Integrating Dremio with Okta

Version Requirement:

This describes functionality only available in Dremio v18.X and later.

Okta is an identity management application that may be integrated with Dremio via SCIM. Once configured, administrators may select authorized users in Okta, which are then automatically created in Dremio. Their username and password must be set and managed from Okta.

SCIM

System for Cross-domain Identity Management (SCIM) is used as a standard method for linking systems like Okta to Dremio for user provisioning. When configured, Okta automatically sends the credentials of assigned users securely through SCIM to your Dremio server, automatically creating user accounts with passwords. These new users may then log in on Dremio using their previously-assigned Okta credentials.

Note:

You cannot reset or change an external user’s password from Dremio as this is governed by your organization’s identity manager.

If you delete an external user from Dremio, Okta will re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, follow the steps under Revoking Access to Dremio.

Requirements

The following configurations must be utilized:

  • Version SCIM 2.0
  • Connector Authentication Method: Header Auth

Configuring Okta with SCIM

The following sections outline the process of setting up Okta to communicate with Dremio over SCIM. The process is divided into sections, which should be completed in the order given.

1. Adding the SCIM App

  1. From the Okta interface, navigate to the Applications page.
  2. Click Browse App Catalog and search for SCIM.
  3. Select SCIM 2.0 Test App (Header Auth) and then click Add from the app’s page.
  4. Enter an Application label and then click Next.
  5. From the Sign on Methods page, select the Secure Web Authorization radio button and then the Administrator sets username, user sets password option.
  6. Click Done.

2. Starting SCIM Configuration

  1. From the SCIM app screen, click on the Provisioning tab.
  2. Select the Integration tab and then click Configure API Integration.
  3. Click Enable API Integration.
  4. Enter the URL to your Dremio server (preferably HTTPS) in the Base URL field with the following format:
{scheme}://{dremio_host}:9047/scim/v2

3. Generating Access Tokens

The following types of API tokens may be used:

  • Dremio admin access token (valid for 8 hours) with the format _dremioxxx
  • Dremio Personal Access token (valid for 90 days max) with the format bearer {PAT}

To obtain either of these tokens, please refer to the Personal Access Tokens help page.

Once you’ve obtained a token, complete the following steps:

  1. From the Okta screen, in the API Token field enter the text bearer (including a space after the word) and then paste the token.
  2. Click Test API Credentials to ensure Okta can access your instance of Dremio. A green message should appear at the top of the screen saying the API was verified successfully!
  3. Click Save.

4. Completing SCIM Configuration

  1. Navigate to the Provisioning tab, and then the To App sub-tab.
  2. Click the Edit button to the right of the Provisioning to App header.
  3. Select the Enable checkbox for Create Users, Update User Attributes, and Deactivate Users. Make any other selections as desired.
  4. Click Save.

SCIM is fully configured, which means users added from Okta will now be automatically created in Dremio.

Assigning Access to Dremio

Only users or groups granted access via the SCIM app will have an account automatically created in Dremio.

Assigning Users

To assign or grant users access to Dremio, perform the following steps:

  1. From the Okta interface, navigate to the Assignments tab.
  2. Click the Assign drop-down at the top-left corner of the screen and select Assign to People.
  3. Locate the desired users by scrolling or using the search bar.
  4. Click the Assign button next to the desired user.
  5. Scroll down and click Save and Go Back.

That user is now granted access to Dremio and an account is automatically created in the application. They may log in on Dremio immediately and administrators may view their account from the Users screen.

We recommend assigning privileges and roles to manage their access to objects in Dremio.

Assigning Groups

To assign or grant groups of users access to Dremio, perform the following steps:

  1. From the Okta interface, navigate to the Assignments tab.
  2. Click the Assign drop-down at the top-left corner of the screen and select Assign to Groups.
  3. Click Push Groups > Push Groups to push an Okta group to Dremio.

All users associated with the group will be synchronized in Dremio. The group will also synchronize with Dremio as a role with all group members assigned to the role.

Users associated with the group may log in on Dremio immediately and administrators may view their account from the Users screen.

We recommend assigning privileges to manage role members' access to objects in Dremio.

Revoking Access to Dremio

If you wish to revoke access to Dremio for specific users or groups, complete these steps.

  1. From the SCIM app, navigate to the Assignments tab.
  2. Click the Delete (X) button on the far right of the desired user’s row.

The deleted user(s) may no longer log in on Dremio. However, this does not delete their account from Dremio.
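
Because revoked users keep an account in Dremio, it is worth periodically comparing the accounts Dremio holds with the users still assigned in Okta. The following is an added example, not code from Dremio or Okta: it assumes the Dremio SCIM endpoint answers a user listing with a standard SCIM 2.0 ListResponse carrying userName and active attributes, and all sample data is constructed.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: body of a SCIM 2.0 user listing (assumed to be what
# GET {base_url}/Users returns from the Dremio SCIM endpoint).
SAMPLE_SCIM_USERS = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 4,
    "Resources": [
        {"id": "1", "userName": "alice@example.com", "active": True},
        {"id": "2", "userName": "Bob@example.com", "active": True},
        {"id": "3", "userName": "carol@example.com", "active": False},
        {"id": "4", "userName": "dave@example.com"},  # no "active" attribute
    ],
})

# Constructed sample: users currently listed on the SCIM app's Assignments tab.
SAMPLE_OKTA_ASSIGNED = ["alice@example.com", "bob@example.com", "erin@example.com"]


def reconcile(scim_body, okta_assigned):
    """Compare accounts in the SCIM listing with Okta assignments."""
    doc = json.loads(scim_body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch remaining pages before auditing")

    # SCIM userName is case-insensitive (RFC 7643), so compare case-folded.
    assigned = {name.casefold() for name in okta_assigned}
    seen = set()
    report = {"still_active": [], "deactivated": [], "not_provisioned": []}
    for user in resources:
        name = user["userName"].casefold()
        seen.add(name)
        if name in assigned:
            continue
        # Unassigned but present: a missing "active" is treated as active.
        key = "still_active" if user.get("active", True) else "deactivated"
        report[key].append(name)
    report["not_provisioned"] = sorted(assigned - seen)
    return report


if __name__ == "__main__":
    print(reconcile(SAMPLE_SCIM_USERS, SAMPLE_OKTA_ASSIGNED))
```

Entries under still_active are accounts that exist in Dremio without an Okta assignment and are the ones to review first; deactivated entries are the expected leftover after a revocation.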