On this page

    Configuring SSO in AWS Edition

    This topic describes how to configure Dremio AWS Edition for authentication with Azure Active Directory or for Single Sign On (SSO) Authentication with an Identity Provider using OpenID.

    Note

    This is an Enterprise Edition feature and requires upgrading to the Enterprise Edition of Dremio AWS.

    Requirements

    To use Azure Active Directory or OpenID, Dremio’s webserver must have web server encryption enabled. For more information, see Configuring Wire Encryption.

    Configuring Azure Active Directory Authentication

    note:

    To know more about Azure AD, see Azure Active Directory Authentication

    You must do the following changes in azuread.json and dremio.conf files for configuring SSO:

    1. Add the following properties in the azuread.json file:

      {
        "oAuthConfig": {
            "clientId": "<clientId>",
            "clientSecret": "<clientSecret>",
            "redirectUrl": "https://<dremio.host>:9047/sso",
            "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
            "scope": "openid profile offline_access",
            "jwtClaims": {
              "userName": "preferred_username"
            }
          }
      }
      

      Where:

      • clientId: It appears on the Overview screen of your application. This property is also called application ID. A clientId is applicable to the context where you acquire a token using one of the OAuth flows that Azure AD supports. The application ID is same for single application object that corresponds to an application.
      • clientSecret: It is the secret that was created in the [Setting Up Azure AD]((../../../../security/sso-config/#setting-up-azure-ad) section.
      • redirectUrl: It is the redirect URI that was created in the [Setting Up Azure AD]((../../../../security/sso-config/#setting-up-azure-ad) section.
      • directory.id: It appears on the Overview screen of your application. This property is also called tenant ID.
    2. Uncomment these two lines in the dremio.conf file.

      services.coordinator.web.ssl.enabled: true
      services.coordinator.web.ssl.auto-certificate.enabled: true
      
    3. Add the following configuration in the dremio.conf file.

      services: {
        coordinator.enabled: true,
        coordinator.web.auth.type: "azuread",
        coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
      }
      

    Configuring OpenID Authentication

    To configure Single Sign On with an Identity Provide over OpenID, perform the following steps:

    1. Configure the dremio.conf file to include the following configuration.

      services.coordinator.web.auth.type: "oauth"
      services.coordinator.web.auth.config: "/path/to/oauth.json"
      
    2. Create an oauth.json file with the following properties.

      {
       "clientId": "clientId",
       "clientSecret": "clientSecret",
       "redirectUrl": "http://dremioHost:9047/sso",
       "authorityUrl": "authorityUrl",
       "scope": "openid profile email",
       "jwtClaims": {
         "userName": "$nameField"
       },
       "parameters": [
        {"name": "access_type", "value": "offline"},
        ...
      ]
      }
      

      The following table describes the oauth.json file properties.

      ParameterDescription
      clientIdIt is based on the OpenID provider.
      clientSecretIt is based on the OpenID provider.
      redirectUrlThe URL where Dremio is hosted. The URL must match the redirect url set in the OpenID Provider.
      authorityUrlThe location where Dremio can find the OpenID discovery document. For example, Google’s location is `https://accounts.google.com/.well-known/openid-configuration` and the authorityUrl therefore to use is `https://accounts.google.com`, the base location of the well-known directory.
      scopeIt is based on the OpenID provider.
      jwtClaimsMaps fields from the JWT token to fields Dremio requires. The only field currently required is userName, which you should set to the field in JWT that contains the user’s username. For example, this can be `email` if you want the usernames in Dremio to be the user’s email address.
      parametersOptional - any additional parameters required by the OpenID providers.