, choose an encrypted connection mode from LDAP Properties.
Upon successful OIDC authentication, the user's username is the value of the ID-token claim named by the `userName` property in the `oAuthConfig` object in the `config.json` file. Dremio uses that username to query LDAP for the user's group membership information, so map `userName` to a claim the identity provider guarantees to be unique and stable per user, and that matches the identifier you search on in LDAP. In the DN-based approach to configuring OIDC+LDAP, Dremio replaces the placeholder `{0}` with the user's username. For example:

```json
"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
  "firstname": "givenName",
  "lastname": "sn",
  "email": "mail"
}
```
In the attribute-based approach, Dremio looks for the LDAP user whose `id` attribute value matches the user's username. For example, if you use the following configuration, Dremio looks for the LDAP user whose `sAMAccountName` matches their username:

```json
"userAttributes": {
  "baseDNs": [
    "OU=test,OU=ad,DC=drem,DC=io"
  ],
  "searchScope": "SUB_TREE",
  "id": "sAMAccountName",
  "firstname": "givenName",
  "lastname": "sn",
  "email": "mail"
}
```
If the OIDC authentication and LDAP search are successful, Dremio creates a user account with the specified username. If OIDC authentication is successful but the username does not exist in LDAP, the user will be unable to log in to Dremio.
The LDAP `userFilter` property also applies with OIDC+LDAP, so you can restrict login to the LDAP users that match the filter even when OIDC authentication succeeds. You can also use the OIDC application configuration in your identity provider to limit who can authenticate to Dremio.
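The following model of the OIDC+LDAP login flow is an added example, not Dremio's implementation. It follows the description above: the username is taken from the ID-token claim named by `jwtClaims.userName`, then looked up in LDAP either by substituting it into a `userDNs` template or by matching the `id` attribute under `baseDNs`, and a user OIDC accepted but LDAP cannot find is denied. The ID-token claims and the directory are constructed in-memory stand-ins (no LDAP server is contacted), the `preferred_username` claim in the second configuration is an assumed choice, and the RFC 4514 escaping applied before substituting into the DN template is this example's own safeguard for interpolating an IdP-supplied value into a DN; it is not a statement about what Dremio does internally.

```python
"""Model of the OIDC+LDAP lookup: claim -> username -> LDAP entry -> groups.
Added example, not Dremio code; directory and tokens are constructed."""

# Constructed stand-in for the LDAP directory: DN -> attributes.
DIRECTORY = {
    "cn=alice@dremio.test,dc=staticsecurity,dc=dremio,dc=com": {
        "sAMAccountName": "alice", "mail": "alice@dremio.test",
        "givenName": "Alice", "sn": "Liddell",
        "memberOf": ["cn=analysts,dc=staticsecurity,dc=dremio,dc=com"],
    },
    "CN=bob,OU=test,OU=ad,DC=drem,DC=io": {
        "sAMAccountName": "bob", "mail": "bob@drem.io",
        "givenName": "Bob", "sn": "Builder",
        "memberOf": ["CN=admins,OU=test,OU=ad,DC=drem,DC=io"],
    },
}

# The two ldapConfig shapes shown in the text.
DN_CONFIG = {
    "userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
    "userAttributes": {"firstname": "givenName", "lastname": "sn", "email": "mail"},
}
ATTR_CONFIG = {
    "userAttributes": {
        "baseDNs": ["OU=test,OU=ad,DC=drem,DC=io"],
        "searchScope": "SUB_TREE",
        "id": "sAMAccountName",
        "firstname": "givenName", "lastname": "sn", "email": "mail",
    },
}
CONFIG_DN = {"oAuthConfig": {"jwtClaims": {"userName": "email"}}, "ldapConfig": DN_CONFIG}
CONFIG_ATTR = {"oAuthConfig": {"jwtClaims": {"userName": "preferred_username"}},  # assumed claim
               "ldapConfig": ATTR_CONFIG}


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping so a username like 'x,ou=admins' cannot alter the DN
    that {0} expands into (this example's safeguard, not Dremio's)."""
    out = value
    for ch in "\\,+\"<>;":          # backslash first so later escapes are not doubled
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def find_user(username: str, ldap_config: dict, directory: dict):
    """Return (dn, entry) for the username, or None if LDAP has no such user."""
    if "userDNs" in ldap_config:                     # DN-based approach
        for template in ldap_config["userDNs"]:
            dn = template.replace("{0}", escape_dn_value(username))
            if dn in directory:
                return dn, directory[dn]
        return None
    attrs = ldap_config["userAttributes"]            # attribute-based approach
    for dn, entry in directory.items():
        in_scope = any(dn.lower().endswith(base.lower()) for base in attrs["baseDNs"])
        if in_scope and entry.get(attrs["id"]) == username:
            return dn, entry
    return None


def oidc_ldap_login(id_token_claims: dict, config: dict, directory: dict):
    """Username comes from the claim named by jwtClaims.userName; profile and
    groups come from LDAP.  Returns the account that would be created, or
    None when OIDC succeeded but the user is not found in LDAP (login denied)."""
    claim = config["oAuthConfig"]["jwtClaims"]["userName"]
    username = id_token_claims.get(claim)
    if not username:
        return None
    found = find_user(username, config["ldapConfig"], directory)
    if found is None:
        return None
    _dn, entry = found
    attrs = config["ldapConfig"]["userAttributes"]
    return {
        "userName": username,
        "firstname": entry.get(attrs["firstname"]),
        "lastname": entry.get(attrs["lastname"]),
        "email": entry.get(attrs["email"]),
        "groups": list(entry.get("memberOf", [])),
    }


if __name__ == "__main__":
    print(oidc_ldap_login({"email": "alice@dremio.test"}, CONFIG_DN, DIRECTORY))
    print(oidc_ldap_login({"preferred_username": "bob"}, CONFIG_ATTR, DIRECTORY))
    print(oidc_ldap_login({"preferred_username": "mallory"}, CONFIG_ATTR, DIRECTORY))
```

The last call illustrates the failure mode described above: the identity provider vouched for the user, but with no matching LDAP entry there is no account and no groups, so the login is refused rather than granted with empty authorization.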