
    Configuring SSO in AWS Edition enterprise

    This topic describes how to configure Dremio AWS Edition for authentication with Azure Active Directory or for Single Sign On (SSO) Authentication with an Identity Provider using OpenID.

    Requirements

    To use Azure Active Directory or OpenID, Dremio’s web server must have web server encryption (TLS) enabled. For more information, see Configuring Wire Encryption.

    Configuring Azure Active Directory Authentication

    note:

    To learn more about Azure AD, see Azure Active Directory Authentication.

    Make the following changes to the azuread.json and dremio.conf files to configure SSO:

    1. Add the following properties in the azuread.json file:

      Properties to add to azuread.json file
      {
        "oAuthConfig": {
           "clientId": "<clientId>",
           "clientSecret": "<clientSecret>",
           "redirectUrl": "https://<dremio.host>:9047/sso",
           "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
           "scope": "openid profile offline_access",
           "jwtClaims": {
             "userName": "preferred_username"
           }
        }
      }
      

      Where:

      • clientId: Appears on the Overview screen of your application; it is also called the application ID. The clientId identifies the application in whichever OAuth flow supported by Azure AD you use to acquire a token, and it is the same for the single application object that corresponds to an application.
      • clientSecret: The secret that was created in the Setting Up Azure AD section.
      • redirectUrl: The redirect URI that was created in the Setting Up Azure AD section.
      • directory.id: Appears on the Overview screen of your application; it is also called the tenant ID.

    note:

    In Dremio 24+, clientSecret can be encrypted using the dremio-admin encrypt CLI command.

    2. Uncomment these two lines in the dremio.conf file.

      Lines to uncomment in dremio.conf file
      services.coordinator.web.ssl.enabled: true
      services.coordinator.web.ssl.auto-certificate.enabled: true
      
    3. Add the following configuration in the dremio.conf file.

      Configuration to add to dremio.conf file
      services: {
        coordinator.enabled: true,
        coordinator.web.auth.type: "azuread",
        coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
      }
      

    Configuring OpenID Authentication

    To configure Single Sign On with an Identity Provider over OpenID, perform the following steps:

    1. Configure the dremio.conf file to include the following configuration.

      Configuration to add to dremio.conf file
      services.coordinator.web.auth.type: "oauth"
      services.coordinator.web.auth.config: "/path/to/oauth.json"
      
    2. Create an oauth.json file with the following properties.

      Configuration to add to oauth.json file
      {
        "clientId": "clientId",
        "clientSecret": "clientSecret",
        "redirectUrl": "https://dremioHost:9047/sso",
        "authorityUrl": "authorityUrl",
        "scope": "openid profile email",
        "jwtClaims": {
          "userName": "$nameField"
        },
        "parameters": [
          {
            "name": "access_type",
            "value": "offline",
            ...
          }
        ]
      }
      

      The following list describes the oauth.json file properties.

      • clientId: Depends on the OpenID provider.
      • clientSecret: Depends on the OpenID provider. NOTE: In Dremio 24+, clientSecret can be encrypted using the dremio-admin encrypt CLI command.
      • redirectUrl: The URL where Dremio is hosted. It must match the redirect URL set in the OpenID provider.
      • authorityUrl: The location where Dremio finds the OpenID discovery document. For example, Google’s discovery document is at `https://accounts.google.com/.well-known/openid-configuration`, so the authorityUrl to use is `https://accounts.google.com`, the base location of the well-known directory.
      • scope: Depends on the OpenID provider.
      • jwtClaims: Maps fields from the JWT token to the fields Dremio requires. The only field currently required is userName; set it to the JWT field that contains the user’s username. For example, use `email` if you want Dremio usernames to be the users’ email addresses.
      • parameters: Optional. Any additional parameters required by the OpenID provider.
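      The following is an added example, not Dremio code or part of the original page: a small pre-deployment check for an oauth.json or azuread.json body that flags the mistakes the sections above warn about (a non-https redirectUrl despite the wire-encryption requirement, an authorityUrl that points at the discovery document instead of its base, a scope without openid, a placeholder clientSecret) and shows how the jwtClaims.userName mapping picks the Dremio username out of an ID token. The sample JSON, the hostname and the token claims are constructed for illustration.

```python
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample in the shape of this page's oauth.json (hypothetical values,
# deliberately containing several of the mistakes the checker looks for).
SAMPLE_OAUTH_JSON = """{
  "clientId": "dremio-sso-client",
  "clientSecret": "<clientSecret>",
  "redirectUrl": "http://dremio.example.internal:9047/sso",
  "authorityUrl": "https://accounts.google.com/.well-known/openid-configuration",
  "scope": "profile email",
  "jwtClaims": {"userName": "email"}
}"""

def load_sso_config(text: str) -> dict:
    """Parse oauth.json or azuread.json; azuread.json nests everything under oAuthConfig."""
    cfg = json.loads(text)
    return cfg.get("oAuthConfig", cfg)

def lint_sso_config(cfg: dict) -> list:
    """Return the problems a review of the SSO config should flag before deployment."""
    problems = []
    for key in ("clientId", "clientSecret", "redirectUrl", "authorityUrl", "scope", "jwtClaims"):
        if key not in cfg:
            problems.append(f"missing property: {key}")
    if cfg.get("clientSecret", "").startswith("<"):
        problems.append("clientSecret is still a placeholder")
    redirect = urlparse(cfg.get("redirectUrl", ""))
    if redirect.scheme != "https":
        # Web server encryption is a stated requirement, so the callback must be served over TLS.
        problems.append("redirectUrl must use https")
    if not redirect.path.endswith("/sso"):
        problems.append("redirectUrl must end with /sso, as in the documented examples")
    if cfg.get("authorityUrl", "").endswith(DISCOVERY_PATH):
        # authorityUrl is the base location of the well-known directory, not the document itself.
        problems.append("authorityUrl must be the base URL, without " + DISCOVERY_PATH)
    if "openid" not in cfg.get("scope", "").split():
        problems.append("scope must include openid")
    if not cfg.get("jwtClaims", {}).get("userName"):
        problems.append("jwtClaims.userName must name the JWT claim holding the username")
    return problems

def dremio_username(cfg: dict, id_token_claims: dict) -> str:
    """Apply the jwtClaims.userName mapping to the claims of a (constructed) ID token."""
    claim = cfg["jwtClaims"]["userName"]
    if claim not in id_token_claims:
        raise KeyError(f"ID token carries no '{claim}' claim; check jwtClaims.userName")
    return id_token_claims[claim]
```

Running lint_sso_config on the constructed sample reports four problems; once the redirectUrl is switched to https, the authorityUrl trimmed to its base, openid added to the scope and a real secret supplied, the list is empty.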