Configuring SSO

This topic describes how to configure Dremio for Single Sign On (SSO) Authentication with an identity provider (IdP) using OpenID.

Enterprise Edition only

Warning

Dremio does not allow switching between authentication modes: SSO vs. Dremio authentication. If you are switching from Dremio authentication to SSO authentication (or vice versa), you must reinstall Dremio (which results in losing all VDSs, reflections, etc.) and specify your chosen authentication method then.

Requirements

To use Azure Active Directory or OpenID, Dremio’s webserver must have web server encryption enabled. See the Web Server Encryption section in Configuring Wire Encryption for more information.

Azure Active Directory Authentication

Setting Up Azure AD

To set up and configure Azure AD:

  1. In Azure AD, navigate to the App registrations section to create a new App registration for the Azure AD instance with your name and the account type.
  2. Click on New Registration.
  3. Complete the Register an application form by adding the name, supported account types, and redirect URI
    (https://{dremio.host}:9047/sso), and press Save. Note that the same URI is specified later when you configure Dremio.
  4. Click on the app name that you registered to navigate to the app details screen.
  5. Navigate to the Certificates & secrets section and click on New client secret.
  6. Provide a client secret description and expiration, then click on Add. Be sure to copy the secret and store it safely, as it won’t be visible after you leave the page.
  7. Navigate to API permissions, click on Add a permission, and then click on Microsoft Graph.
  8. Select Application permissions.
  9. Under Select permissions, search for Directory.Read.all, select the Directory.Read.all permission box, and click Add permission. This permission is required for Dremio to read from Azure AD. Ensure that the permission status is green so that Dremio can read from Azure AD.

Configuring Dremio for Azure AD

When configuring Dremio for Azure Active Directory, you modify the dremio.conf and azuread.json files. These modified files must be copied to the /conf directory on all coordinator nodes.

Important

To enable Azure Active Directory support, all coordinator nodes must be configured prior to deploying the Dremio cluster.

To configure Dremio for Azure Active Directory:

  1. Edit the dremio.conf file, and add the following properties:
    services: {
      coordinator.enabled: true,
      coordinator.web.auth.type: "azuread",
      coordinator.web.auth.config: "azuread.json"
    }
    
  2. Edit the azuread.json file and add the following properties:
    {
      "oAuthConfig": {
        "clientId": "<clientId>",
        "clientSecret": "<clientSecret>",
        "redirectUrl": "https://<dremio.host>:9047/sso",
        "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
        "scope": "openid profile offline_access",
        "jwtClaims": {
          "userName": "preferred_username"
        }
      }
    }
    
    • clientId: The application (client) ID shown on the Overview screen of your application. It identifies the application whenever you acquire a token using one of the OAuth flows that Azure AD supports, and it is the same for the single application object that corresponds to your application.
    • clientSecret: The client secret created in the Setting Up Azure AD section.
    • redirectUrl: The redirect URI registered in the Setting Up Azure AD section.
    • directory.id: Shown on the Overview screen of your application. This value is also called the tenant ID.
  3. Copy the modified dremio.conf and azuread.json files to every coordinator node in the Dremio cluster.

Important

The configuration in the dremio.conf and azuread.json files must exist and match on all coordinator nodes.

Using Azure’s Managed Storage Identities

Dremio supports using Azure’s Managed Storage Identities feature to retrieve the client secret when running inside Azure. Use this feature if you want to avoid storing the secret in plain text in azuread.json.

To set up Azure’s Managed Storage Identities:

  1. Create an Azure Key Vault and add a new secret to it. The Key Vault prompts for a name and a value; the value is the client secret generated for the application.
  2. Go to the Access policies section of the Key Vault and add the Azure Active Directory application. Make sure that you give it Get permission for Secrets.
  3. Change the clientSecret value in azuread.json to the following URI:
      ...
      "clientSecret": "azure-vault+https://{keyvault.name}.vault.azure.net/#{secret.name}",
      ...
    
    Note: This special URI tells Dremio to access the Key Vault located at https://{keyvault.name}.vault.azure.net and load the secret named {secret.name}. The Key Vault’s DNS name is shown on its Overview page under DNS Name.

OpenID Authentication

To configure Single Sign On with an Identity Provider over OpenID, perform the following steps:

  1. Configure the dremio.conf file to include the following configuration.
    services.coordinator.web.auth.type: "oauth"
    services.coordinator.web.auth.config: "/path/to/oauth.json"
    
  2. Create an oauth.json file with the following properties.
    {
      "clientId": "clientId",
      "clientSecret": "clientSecret",
      "redirectUrl": "http://dremioHost:9047/sso",
      "authorityUrl": "authorityUrl",
      "scope": "openid profile email",
      "jwtClaims": {
        "userName": "email"
      },
      "parameters": [
        {"name": "access_type", "value": "offline"},
        ...
      ]
    }

The oauth.json file properties are described below.

    • clientId: Provided by the OpenID provider.
    • clientSecret: Provided by the OpenID provider.
    • redirectUrl: The URL where Dremio is hosted. It must match the redirect URL registered with the OpenID provider.
    • authorityUrl: The base location where Dremio can find the OpenID discovery document. For example, Google’s discovery document is at https://accounts.google.com/.well-known/openid-configuration, so the authorityUrl to use is https://accounts.google.com, the base location of the .well-known directory.
    • scope: Provider-specific. The openid scope is always required; other scopes vary by provider.
    • jwtClaims: Maps fields from the JWT to fields Dremio requires. The only field currently required is userName; set it to the JWT claim that contains the user’s username.
    • parameters: Optional. Any additional parameters required by the OpenID provider.
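Both configuration files above (azuread.json, optionally with the azure-vault+ secret reference, and oauth.json) follow the same shape, so a pre-deployment check can catch the mistakes that otherwise surface only after the cluster is up. The following is an added example, not Dremio’s own code: it parses the Key Vault URI format, derives the discovery-document location from authorityUrl, and lints a config against the requirements stated on this page (https redirect, openid scope, a userName claim mapping). The sample config and its values are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the azuread.json above; every value is a placeholder.
SAMPLE_CONFIG = json.loads("""
{
  "oAuthConfig": {
    "clientId": "<clientId>",
    "clientSecret": "azure-vault+https://myvault.vault.azure.net/#dremio-client-secret",
    "redirectUrl": "https://dremio.example.com:9047/sso",
    "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
    "scope": "openid profile offline_access",
    "jwtClaims": {"userName": "preferred_username"}
  }
}
""")
VAULT_PREFIX = "azure-vault+"
REQUIRED = ("clientId", "clientSecret", "redirectUrl", "authorityUrl", "scope", "jwtClaims")

def parse_vault_secret_ref(value):
    """Split azure-vault+https://{vault}.vault.azure.net/#{secret} into (vault URL, secret name);
    return None when the value is a literal secret rather than a Key Vault reference."""
    if not value.startswith(VAULT_PREFIX):
        return None
    url = urlparse(value[len(VAULT_PREFIX):])
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net") or not url.fragment:
        raise ValueError("malformed azure-vault reference: " + value)
    return "https://" + url.hostname, url.fragment

def discovery_url(authority_url):
    """Where Dremio looks for the OpenID discovery document, derived from authorityUrl."""
    return authority_url.rstrip("/") + "/.well-known/openid-configuration"

def lint_sso_config(cfg):
    """Return the problems found; an empty list means the config passes these checks."""
    cfg = cfg.get("oAuthConfig", cfg)  # azuread.json nests under oAuthConfig, oauth.json does not
    problems = ["missing property: " + k for k in REQUIRED if k not in cfg]
    if problems:
        return problems
    if urlparse(cfg["redirectUrl"]).scheme != "https":
        problems.append("redirectUrl must use https (web server encryption is required)")
    if "openid" not in cfg["scope"].split():
        problems.append("scope must include openid")
    if not cfg["jwtClaims"].get("userName"):
        problems.append("jwtClaims.userName is required")
    try:
        parse_vault_secret_ref(cfg["clientSecret"])
    except ValueError as err:
        problems.append(str(err))
    return problems
```

Run lint_sso_config over the parsed file before copying it to the coordinator nodes; a non-empty result lists what to fix.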

Administration

Logging in with SSO

When SSO is configured, you are redirected to Azure to log in using SSO. Dremio also uses Azure Active Directory for directory services and to look up users and groups.

Backing up with SSO

When using an SSO configuration, you must use a personal access token (PAT) as the SSO password. See Personal Access Tokens for information on enabling PATs.

$ ./dremio-admin backup -u se3@dremioqa.onmicrosoft.com -d /tmp
password: 
Backup created at /tmp/dremio_backup_2019-07-17_23.08, dremio tables 32, uploaded files 1

If you use your SSO password instead of your PAT, you will see the following:

$ ./dremio-admin backup -u se3@dremioqa.onmicrosoft.com -d /tmp
password: 
Failed to create backup at /tmp:java.io.IOException: Status 500 (Internal Server Error): 
Something went wrong (more info: Cannot authenticate users when using Azure AD)

Deleting Users

Important

When deleting users from SSO, ensure that all Personal Access Tokens (PATs) are also deleted.

Power BI Authorization

This topic describes configuring authorization of Dremio with Azure Active Directory (Azure AD or AAD) to support Power BI single sign-on (SSO). With this authorization option, Dremio is able to handle secure user authorization with an identity provider (IdP) using JSON Web Tokens (JWTs).

Requirements

Understanding Authentication Values

In a standard SSO setup, Dremio serves as the resource provider and authorization server for a client application while AAD authenticates the user. With the Power BI SSO functionality, Azure AD may instead be configured in Dremio as an external authorization server (token provider).

The following sections offer additional context regarding the values required to correctly enable this feature. On OAuth tokens received from a token provider, Dremio specifically looks for the JWT claims named in the following jwtClaims configuration:

{
  "jwtClaims": {
    "AADTenantId": "2e989880-c1d7-5d47-0gbg-0411g",
    "userClaim": "preferred_username"
  }
}

The authorization process for these tokens is as described below:

  1. An admin enables Azure AD as a token provider using Dremio’s Power BI Authorization feature.
  2. A user connects to the client application, whereupon the user is sent to the external token provider.
  3. The token provider authorizes the user, obtains their consent, and returns an authorization code followed by a JWT to the client application.
  4. The client application exchanges the JWT for a Dremio token.
  5. The client application then uses the Dremio token to connect to the Dremio service.
  6. Dremio verifies the user using the token and grants access only to resources the user has permissions for.

Azure Active Directory Tenant ID

Azure AD utilizes a subscription-application trust relationship, which is used to authorize users with a service such as Power BI or Dremio. Each subscription assigns an organization a tenant ID, which is used to verify and validate users as trusted.

Dremio requires the following claim in associated tokens:

"AADTenantId": "2e989880-c1d7-5d47-0gbg-0411g"

Instructions for how to find your tenant ID may be found here.

User Claim Mapping

The User Claim Mapping field identifies the claim that names the specific user the token is issued for, which should be their Dremio username. This is a private claim name, but an IdP must supply it so that Dremio can determine the user’s permissions and access. The field tells Dremio which custom claim carries the username for your provider, such as preferred_username.

Note

In order to use a token for user claims, the included username must already exist on Dremio.

From the example above, a user might appear as:

"preferred_username": "user123"
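The six-step flow and the two claims above reduce to a small set of checks on the token Dremio receives. The following is an added example, not Dremio’s code: it decodes a compact JWT payload and applies the tenant, issuer, expiry, user-claim and user-must-exist checks that the AADTenantId and userClaim settings imply. The settings, claims, tenant ID and user list are constructed placeholders; the issuer format follows the login.microsoftonline.com/<tenant>/v2.0 authority URL used elsewhere on this page, and signature verification against the tenant’s JWKS is assumed to happen before these checks.

```python
import base64
import json
import time

# Constructed settings mirroring the jwtClaims block above; the tenant ID is a placeholder.
POWER_BI_AUTH = {"AADTenantId": "11111111-2222-3333-4444-555555555555",
                 "userClaim": "preferred_username"}
KNOWN_USERS = {"user123", "analyst@example.com"}  # constructed stand-in for Dremio's user list

# Constructed claims of the kind an AAD v2.0 token carries; iss follows the authorityUrl format above.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "exp": 2000000000,
    "preferred_username": "user123",
}

def encode_sample_token(claims):
    """Build a compact JWT with a dummy signature, for offline tests only (constructed data)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "RS256", "typ": "JWT"}) + "." + seg(claims) + ".dummy-signature"

def decode_jwt_payload(token):
    """Base64url-decode the payload of a compact JWT. This does NOT verify the signature;
    a real deployment must first verify RS256 against the tenant's JWKS (assumed done upstream)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def authorize_power_bi_token(claims, settings, known_users, now=None):
    """Apply the checks the Power BI SSO settings imply: expiry, tenant, issuer, user claim,
    and the rule that the user must already exist in Dremio. Returns (ok, username_or_reason)."""
    now = time.time() if now is None else now
    tenant = settings["AADTenantId"]
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("tid") != tenant:
        return False, "tenant mismatch"
    if claims.get("iss") != "https://login.microsoftonline.com/%s/v2.0" % tenant:
        return False, "unexpected issuer"
    user = claims.get(settings["userClaim"])
    if not user:
        return False, "missing user claim " + settings["userClaim"]
    if user not in known_users:
        return False, "user %s does not exist in Dremio" % user
    return True, user
```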

Configuring Power BI SSO

To identify the Azure application housing user information for Power BI users, Dremio needs the Azure tenant ID.

Perform the following steps to configure Power BI SSO:

  1. From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.

  2. On the Settings page, click Support from the left-hand menu.

  3. Under the Support Key section, enter auth.external-token-providers.enabled in the search bar on the right and click Show.

  4. Where the new support key appears at the top of the list of keys, click the Enable button.

  5. Click BI Applications > Authorization from the left sidebar.

  6. Select Enable single sign on for Power BI.

  7. For Azure Active Directory Tenant ID, enter the tenant ID of your Azure AD account. The tenant ID is described here.

  8. For User Claim Mapping, enter the claim’s name of the Azure AD token that maps to the Dremio username. The user claim is described here.

  9. Click Save.

  10. Grant Dremio access to your AAD tenant, if access to it was not already granted:

    a. Paste this URL into a web browser, where <tenant-ID> is the tenant ID and <host-url> is the hostname of your Dremio deployment:

    https://login.microsoftonline.com/<tenant-ID>/v2.0/adminconsent?client_id=429333a8-1521-4502-9101-6d4f2c1de644&scope=https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Mail.Send&redirect_uri=<host-url>/sso&state=12345
    

    b. Follow the prompts from Microsoft by signing in with an account that you use to sign into Dremio.

    c. In the prompt titled Need admin approval, click “Have an admin account? Sign in with that account” and sign in with an admin account for your AAD tenant.

Disabling Power BI SSO

Perform the following steps to disable the Power BI SSO configuration:

  1. From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.
  2. Click BI Applications > Authorization from the left sidebar.
  3. Deselect Enable single sign on for Power BI to disable the single sign-on service if it is checked.
  4. Click Save.

Additional Information