
Okta

Dremio supports Okta as an enterprise identity provider. Okta administrators can enable single sign-on (SSO) authentication using Okta as the trusted third party.

Prerequisites

Configuring OIDC SSO in Okta requires:

Supported Features

Dremio supports the following Okta SSO features:

  • Service provider-initiated (SP-initiated) SSO: Dremio uses the OpenID Connect (OIDC) protocol for SP-initiated SSO. When users provide their email address to log in to Dremio, Dremio sends an authentication request to Okta. Okta then authenticates the user's identity, and the user is logged in to Dremio.

  • SCIM: Dremio also allows you to take advantage of Okta's System for Cross-domain Identity Management (SCIM) provisioning feature and manage Dremio user access from Okta. After you configure Okta for OIDC SSO in this guide, see SCIM with Okta to configure SCIM provisioning.

Configure OIDC SSO

To configure Okta OIDC SSO for Dremio users:

  1. In Okta, navigate to Applications > Applications and click Browse App Catalog.

  2. Type Dremio in the search field and select Dremio from the list of search results.

  3. Click Add Integration.

  4. (Optional) Type a custom label in the Application label field.

  5. Select your Dremio control plane region from the Region dropdown menu: US or EU.

  6. Click Done. Okta creates the Dremio application and displays the application's Assignments tab.

  7. Click the Sign On tab.

  8. Copy and save the client ID and client secret listed under OpenID Connect. The client ID and client secret are sensitive information and should be kept secure. You will use them to configure authentication in Dremio later in this procedure.

  9. Click the OpenID Provider Metadata link to open the OpenID configuration for the application.

  10. Copy and save the URL value for the issuer key at the top of the OpenID configuration. You will use it to configure authentication in Dremio later in this procedure.

  11. In the Dremio console, click Settings in the side navigation bar and select Organization settings.

  12. Select Authentication in the organization settings sidebar.

  13. In the Enterprise section, click Add Provider to open the Add Provider dialog.

  14. In Step 1, select Okta from the dropdown menu.

  15. In Step 3, enter the issuer URL, client ID, and client secret information that you copied from Okta in the corresponding fields.

  16. Click Add. After the page loads, you should see Okta as an authentication provider in the Enterprise section.

  17. Click the Enabled toggle to activate the Okta authentication provider.

Okta is now configured as an enterprise authentication provider. Log in with Okta appears in the list of login options for your Dremio users.
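Before pasting the issuer URL, client ID and client secret into Dremio (steps 10 and 15 above), it is worth confirming that the issuer value you copied is exactly the one the discovery document announces and that every endpoint it points at is HTTPS on the same host: an issuer that does not match its own metadata is the starting point for issuer mix-up attacks, and a stray trailing slash is the most common reason the value is rejected. The script below is an added example, not Dremio's or Okta's code; `example.okta.com`, the sample discovery document, and the function names are placeholders and assumptions chosen for illustration.

```python
"""Sanity-check an Okta OIDC issuer and its discovery document before
configuring it as a Dremio authentication provider.

Added example, not Dremio's or Okta's code. SAMPLE_ISSUER and
SAMPLE_DISCOVERY are constructed placeholders shaped like an Okta org
authorization server's /.well-known/openid-configuration; a real one is
fetched with fetch_discovery().
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample (assumption): shape of Okta's discovery metadata.
SAMPLE_ISSUER = "https://example.okta.com"
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post"],
}

# Endpoints an authorization-code relying party actually uses.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(issuer, timeout=10):
    """Fetch <issuer>/.well-known/openid-configuration (network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def validate_discovery(issuer, doc):
    """Return a list of problems; an empty list means the issuer is usable.

    Checks what matters for a client-secret, authorization-code relying
    party such as the Dremio integration: exact issuer match (OIDC
    Discovery 4.3; defends against issuer mix-up), HTTPS endpoints on the
    issuer's own host, and support for the code flow, RS256 ID tokens and
    client-secret authentication at the token endpoint.
    """
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"issuer must be an https URL, got {issuer!r}")
    if parsed.query or parsed.fragment:
        problems.append("issuer must not carry a query string or fragment")
    if doc.get("issuer") != issuer:  # exact string comparison, on purpose
        problems.append(f"document issuer {doc.get('issuer')!r} != {issuer!r}")
    for key in ENDPOINTS:
        endpoint = doc.get(key)
        if not endpoint:
            problems.append(f"missing {key}")
            continue
        p = urlparse(endpoint)
        if p.scheme != "https":
            problems.append(f"{key} is not https: {endpoint}")
        if p.netloc != parsed.netloc:
            problems.append(f"{key} host {p.netloc!r} differs from issuer host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID-token signing not advertised")
    # Per OIDC Discovery, an absent list means client_secret_basic only.
    methods = doc.get("token_endpoint_auth_methods_supported",
                      ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("token endpoint does not accept a client secret")
    return problems


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    issuer = sys.argv[1] if live else SAMPLE_ISSUER
    doc = fetch_discovery(issuer) if live else SAMPLE_DISCOVERY
    for line in validate_discovery(issuer, doc) or ["issuer OK"]:
        print(line)
```

Run it with no arguments to check the constructed sample, or pass the issuer URL you copied in step 10 as the only argument to fetch and check the live document. An empty problem list is the value to paste into Dremio; the script deliberately does not normalise trailing slashes, because the issuer claim in every ID token must match the configured value byte for byte.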

Assign People and Groups to the Dremio Application

Follow the instructions in the Okta documentation to assign people or assign groups to the Dremio application to ensure that users can use Okta for SSO login. The users you assign, whether individually or through their membership in an assigned group, can use Log in with Okta immediately.

Use privileges and roles to manage user access to objects in Dremio.

Use Okta SSO to Log In to Dremio

Any Okta user who is assigned to the Dremio application can log in with Okta immediately. To use Okta SSO to log in to Dremio:

  1. Open the Dremio login page.

  2. Type your email address in the Email field and click Continue.

  3. Click Log in with Okta.

  4. When you are redirected to the Okta website for authentication, enter your Okta username and password and click Sign In.

Okta authenticates your identity and redirects you to Dremio, which then logs you in.

To configure Okta's SCIM provisioning feature and use Okta to manage access for Dremio users, see SCIM with Okta.

Revoke Okta SSO Login for a User or Group

To revoke users' access to Okta SSO login for Dremio:

  1. In Okta, open your Dremio application and select the Assignments tab.

  2. In the left menu, under Filters, select People to unassign an individual user or Groups to unassign a group of users.

  3. Find the row for the user or group you want to unassign and click the X on the right side of the row.

  4. In the confirmation dialog that appears, click OK.

Unassigned users immediately lose the ability to use Okta OIDC SSO to log in to Dremio. Unassigning does not delete their Dremio accounts: to remove a user completely, you must also delete the user account in Dremio.

Troubleshoot

This section describes some things to keep in mind about OIDC SSO in Okta.

  • To add the Dremio application in Okta and configure OIDC SSO, you must be a super administrator in the Okta organization.
  • If you only unassign a user from the Dremio application in Okta, and SCIM deactivation is not configured, the user can still log in to Dremio with their Dremio username and password. To make sure the user cannot log in to Dremio at all, delete their user account in Dremio.

Configure Okta with SCIM

System for Cross-domain Identity Management (SCIM) automates the synchronization of user accounts between your identity provider (IdP) and Dremio, eliminating the need for manual user management. When configured, your IdP sends user profile attributes (username, name, and active status, never passwords) to Dremio over an authenticated SCIM connection, automatically creating accounts for new users as needed. These users then authenticate through Okta SSO and log in to Dremio according to your organization's authentication policies.

Before you can configure SCIM provisioning, you must configure Okta as an identity provider (IdP) in Dremio. See Okta as an Identity Provider to integrate the Dremio application in your Okta organization and add Okta as an OpenID Connect (OIDC) single sign-on (SSO) IdP in Dremio. When that is complete, follow this guide to configure Okta to use SCIM for secure user provisioning.

Prerequisites

Configuring SCIM provisioning in Okta requires:

Supported Features

Dremio supports the following Okta SCIM provisioning features:

  • Create Users: Automatically create a new user account in Dremio for Okta users who are assigned to the Dremio application, whether they are assigned individually or as members of a group that is assigned to the application.
  • Update User Attributes: Automatically update user information in Dremio when a user's profile information is updated in Okta.
  • Deactivate Users: Prevent users from logging in to Dremio when they are deactivated in Okta.
  • Group Push: Push Okta groups and their members to Dremio to automatically create Dremio roles and members.

Configure SCIM Provisioning

To configure and enable SCIM provisioning in Okta:

  1. Confirm that you have configured Okta as an identity provider using the Dremio application.

  2. In Okta, navigate to Applications > Applications.

  3. Find the Dremio application in the list of applications and click to open it.

  4. Click the Provisioning tab.

  5. Click Configure API Integration.

  6. Select Enable API integration.

  7. Enter the Dremio personal access token (PAT) in the API Token field. Okta stores this token and presents it on every provisioning request it makes to Dremio, so treat it like any other administrative credential and generate it for an account intended for this integration.

  8. Click Test API Credentials. You should see a confirmation message that the connection was verified successfully.

  9. Click Save. Okta displays the Provisioning to App page.

  10. Click Edit.

  11. Select Enable for the Create Users, Update User Attributes, and Deactivate Users options.

  12. Click Save.

SCIM provisioning is now configured and enabled. You can create new users, update user attributes, and deactivate users in Dremio, all from Okta.

Create Users

After you configure Okta's SCIM provisioning and enable the Create Users option, Dremio automatically creates a new Dremio user account for anyone you assign to Dremio who does not already have an account. New Dremio users can log in to Dremio with Okta SSO immediately, and administrators can view their user accounts in Dremio.

  • New users are automatically members of the PUBLIC role in Dremio.
  • User email addresses are controlled by Okta rather than Dremio. If a user's email address changes, you must create a new user in Okta and assign them to the Dremio application. Then, the user can use the new email address to log in to Dremio as a new user.

Update User Attributes

With SCIM provisioning configured, updates to user attributes in Okta are propagated to the user account in Dremio. Follow the instructions in the Okta documentation to edit user attributes.

The First name and Last name attributes are mapped to user accounts in Dremio. After you configure Okta's SCIM provisioning and enable the Update User Attributes option, you can change these user attributes in Okta to update the corresponding user information in Dremio.

Deactivate Users

When you unassign a user or group in Okta, the affected users cannot use Okta OIDC SSO to log in to Dremio. After you configure Okta's SCIM provisioning and enable the Deactivate Users option, deactivated users also become inactive in Dremio and cannot log in to Dremio at all, whether with Okta OIDC SSO or with a username and password.

To completely delete Dremio users, you must also manually remove their user accounts in Dremio.

Group Push

If you enable the group push feature, Okta pushes your designated groups to Dremio as roles and populates the roles with the Okta group's members. Follow the instructions in the Okta documentation to enable group push.

Before you enable group push, make sure to follow Okta's instructions to assign the group to the Dremio application.

Use Okta to manage any roles you create with group push. Any changes you make to a role or its membership in Dremio are immediately overwritten by the next push from Okta. Making changes in Dremio can result in synchronization errors.

To remove a Dremio role created by group push, unlink the pushed group in the Dremio application. Unlinking the pushed group deletes the corresponding role in Dremio but does not delete the group members' Dremio user accounts.

Troubleshoot

This section describes some things to keep in mind about SCIM provisioning in Okta with the Dremio application.

  • Group push is not supported for groups that do not have any members. Pushing a group that does not have any members will result in an error.
  • In Okta, it is possible to change a user's username. Dremio does not allow username updates. If you change a user's Okta username after the user is assigned to the Dremio application, Okta sends a request to update the username in Dremio. Dremio denies the request because Dremio username changes are not allowed.
  • Changing an existing user's primary email address in Okta has no effect on the user's account in Dremio. To permit a user to authenticate to Dremio with the new email address, add the user to Okta as a new person using the new email address. Then, assign the new Okta user to the Dremio application, either individually or by adding them to an assigned group. Okta creates a new Dremio user who can use Okta SSO to log in to Dremio with the new email address.
  • If you remove a user from an assigned group and the user is still listed as ACTIVE in Dremio, check the Assignments tab in the Dremio application to make sure the user isn't separately assigned as a person. Okta only sends deactivate requests for users who are both unassigned as a person and removed from assigned groups.
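The rules in the Create Users, Update User Attributes, Deactivate Users, Group Push and Troubleshoot sections above describe what happens on the Dremio side of each SCIM request Okta sends. The model below puts those rules into runnable form so that the request shapes and the edge cases (a rejected username change, a pushed group with no members, a deactivate that is only sent once a user is both unassigned as a person and removed from every assigned group) can be exercised locally. It is an added example, not Dremio's or Okta's code: the in-memory store, the sample payloads, the exact HTTP status codes and the `scimType` values are assumptions made for illustration; the payload shapes follow SCIM 2.0 (RFC 7643/7644) as Okta sends them.

```python
"""In-memory model of the SCIM provisioning rules described on this page.

Added example, not Dremio's or Okta's code. Request shapes follow SCIM 2.0
(RFC 7643/7644) as Okta sends them; the store, the status codes and the
scimType values are assumptions made for illustration.
"""

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
DEFAULT_ROLE = "PUBLIC"  # every new user lands in the PUBLIC role

# Constructed sample (assumption) of the POST /Users body Okta sends.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"primary": True, "value": "ada@example.com"}],
    "active": True,
}


class ScimError(Exception):
    """A SCIM error response: HTTP status plus scimType (RFC 7644, 3.12)."""

    def __init__(self, status, scim_type, detail):
        super().__init__(f"{status} {scim_type}: {detail}")
        self.status, self.scim_type = status, scim_type


def new_store():
    return {"users": {}, "roles": {}}


def create_user(store, payload):
    """Create Users: POST /Users creates the account and adds it to PUBLIC."""
    if USER_SCHEMA not in payload.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "missing core User schema")
    username = payload["userName"]
    if username in store["users"]:
        raise ScimError(409, "uniqueness", f"{username} already exists")
    name = payload.get("name", {})
    user = {"userName": username, "givenName": name.get("givenName", ""),
            "familyName": name.get("familyName", ""),
            "active": bool(payload.get("active", True))}
    store["users"][username] = user
    store["roles"].setdefault(DEFAULT_ROLE, set()).add(username)
    return user


def patch_user(store, username, patch):
    """Update User Attributes / Deactivate Users: PATCH /Users/{id}."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "missing PatchOp schema")
    user = store["users"].get(username)
    if user is None:
        raise ScimError(404, "noTarget", f"no user {username}")
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ScimError(400, "invalidValue", f"unsupported op {op['op']}")
        # Okta uses both forms: {"path": "x", "value": v} and {"value": {"x": v}}.
        changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
        for path, value in changes.items():
            if path == "userName":
                # Dremio does not allow username changes (see Troubleshoot);
                # "mutability" is RFC 7644's scimType for exactly this case.
                raise ScimError(400, "mutability", "userName is immutable")
            if path == "name.givenName":
                user["givenName"] = value
            elif path == "name.familyName":
                user["familyName"] = value
            elif path == "active":
                user["active"] = bool(value)
            else:
                raise ScimError(400, "invalidPath", f"unsupported path {path}")
    return user


def can_log_in(store, username, method):
    """A deactivated user can log in neither with Okta SSO nor with a password."""
    user = store["users"].get(username)
    return method in ("okta_sso", "password") and bool(user and user["active"])


def push_group(store, group_name, members):
    """Group Push: the Okta group becomes a role whose membership is replaced
    wholesale on each push, so edits made in Dremio do not survive."""
    if not members:
        raise ScimError(400, "invalidValue", "cannot push a group with no members")
    unknown = sorted(m for m in members if m not in store["users"])
    if unknown:  # members must already be assigned, and therefore provisioned
        raise ScimError(400, "invalidValue", f"unprovisioned members: {unknown}")
    store["roles"][group_name] = set(members)
    return sorted(store["roles"][group_name])


def okta_should_deactivate(username, assigned_people, assigned_groups):
    """Okta sends a deactivate only when the user is neither assigned as a
    person nor a member of any group that is assigned to the application."""
    in_group = any(username in members for members in assigned_groups.values())
    return username not in assigned_people and not in_group
```

The two details most worth noticing when reading Okta's provisioning logs against this model are the `mutability` rejection, which is the expected (not a failed) outcome of renaming a user in Okta, and `okta_should_deactivate`, which explains why a user removed from a group can remain ACTIVE in Dremio while a separate person assignment still exists.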