Configure SCIM Provisioning with Okta
Okta is an identity management application that can be integrated with Dremio via System for Cross-domain Identity Management (SCIM). After it is configured, administrators can select authorized users in Okta, which are then automatically created in Dremio. Usernames must be set and managed from Okta.
SCIM
SCIM is a standard method for linking systems, such as Okta, to Dremio for user provisioning. When configured, Okta automatically sends the credentials of assigned users securely through SCIM to your Dremio server, which then creates user accounts. These new users can then log in to Dremio by using their Okta credentials.
You cannot reset or change an external user's password from Dremio as this is governed by your organization's identity manager.
Requirements
The following configurations must be utilized:
- Version SCIM 2.0
- Connector Authentication Method: Header Auth
You must have Super Administrator access in Okta to configure a SCIM app.
Configuring Okta with SCIM
The following sections outline the process of setting up Okta to communicate with Dremio with SCIM. The process is divided into sections, which should be completed in order.
1. Adding the SCIM App
- From the Okta interface, navigate to the Applications page.
- Click Browse App Catalog and search for SCIM.
- Select SCIM 2.0 Test App (Header Auth) and then click Add from the app's page.
- Enter an Application label and then click Next.
- From the Sign on Methods page, click the Secure Web Authorization radio button and then select Administrator sets username, user sets password.
- Click Done.
2. Starting SCIM Configuration
- From the SCIM app screen, click on the Provisioning tab.
- Select the Integration tab and then click Configure API Integration.
- Click Enable API Integration.
- Enter the URL to your Dremio server (preferably HTTPS) in the Base URL field with the following format:
Base URL format: {http|https}://{hostname}:9047/scim/v2
3. Generating a Personal Access Token
Use a personal access token (PAT) as the API token in your Okta SCIM app. PATs are valid for 30 days by default and 180 days maximum.
After you obtain a PAT, complete the following steps in Okta:
- In the API Token field, enter your PAT. Use the format Bearer <PersonalAccessToken> (include a space after Bearer).
- Click Test API Credentials to ensure Okta can access your instance of Dremio. A green message should appear at the top of the screen saying the API was verified successfully!
- Click Save.
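A pre-flight check for the values entered in steps 2 and 3, as an added example that is not part of Dremio's or Okta's own material: it validates the Base URL against the format above, checks the API Token field value, and computes a rotation date from the PAT lifetimes stated here. The host name, the token value and the 7-day rotation margin are assumptions made for illustration.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

PAT_DEFAULT_DAYS, PAT_MAX_DAYS = 30, 180  # lifetimes stated on this page

def check_base_url(url):
    """Findings for the Okta Base URL field; an empty list means it matches the format."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        findings.append("scheme must be http or https")
    elif parts.scheme == "http":
        findings.append("http: the PAT in the Authorization header is sent unencrypted")
    if not parts.hostname:
        findings.append("hostname is missing")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port != 9047:
        findings.append("port differs from the documented 9047")
    if parts.path.rstrip("/") != "/scim/v2":
        findings.append("path must be /scim/v2")
    if parts.username or parts.query or parts.fragment:
        findings.append("remove credentials, query string or fragment from the URL")
    return findings

def check_api_token(value):
    """Findings for the Okta API Token field, which must read 'Bearer <PAT>'."""
    match = re.fullmatch(r"Bearer (\S+)", value)
    if not match:
        return ["expected 'Bearer', one space, then the PAT, with no other whitespace"]
    if match.group(1).startswith("<"):
        return ["placeholder <PersonalAccessToken> was not replaced with a real PAT"]
    return []

def rotate_by(created, lifetime_days=PAT_DEFAULT_DAYS, margin_days=7):
    """Date by which a new PAT should be saved in Okta, before the old one expires."""
    # margin_days is an assumed safety margin for this example, not a Dremio setting.
    if not 1 <= lifetime_days <= PAT_MAX_DAYS:
        raise ValueError("PAT lifetime must be between 1 and 180 days")
    return created + timedelta(days=lifetime_days - margin_days)

if __name__ == "__main__":
    print(check_base_url("http://dremio.example.com:9047/scim/v2"))  # constructed host
    print(check_api_token("Bearerabc123"))                           # constructed token
    print(rotate_by(date(2024, 1, 1)))
```

Because provisioning depends on the PAT remaining valid, the rotation date is worth putting on a calendar when the token is created.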
4. Completing SCIM Configuration
- Navigate to the Provisioning tab, and then the To App sub-tab.
- Click the Edit button to the right of the Provisioning to App header.
- Select the Enable checkbox for Create Users, Update User Attributes, and Deactivate Users. Make any other selections as desired.
- Click Save.
SCIM is fully configured, which means users added from Okta will now be automatically created in Dremio.
Assigning Access to Dremio
Only users or groups granted access via the SCIM app will have an account automatically created in Dremio.
Assigning Users
To assign or grant users access to Dremio, perform the following steps:
- From the Okta interface, navigate to the Assignments tab.
- Click the Assign drop-down from the top-left corner of the screen and select Assign to People.
- Locate the desired users by scrolling or using the search bar.
- Click the Assign button next to the desired user.
- Scroll down and click Save and Go Back.
That user is now granted access to Dremio and an account is automatically created in the application. They may log in on Dremio immediately and administrators may view their account from the Users screen.
We recommend assigning privileges and roles to manage their access to objects in Dremio.
Assigning Groups
To assign or grant groups of users access to Dremio, perform the following steps:
- From the Okta interface, navigate to the Assignments tab.
- Click the Assign drop-down at the top-left corner of the screen and select Assign to Groups.
- Click Push Groups > Push Groups to push an Okta group to Dremio.
All users associated with the group will be synchronized in Dremio. The group will also synchronize with Dremio as a role with all group members assigned to the role.
Users associated with the group may log in on Dremio immediately and administrators may view their account from the Users screen.
We recommend assigning privileges to manage role members' access to objects in Dremio.
Revoking Access to Dremio
If you wish to revoke access to Dremio for specific users or groups, complete these steps.
- From the SCIM app, navigate to the Assignments tab.
- Click the Delete (X) button on the far right of the desired user's row.
The deleted user(s) may no longer log in on Dremio; however, this does not delete their account from Dremio.