Generic OpenID Connect
Dremio supports the generic OpenID Connect (OIDC) authentication protocol as an enterprise identity provider. OIDC provider administrators can register a Dremio application and use it to enable single sign-on (SSO) and allow users to log in using an OIDC provider as the trusted third party.
Microsoft Entra ID and Okta have their own configuration guides; this page covers any provider that implements standard OIDC.
Dremio also allows you to use System for Cross-domain Identity Management (SCIM) provisioning to manage Dremio user access from your OIDC provider. After you configure your provider for OIDC SSO, refer to your OIDC provider's documentation to configure SCIM. See SCIM with a Generic OpenID Connect Provider to use SCIM provisioning in Dremio.
Prerequisites
Configuring SSO in a generic OIDC provider requires:
- Privileges in the OIDC provider that permit you to add, configure, and register applications.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role.
Configure OIDC SSO
To configure OIDC SSO for Dremio users:
1. In Dremio, on the organization page, open the left navigation bar and select Organization settings.
2. Select Authentication in the organization settings sidebar.
3. Click Add Provider to open the Add Provider dialog.
4. In Step 1, select OpenID Connect (OIDC) from the dropdown menu.
5. Copy and save the Redirect URL listed in Step 2. You will need it to register the Dremio application in your OIDC provider portal in the next step. Register it exactly as shown: the provider compares the redirect URI in each authorization request against the registered value, and any difference in scheme, host, or path causes the login to fail.
6. In your OIDC provider portal, register Dremio as an application, using the redirect URL from the previous step.
7. Copy and save the client ID and client secret that the provider issues for the Dremio application. The client ID is a public identifier, but the client secret is a credential: store it in a secrets manager, do not commit it to source control, and rotate it in the provider and in Dremio if it is exposed. You will use both values to configure authentication in Dremio later in this procedure.
8. Copy and save the issuer value from the OIDC configuration. This is the `issuer` field of the provider's discovery document, served at `<issuer>/.well-known/openid-configuration`, and Dremio uses it to locate the provider's endpoints and signing keys. Copy it exactly; a trailing slash or an http scheme is a different issuer. You will use it to configure authentication in Dremio later in this procedure.
9. In Dremio, in Step 3 of the Add Provider dialog, enter the issuer URL, client ID, and client secret that you copied from your OIDC provider portal in the corresponding fields.
10. Click Add. After the page loads, your OIDC provider appears in the Enterprise section.
11. Click the Enabled toggle to activate your OIDC provider.
OIDC as an enterprise identity provider is now configured. Log in with SSO appears in the list of login options for your Dremio users.
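The issuer value copied in step 8 is the one input in this procedure that is easy to get subtly wrong, and a wrong or inconsistent issuer surfaces only as a failed login. The script below, added here as an example and not part of Dremio's code or documentation, checks an issuer against its discovery document using the generic OpenID Connect Discovery rules before you enter it in the Add Provider dialog: the issuer must be https, the `issuer` field in the document must match the configured value byte for byte, the endpoints Dremio will need must be present and https, and the provider must advertise the authorization code flow, which is the flow implied by a redirect URL plus a client secret. The sample issuer and discovery document are constructed for a hypothetical provider; Dremio's own acceptance criteria are not documented on this page, so treat a clean result as necessary rather than sufficient.

```python
"""Check an OIDC issuer before entering it in Dremio's Add Provider dialog.

Added example, not Dremio code. Applies generic OIDC Discovery rules; the
sample issuer and document below are constructed for a hypothetical provider.
"""
import json
import sys
import urllib.request
from typing import Any

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """The discovery path is fixed by the OIDC Discovery specification."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, doc: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems: list[str] = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    if "?" in issuer or "#" in issuer:
        problems.append("issuer must not contain a query or fragment")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    # OIDC Discovery 4.3: the document's issuer MUST be identical to the value
    # used to fetch it. A trailing slash is already a mismatch, and a relying
    # party that tolerates mismatches is exposed to issuer mix-up attacks.
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}"
        )
    # Dremio is registered with a redirect URL and a client secret, which is the
    # authorization code flow; the provider has to advertise response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key, "")
        if endpoint and not endpoint.startswith("https://"):
            problems.append(f"{key} is not https")
    return problems


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict[str, Any]:
    """Fetch the live document; not used by the offline sample run below."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample for a hypothetical tenant, not a real provider.
SAMPLE_ISSUER = "https://idp.example.com/realms/corp"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    # Pass a real issuer URL as the first argument to check a live provider.
    if len(sys.argv) > 1:
        issuer, doc = sys.argv[1], fetch_discovery(sys.argv[1])
    else:
        issuer, doc = SAMPLE_ISSUER, SAMPLE_DOC
    problems = validate_discovery(issuer, doc)
    for p in problems:
        print("PROBLEM:", p)
    print("ok" if not problems else f"{len(problems)} problem(s)")
```

Run it with no arguments to exercise the constructed sample, or with your provider's issuer URL to fetch and check the live document. If the only finding is an issuer mismatch caused by a trailing slash, fix the value you enter in Dremio rather than the provider: the string in the document is the canonical one.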
Use SSO to Log In to Dremio
Any user who is assigned to the Dremio application in your OIDC provider can log in with SSO immediately. To use SSO to log in to Dremio:
1. Open the Dremio login page.
2. Type your email address in the Email field and click Continue.
3. If you belong to more than one Dremio organization, select the organization to log in to.
4. Click Log in with SSO.
5. When you are redirected to your OIDC provider for authentication, enter your username and password.
The OIDC provider authenticates your identity and redirects you to Dremio, which then logs you in.
To configure SCIM provisioning to manage access for Dremio users, see SCIM with a Generic OpenID Connect Provider.
Revoke SSO Login for a User or Group
To revoke users' access to SSO login for Dremio:
1. In your OIDC provider's portal, navigate to the Dremio application.
2. Open the assignment settings for the Dremio application.
3. Find the user or group whose access you want to revoke and follow your OIDC provider's procedures to revoke access.
Starting immediately, the deactivated users cannot use OIDC SSO to log in to Dremio. Revoking the assignment does not touch the Dremio account itself: the user's account remains, and a user who also has a Dremio username and password can still log in with it (see Troubleshoot).
To completely delete Dremio users, you must also manually remove their user accounts in Dremio.
Configure a Generic OpenID Connect Provider with SCIM
System for Cross-domain Identity Management (SCIM) automates the synchronization of user accounts between your identity provider (IdP) and Dremio, reducing manual user management. When configured, your IdP sends user profile attributes (not passwords; authentication stays with the IdP) to Dremio over an authenticated SCIM connection, automatically creating accounts for new users as needed. These users can then log in to Dremio according to your organization's authentication policies.
Before you can configure SCIM provisioning, you must configure a generic OIDC provider as an enterprise identity provider in Dremio. Follow the instructions in Generic OpenID Connect Identity Provider to integrate a Dremio application in a generic OIDC provider for single sign-on (SSO) in Dremio. When that is done, follow this guide to configure SCIM for secure user provisioning.
Prerequisites
Configuring SCIM provisioning requires:
- Privileges in your OIDC provider that permit you to register and configure applications.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role.
- A Dremio personal access token (PAT) for a Dremio user who is a member of the ADMIN role.
Configure SCIM Provisioning
The steps required to configure and enable SCIM provisioning vary for different OIDC providers. Follow the instructions in your OIDC provider's documentation.
Use the SCIM base URL for your Dremio control plane as the SCIM connector or tenant URL (the field name varies by provider), and use a Dremio PAT as the API Token or Secret Token value when you configure authentication for SCIM requests in your OIDC provider's portal. The PAT is sent as a bearer credential on every provisioning request and belongs to a specific ADMIN user: store it only in the provider's secret field, and plan to replace it when it expires, when that user leaves, or if it is exposed, because provisioning stops working once the PAT is no longer valid.
- US Control Plane: https://scim.dremio.cloud/scim/v2
- EU Control Plane: https://scim.eu.dremio.cloud/scim/v2
After SCIM provisioning is configured and enabled, you can create users, update user attributes, and deactivate users in Dremio from your OIDC provider's portal.
Create Users
After you configure SCIM provisioning, Dremio automatically creates a new Dremio user account for anyone you assign to the Dremio application in your OIDC provider who does not already have an account. New Dremio users can log in to Dremio with SSO immediately, and administrators can view their user accounts in Dremio.
- New users are automatically members of the PUBLIC role in Dremio.
- User email addresses are controlled by your OIDC provider rather than Dremio. If a user's email address changes, you must create a new user in your OIDC provider and assign them to the Dremio application. Then, the user can use the new email address to log in to Dremio as a new user.
Update User Attributes
With SCIM provisioning configured, updates to user attributes in your OIDC provider are propagated to the user account in Dremio.
The first name and last name attributes are mapped to user accounts in Dremio: once SCIM provisioning is configured, changing these attributes in your OIDC provider updates the corresponding user information in Dremio. Username and primary email address changes are not applied (see Troubleshoot).
Deactivate Users
When you revoke a user or group in your OIDC provider without SCIM, the affected users cannot use OIDC SSO to log in to Dremio, but their Dremio accounts are unchanged. With SCIM provisioning configured, deactivating users in your OIDC provider also marks them inactive in Dremio, and inactive users cannot log in to Dremio.
To completely delete Dremio users, you must also manually remove their user accounts in Dremio.
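Because deactivated users stay in Dremio as inactive accounts until an administrator removes them, it is worth periodically reading the user list back from the SCIM endpoint and listing the accounts that the IdP has switched off. The script below is an added example, not Dremio's code: it builds the authenticated requests the way the SCIM setup above describes (the control-plane base URL, a Dremio PAT sent as a bearer token), walks the paginated `Users` collection, and splits accounts into active and inactive. It assumes Dremio's endpoint returns the standard RFC 7643/7644 shapes (`Resources`, `totalResults`, `startIndex`, and User attributes `userName`, `active`, `name`, `emails`); the page documents the URL and the PAT but not the response fields. The two-page response and the PAT value are constructed so the script runs offline; swap in `http_send` to query a real tenant.

```python
"""List active and IdP-deactivated Dremio users over SCIM.

Added example, not Dremio code. Assumes RFC 7643/7644 ListResponse and User
shapes; the pages and PAT below are constructed for a hypothetical tenant.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable

SCIM_BASE_US = "https://scim.dremio.cloud/scim/v2"
SCIM_BASE_EU = "https://scim.eu.dremio.cloud/scim/v2"
PAGE_SIZE = 100  # requested page size; the server may return fewer (assumption)


def scim_request(base_url: str, pat: str, path: str, start_index: int = 1) -> urllib.request.Request:
    """Build a GET for one page of a SCIM collection, authenticated with the PAT."""
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}?startIndex={start_index}&count={PAGE_SIZE}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Bearer {pat}")  # PAT as bearer token, per the setup steps
    req.add_header("Accept", "application/scim+json")
    return req


def http_send(req: urllib.request.Request) -> dict[str, Any]:
    """Real transport; the offline run below substitutes fake_send."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_all_users(base_url: str, pat: str, send: Callable[[urllib.request.Request], dict[str, Any]]) -> list[dict[str, Any]]:
    """Follow SCIM pagination (startIndex is 1-based) until totalResults is reached."""
    users: list[dict[str, Any]] = []
    start = 1
    while True:
        page = send(scim_request(base_url, pat, "Users", start))
        resources = page.get("Resources", [])
        users.extend(resources)
        total = page.get("totalResults", len(users))
        if not resources or len(users) >= total:
            return users
        start += len(resources)


def primary_email(user: dict[str, Any]) -> str:
    emails = user.get("emails", [])
    for e in emails:
        if e.get("primary"):
            return e.get("value", "")
    return emails[0].get("value", "") if emails else ""


def summarize(users: list[dict[str, Any]]) -> dict[str, list[dict[str, str]]]:
    """Split users into active and inactive; only name and email are mapped by SCIM."""
    out: dict[str, list[dict[str, str]]] = {"active": [], "inactive": []}
    for u in users:
        name = u.get("name", {})
        row = {"userName": u.get("userName", ""), "email": primary_email(u),
               "firstName": name.get("givenName", ""), "lastName": name.get("familyName", "")}
        out["active" if u.get("active", True) else "inactive"].append(row)
    return out


def _user(user_name: str, first: str, last: str, active: bool) -> dict[str, Any]:
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": user_name,
            "active": active, "name": {"givenName": first, "familyName": last},
            "emails": [{"value": user_name, "primary": True}]}


# Constructed two-page ListResponse for a hypothetical tenant (3 users total).
FAKE_PAGES = {
    1: {"totalResults": 3, "startIndex": 1, "itemsPerPage": 2,
        "Resources": [_user("alice@example.com", "Alice", "Ng", True),
                      _user("bob@example.com", "Bob", "Ortiz", True)]},
    3: {"totalResults": 3, "startIndex": 3, "itemsPerPage": 1,
        "Resources": [_user("carol@example.com", "Carol", "Diaz", False)]},
}


def fake_send(req: urllib.request.Request) -> dict[str, Any]:
    """Offline stand-in for http_send that serves the constructed pages."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)
    return FAKE_PAGES[int(qs["startIndex"][0])]


if __name__ == "__main__":
    # Replace fake_send with http_send and "fake-pat" with a real PAT to audit a tenant.
    report = summarize(fetch_all_users(SCIM_BASE_US, "fake-pat", fake_send))
    for row in report["inactive"]:
        print("inactive, still present in Dremio:", row["userName"])
    print(f"{len(report['active'])} active, {len(report['inactive'])} inactive")
```

The inactive list is the set of accounts that SSO revocation alone would have left fully usable and that SCIM has now disabled; it is also the list to hand to whoever deletes accounts in Dremio. Keep the PAT out of the script itself in real use (read it from an environment variable or a secrets manager), since anyone holding it can provision and deactivate users.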
Troubleshoot
This section describes some considerations about OIDC SSO and SCIM provisioning with the Dremio application in your OIDC provider.
- SCIM provisioning
  - Dremio does not allow username updates. If you change a user's username in your OIDC provider after the user is assigned to the Dremio application, the OIDC provider sends a request to update the username in Dremio. Dremio denies the request because Dremio username changes are not allowed.
  - Changing an existing user's primary email address in the OIDC provider has no effect on the user's account in Dremio. To permit a user to authenticate to Dremio with the new email address, add the user to your OIDC provider as a new person using the new email address. Then, assign the new user to the Dremio application (either individually as a person or by adding them to an assigned group). The OIDC provider creates a new Dremio user who can use SSO to log in to Dremio with the new email address.
- OIDC SSO
  - Refer to your OIDC provider's documentation to ensure that you have privileges that permit you to add the Dremio application in your OIDC provider and configure OIDC SSO.
  - If you revoke a user's access to SSO login, the user can still log in to Dremio with their Dremio username and password. To completely delete the user so that they cannot log in to Dremio at all, you must manually remove their user account in Dremio.