Create a Dremio Instance with SSO

Prerequisites

• You have a STACKIT customer account: Create a customer Account
• You have a STACKIT user account: Create a user account
• You have a STACKIT project: Create a project
• You have admin access to your Identity Provider and can register new applications.

Single Sign-On to Access Dremio

Dremio can be configured to allow users to login into the Dremio Console using their Identity Provider (IdP) accounts.

STACKIT Dremio currently supports two types of Identity Providers:

• Microsoft Entra ID
• OpenID Connect

This guide focuses on how to configure a new STACKIT Dremio instance with SSO enabled through an OpenID Connect IdP.

Register Dremio as a Client

In order to receive the client credentials required to configure Dremio with SSO authentication enabled, first you must register it as an new client in your Identity Provider (IdP).

While the exact details required by each IdP may vary, the following details are common and likely to be requested during registration.

• Client Name: This can be anything you would like to name your Dremio instance as a client of your IdP.
• Client Type: Most IdPs support public and confidential clients, depending on their ability to safely store a client secret. Dremio behaves as a confidential client.
• Redirect URL: The target URL used to redirect an authenticated user.

Providing a Redirect URL

The exact value of the redirect URL will not be known until the Dremio instance is created. The redirect URLs follow the pattern https://<DREMIO_INSTANCE_ID>.dremio.<STACKIT_REGION>.onstackit.cloud/sso, and the Dremio instance ID is a UUID generated during creation.

If your IdP supports not registering any redirect URLs during client registration, it is recommend to do so, otherwise use a placeholder value. Most IdPs allow users to register new redirect URLs after the initial registration of the client.

Creating a Dremio instance

To order a Dremio instance, navigate to the Dremio section in the STACKIT Portal and click on Create Dremio.

You will be directed to the Dremio creation wizard, where you can provide the details about your Dremio instances.

For the sake of this guide, select the following:

• For Instance name, select the name of the instance you would like to use.
• Optionally add a description to the Description field.
• For Identity provider type, select OAuth.
• For Authority URL, specify the location of the OpenID discovery document. For example, Google’s location is https://accounts.google.com/.well-known/openid-configuration, so the Authority URL would be https://accounts.google.com.
• Add the Client ID and Client Secret generated by the IdP upon client registration to their respective fields.

Dremio maps the IdP account’s email address to the name of the internal Dremio user created after first login. If you would like to change this behavior, specify the name of the field you want mapped in the Jwt claims user name field.

Once you have finished adding the required details, click on Order fee-based.

As soon as the instance creation starts, you should have access to the instance ID, which can be used to register the correct redirect URL in the IdP. The URL follows the pattern https://<DREMIO_INSTANCE_ID>.dremio.<STACKIT_REGION>.onstackit.cloud/sso.

For more details about the how to configure OIDC authentication for Dremio, refer to the official OpenID Identity Providers documentation.

Login to Dremio with SSO

In order to access the Dremio Console go to the Overview section, and follow the Go to Dremio link, under the General information section. You should see the option to login with SSO, clicking on it should take you to your IdP’s login page.