MicroStrategy ONE

Integrate MicroStrategy with Microsoft Entra ID OIDC Single Sign-On for Dremio

Starting in MicroStrategy ONE (December 2024), you can use the Dremio JDBC driver to implement OIDC Single Sign-On with Microsoft Entra ID.

Prerequisites

To use a JSON Web Token (JWT) issued by an OpenID Connect (OIDC)-conformant authorization server to establish JDBC connections to Dremio, a Dremio JDBC driver is required but is not shipped with MicroStrategy. To utilize this functionality, download the latest version of the Dremio JDBC driver and add it under the %MicroStrategyInstallationPath%\install\JDBC folder.

Configure Your Application in Microsoft Entra ID

  1. Configure a Microsoft Entra ID application for Dremio OAuth so that you can add the additional permission for Dremio.

    For more information, see Quickstart: Register an Application with the Microsoft Identity Platform.

  2. In the left pane of your new application, click Authentication.

  3. In the left pane, click Certificates & secrets under Manage.

  4. In Client secrets, click New client secret.

  5. Enter values in Description and Expires.

  6. Click Add and note the client secret value. You will need this value in future steps.

  7. In the left pane, click Expose an API under Manage.

  8. Click Add a scope.

  9. Type a Scope name.

    The scope name is used in the Dremio OAuth connection.

  10. Type an Admin consent display name and Admin consent description.

  11. Click Save.

  12. In the left pane, click API permissions and click Add a permission.

  13. Click the My APIs tab and select your application.

  14. Select the checkbox next to your custom scope and click Add permissions.

  15. In the left pane, click Authentication.

  16. In Configure platforms, add the client app you use to redirect.

    For example, add Web for MicroStrategy Library and Mobile and desktop applications for MicroStrategy Workstation. Add http://localhost as the sample redirect URI for later use.

Integrate Dremio with Microsoft Entra ID

For more information on enabling OAuth in Dremio, see External Token Providers.

  1. Log in to the Dremio cloud console and go to Organization Settings.

  2. In the left pane, click External Token Providers.

  3. Click Add Provider and type the following IdP details:

    • Name: A unique name for the External Provider.

    • Audience: The claim that identifies the recipient of the JSON Web Token. To find this value:

      1. In Microsoft Entra ID, go to your application.

      2. Under Manage, click Expose an API.

      3. Copy the value in Application ID URI.

    • User Claim Mapping: The claim that corresponds to the username in Dremio. You can use upn.

    • Issuer URL: The claim that identifies the principal that issued the JSON Web Token.

    • JWKS URL: Optional. The URL where the signing key set for the JSON Web Token is located.

    See the following example token generated by Microsoft Entra ID:

  4. Create a Dremio user to map in Microsoft Entra ID.
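
A pre-flight check for the provider fields above, as an added example that is not part of the original page and is not Dremio or MicroStrategy code: it decodes a token's payload without verifying the signature and compares aud, iss and the user claim with the Audience, Issuer URL and User Claim Mapping values entered in Dremio. The tenant and client GUIDs, the user name and the scope name are constructed placeholders.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_against_provider(claims, audience, issuer, user_claim="upn", now=None):
    """Return the mismatches between token claims and the provider fields."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match Audience {audience!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match Issuer URL {issuer!r}")
    if not claims.get(user_claim):
        problems.append(f"user claim {user_claim!r} is missing or empty")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or in the past")
    return problems

# Constructed sample values (placeholders, not taken from a real tenant).
AUDIENCE = "api://00000000-0000-0000-0000-000000000001"  # Application ID URI
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-0000000000aa/"
SAMPLE_CLAIMS = {"aud": AUDIENCE, "iss": ISSUER, "upn": "analyst@example.com",
                 "scp": "dremio.access", "exp": 2000000000}  # hypothetical scope name
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),  # not a real signature
])

if __name__ == "__main__":
    claims = decode_unverified(SAMPLE_TOKEN)
    for line in check_against_provider(claims, AUDIENCE, ISSUER, now=1900000000) or ["ok"]:
        print(line)
```

An empty result means the token's claims line up with the provider entry; it says nothing about signature validity, which Dremio checks against the issuer's signing keys.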

MicroStrategy Configuration

Create a Data Source Using OIDC Single Sign-On Authentication Mode

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Create an IAM object using Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects:

    • Use the Client ID and Client Secret from your Microsoft Entra ID application.

    • For Scope, use the following format: api://<client id>/<scope name>. This value can be found in your Entra ID application under Expose an API.

  4. In the Navigation pane, click next to Data Sources.
  5. Choose Dremio.
  6. Expand the Default Database Connection drop-down list and click Add New Database Connection.

  7. Type a Name.
  8. Expand the Driver drop-down list and choose the com.dremio.jdbc.Driver driver that you manually installed in Prerequisites.

  9. Type a HostName.
  10. In the Basic tab, expand the Authentication Mode drop-down list and choose OIDC Single Sign-On.
  11. Expand the Authentication Service drop-down list and choose the IAM object you created above or, to create a new IAM object, click Add New Authentication Service.
  12. Click Save.
  13. In the Add Data Source dialog, type a Name and Database Version, and optionally choose Projects for further data manipulation.
  14. Click Save.

Create and Map Users to Entra ID

  1. Open the Workstation window.

  2. Connect to an environment.

  3. In the Navigation pane, click Users and Groups.

  4. Click next to All Users.

  5. Type a Full Name, Email Address, Username, and other optional fields.
  6. In the left pane, click Privileges and select the checkbox next to the following privileges:
    • Access data from Databases, Google BigQuery, Big Data, OLAP, BI tools
    • Create and edit database instances and connections
    • Create and edit database logins
    • Create configuration objects
    • Create dataset in Workstation
    • Configure project data source
    • Monitor Database Connections
    • Use Workstation
  7. In the left pane, click Authentication.
  8. In Trusted Authentication Request User ID, type the Entra ID user's email address.

  9. Click Save.

Configure OIDC

For more information, see Enable OIDC Authentication for MicroStrategy Library.

  1. Open Workstation and connect to your environment using standard authentication and administrator credentials.

  2. Right-click your connected environment and choose Configure OIDC under Configure Enterprise Security.

  3. In Step 2: Select an identity provider, choose Azure from the drop-down list.

  4. In Step 3: Azure Configuration, copy the MicroStrategy Library URI and Workstation URI into the mobile and desktop application's sign-in redirect URIs in the Entra ID application you created in Configure Your Application in Microsoft Entra ID.

  5. In Microsoft Entra ID, click Manifest under Manage in the left pane.

  6. Click the Microsoft Graph App Manifest or AAD Graph App Manifest tab and click Download.

  7. In MicroStrategy Workstation, upload the manifest file in Step 4: MicroStrategy Configuration.

  8. Click Save.

  9. Restart the web server.

Single Sign-On with OIDC

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Right-click the environment and choose Environment under Edit.

  4. Select Default OIDC and click Continue.

  5. A browser window opens. Log in using your Microsoft Entra ID credentials.

  6. Use a MicroStrategy Administrator account to assign privileges to the new user.

    You do not need to perform this step if you mapped a MicroStrategy user to an Entra ID account and granted privileges.

  7. In the Navigation pane, click next to Datasets.

  8. Choose a Project and select Data Import Cube.

  9. Click OK.

  10. Choose the data source you created.

    The namespaces and tables display.