Set up single sign-on for your Databricks account console

Single sign-on (SSO) enables your Databricks account admins to authenticate to the account console using your organization’s identity provider. The account console is where you administer your Databricks account-level configurations, including workspace creation, delegated AWS access credentials, AWS storage configurations, and optional customer-managed VPCs.

Unlike SSO for workspace users, which requires SAML 2.0, account console SSO supports using either SAML 2.0 (Public Preview) or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols. If your IdP supports both OIDC and SAML 2.0, Databricks recommends that you use OIDC for account console authentication.

Once SSO is enabled, all account admins must use SSO to log in to the account console. Only the account owner can still log in with a username (email address) and password; this is the fallback if the identity provider configuration breaks, so keep the account owner's password login tightly controlled.

The behavior of the account console with SSO authentication depends on whether the user has the admin role in the identity provider response.

  • With the admin role, the user can access the admin features of the account console such as creating and modifying workspaces and workspace resources.

  • Without the admin role, the user is limited to non-admin actions such as viewing a list of workspaces that they can log into and links to access those workspaces.

Workspaces do not inherit account-level authentication settings. Workspace users must continue to authenticate to the workspace using each workspace’s workspace-level authentication settings, even if workspace-level SSO is configured for one or more workspaces in the account.

Note

To use account-level SSO, your account must be on the E2 version of the Databricks platform. All new Databricks accounts and most existing accounts are now E2. If you are unsure which account type you have, contact your Databricks representative.

Enable account single sign-on authentication using OIDC

  1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. From the drop-down at the top of this tab, select OpenID Connect.

  4. On the Single sign-on tab, make note of the Databricks Redirect URI value.

  5. Go to your identity provider and create a new client application (web), entering the Databricks Redirect URI value in the appropriate field in the identity provider configuration interface.

    Your identity provider should have documentation to guide you through this process.

  6. Copy the client ID, client secret, and OpenID issuer URL generated by the identity provider for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider. This is sometimes referred to as the Application ID.

    • Client secret is a secret or password generated for the Databricks application that you created. Databricks presents it to your identity provider to authenticate as that application, so treat it like any other credential.

    • OpenID issuer URL is the URL at which your identity provider’s OpenID Configuration Document can be found. That OpenID Configuration Document must be found at {issuer-url}/.well-known/openid-configuration, so enter the issuer exactly as the identity provider advertises it.

  7. Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

  8. Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.

  9. Test account console login with SSO using a user other than the account owner. The account owner’s password login bypasses SSO, so it does not exercise the new configuration.

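A pre-flight check for the OpenID issuer URL from step 6, written as an added example for this page (it is not Databricks code or part of the original procedure). The issuer `https://idp.example.com` and the discovery document are constructed for illustration; against a real identity provider you would fetch `discovery_url(issuer)` over HTTPS and pass the response body to `validate_discovery()`. The check catches the most common cause of a broken OIDC setup: an issuer value that does not match the `issuer` claim the identity provider publishes (typically a trailing-slash difference), plus missing endpoints and non-TLS URLs.

```python
"""Pre-flight check for the OpenID issuer URL entered in the account console.

Added example, not Databricks code. SAMPLE_ISSUER and SAMPLE_DOCUMENT are
constructed for illustration (hypothetical identity provider).
"""
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Endpoints the authorization-code flow needs. Databricks acts as a
# confidential web client, so all of them must be present.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Return {issuer}/.well-known/openid-configuration, tolerating a trailing
    slash on the issuer and rejecting anything that is not a plain https URL."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer must be an https URL: {issuer!r}")
    if parsed.query or parsed.fragment:
        raise ValueError("issuer must not carry a query string or fragment")
    return issuer.rstrip("/") + DISCOVERY_PATH


def validate_discovery(issuer: str, document: str) -> list:
    """Return the problems found in a discovery document (empty list = OK)."""
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not JSON: {exc}"]

    problems = [f"missing {field}" for field in REQUIRED_FIELDS if field not in doc]

    # OIDC Discovery requires the 'issuer' claim in the document to be
    # byte-identical to the issuer you configure. A trailing-slash mismatch
    # is the classic cause of "invalid issuer" failures at login time.
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}"
        )

    # Authorization codes, tokens and signing keys must only travel over TLS.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field, "")
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not https: {value!r}")

    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("IdP does not advertise the authorization code flow")
    return problems


# Constructed sample, shaped like a real discovery document (hypothetical IdP).
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
})

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(validate_discovery(SAMPLE_ISSUER, SAMPLE_DOCUMENT) or "discovery document OK")
    # The same document checked against the issuer written with a trailing slash:
    print(validate_discovery(SAMPLE_ISSUER + "/", SAMPLE_DOCUMENT))
```

Run the issuer you intend to paste into the console through `validate_discovery()` first; if the only problem reported is an issuer mismatch, copy the `issuer` value from the document verbatim rather than the URL you typed.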

Enable account single sign-on authentication using SAML (Public Preview)

Preview

This feature is in Public Preview.

The following instructions describe how to use SAML 2.0 to authenticate account console users other than the account owner. If your IdP supports both OIDC and SAML 2.0, Databricks recommends that you use OIDC for account console authentication.

  1. View the account console SSO page and copy the SAML URL:

    1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

    2. Click the Single sign-on tab.

    3. From the drop-down at the top of this tab, select SAML 2.0.

    4. Copy the value in the Databricks SAML URL field. You will need the Databricks SAML URL for a later step.

  2. In another browser window or tab, create a Databricks application in your identity provider:

    1. Go to your identity provider (IdP).

    2. Create a new client application (web):

      • Use your identity provider’s documentation as needed.

      • For the SAML URL field (which might be called the ACS URL, reply URL, or redirect URL), use the Databricks SAML URL that you copied from the Databricks page.

    3. Copy the following objects and fields from your new Databricks application:

      • The x.509 certificate: the identity provider’s signing certificate. Databricks uses it to verify the signature on the SAML responses your identity provider sends.

      • The single-sign-on (SSO) URL for your identity provider. This is the URL that initiates single sign-on with your identity provider. This is also sometimes referred to as the SAML endpoint.

      • The identity provider issuer: This is the unique identifier for your SAML identity provider. This is sometimes referred to as the Entity ID or Issuer URL.

    For examples, see Account console SAML application examples.

  3. Set your Databricks account to use your identity provider:

    1. Return to the browser tab or window with the Databricks account console SSO page.

    2. Type or paste the following fields from your identity provider’s Databricks application: the single sign-on URL, the identity provider entity ID, and the x.509 Certificate.

    3. Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.

    4. Test account console login with SSO using a user other than the account owner. The account owner’s password login bypasses SSO, so it does not exercise the new configuration.

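The x.509 certificate step above (and the same step in each identity provider example that follows) requires the certificate in PEM form, including the beginning and ending markers. Identity providers hand it out in different shapes: a bare base64 blob in a web form, or a downloaded .cer file with markers and Windows line endings. The following added example (not Databricks code, not part of the original page) normalizes either form into canonical PEM and refuses anything that is not a single certificate, such as a private key pasted by mistake. `SAMPLE_DER` is a constructed ASN.1 placeholder, not a real certificate; it exists only so the example runs offline.

```python
"""Normalize an identity provider's signing certificate into the PEM form the
account console's x.509 Certificate field expects.

Added example, not Databricks code. SAMPLE_DER is a constructed DER
placeholder (a SEQUENCE of dummy INTEGERs), not a real certificate.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_certificate(text: str) -> bytes:
    """Accept a certificate as bare base64 (as some IdP consoles show it) or
    as PEM with markers (as in a downloaded .cer file) and return the DER
    bytes. Raises ValueError on anything that is not one CERTIFICATE block."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    n_begin, n_end = lines.count(BEGIN), lines.count(END)
    if n_begin != n_end or n_begin > 1:
        raise ValueError("expected at most one BEGIN/END CERTIFICATE pair")
    body_lines = [l for l in lines if l not in (BEGIN, END)]
    # Any other '-----' marker means the wrong object was pasted: a private
    # key, a CSR or a second certificate must never go into this field.
    if any(l.startswith("-----") for l in body_lines):
        raise ValueError("only a single CERTIFICATE block is accepted")
    body = "".join(body_lines)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def normalize_certificate(text: str) -> str:
    """Return canonical PEM (markers plus 64-character lines) for pasting
    into the account console."""
    body = base64.b64encode(parse_certificate(text)).decode("ascii")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END])


# Constructed placeholder: SEQUENCE (0x30) of length 60 holding INTEGER 1 x20.
SAMPLE_DER = b"\x30\x3c" + b"\x02\x01\x01" * 20
SAMPLE_BARE = base64.b64encode(SAMPLE_DER).decode("ascii")
# The same bytes as they would arrive from a .cer file opened in a Windows
# text editor: markers and CRLF line endings.
SAMPLE_PEM = "\r\n".join([BEGIN, SAMPLE_BARE[:64], SAMPLE_BARE[64:], END]) + "\r\n"

if __name__ == "__main__":
    print(normalize_certificate(SAMPLE_BARE))
    assert normalize_certificate(SAMPLE_BARE) == normalize_certificate(SAMPLE_PEM)
```

The structural checks here only confirm that what you paste is a single DER certificate in valid base64; they do not validate the certificate's contents. After enabling SSO, the login test with a non-owner user is what proves the certificate actually matches the key the identity provider signs with.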

Account console SAML application examples

Configure account console SAML authentication with OneLogin

Follow these steps to create a OneLogin SAML application for use with Databricks account console.

  1. To get the Databricks SAML URL, as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In a new browser tab, log in to OneLogin.

  3. Click Administration.

  4. Click Applications.

  5. Click Add App.

  6. Search for SAML Custom Connector (Advanced) and click the result by OneLogin, Inc.

  7. Set Display Name to Databricks.

  8. Click Save. The application’s Info tab loads.

  9. Click Configuration.

  10. In Gather required information, set each of the following fields to the Databricks SAML URL:

    • Audience

    • Recipient

    • ACS (Consumer) URL Validator. OneLogin evaluates this field as a regular expression, so escape the dots and anchor it with ^ and $ so that it matches only the Databricks SAML URL and not a lookalike host.

    • ACS (Consumer) URL

    • Single Logout URL

    • Login URL

  11. Set SAML signature element to Both.

  12. Click Parameters.

  13. Set Credentials are to Configured by admins and shared by all users.

  14. Click Email. Set the value to email and enable Include in SAML Assertion.

  15. Click the SSO tab.

  16. Copy the following values:

    • x.509 certificate

    • Issuer URL

    • SAML 2.0 endpoint (HTTP)

  17. Verify that SAML signature element is set to Response or Both.

  18. Verify that Encrypt assertion is disabled.

  19. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML (Public Preview) for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the OneLogin SAML 2.0 endpoint.

    4. Set Identity Provider Entity ID to the OneLogin Issuer URL.

    5. Set x.509 Certificate to the OneLogin x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.
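The ACS (Consumer) URL Validator field in the OneLogin steps above is evaluated as a regular expression. The following added example (not OneLogin or Databricks code) shows why pasting the raw URL is weaker than it looks: every `.` in it is a wildcard, so the validator also accepts a lookalike host. `SAMPLE_SAML_URL` is a constructed placeholder and does not show the real format of a Databricks SAML URL; substitute the value copied from the account console.

```python
"""Build a safe value for OneLogin's "ACS (Consumer) URL Validator" field.

Added example, not OneLogin or Databricks code. SAMPLE_SAML_URL is a
constructed placeholder, not a real Databricks SAML URL.
"""
import re

SAMPLE_SAML_URL = "https://accounts.cloud.example.test/sso/saml/consume/EXAMPLE-ID"


def acs_url_validator(saml_url: str) -> str:
    """Regex that matches exactly the Databricks SAML URL and nothing else:
    special characters are escaped and the pattern is anchored at both ends."""
    return "^" + re.escape(saml_url) + "$"


def validator_accepts(validator: str, candidate: str) -> bool:
    """Simulate OneLogin applying the validator regex to an ACS URL."""
    return re.search(validator, candidate) is not None


# Constructed lookalike: one '.' in the host replaced by another character.
LOOKALIKE = SAMPLE_SAML_URL.replace("example.test", "exampleXtest")

if __name__ == "__main__":
    raw, safe = SAMPLE_SAML_URL, acs_url_validator(SAMPLE_SAML_URL)
    # Weak setting: the raw URL used as a regex.
    print("raw URL accepts lookalike:        ", validator_accepts(raw, LOOKALIKE))        # True
    # Corrected setting: escaped and anchored.
    print("escaped+anchored accepts lookalike:", validator_accepts(safe, LOOKALIKE))       # False
    print("escaped+anchored accepts real URL: ", validator_accepts(safe, SAMPLE_SAML_URL)) # True
    print(safe)
```

Paste the output of `acs_url_validator()` into the validator field; the other five fields in that step still take the plain Databricks SAML URL.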

Configure account console SAML authentication with Azure Active Directory

Follow these steps to create a non-gallery Azure portal SAML application for use with Databricks account console.

  1. To get the Databricks SAML URL, as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In another browser tab, create an Azure portal application:

    1. Log in to Azure portal as an administrator.

    2. In the Azure services pane, click Enterprise applications. The All applications pane opens and displays a random sample of the applications in your Azure Active Directory tenant.

    3. In the Enterprise applications pane, click New application.

    4. The Browse Azure Active Directory Gallery pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications.

    5. Click Create your own application.

    6. Enter a name for the application.

    7. Under What are you looking to do with your application? choose Integrate any other application you don’t find in the gallery, then click Create.

  3. Configure the Azure portal application:

    1. In the application’s properties pane, click Users and groups. Assign the users and groups that should be able to log in. A user who is not assigned to this SAML application cannot log in to the Databricks account console using SSO.

    2. In the application’s properties pane, click Single sign on.

    3. Click SAML to configure the application for SAML authentication. The SAML properties pane appears.

    4. Next to Basic SAML configuration, click Edit.

    5. Set Identifier (Entity ID) to the Databricks SAML URL you got from the Databricks SSO configuration page.

    6. Set Reply URL (Assertion Consumer Service URL) to the Databricks SAML URL you got from the Databricks SSO configuration page.

    7. Next to SAML Signing Certificate, click Edit.

    8. In the Signing Option drop-down list, select Sign SAML response and assertion.

    9. Next to Certificate (Base64), click Download. The certificate is downloaded locally as a file with .cer extension.

    10. Open the .cer file in a text editor and copy the file contents. The file is the entire x.509 certificate for the Azure Active Directory SAML application.

      Important

      • Do not open it using the macOS keychain, which is the default application for that file type in macOS.

      • The certificate is sensitive data. Use caution about where to download it. Delete it from local storage as soon as possible.

    11. In the Azure portal, in the Set up section for your application (titled Set up followed by the application name), copy and save the Login URL and Azure Active Directory Identifier.

  4. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML (Public Preview) for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the Azure Active Directory field that was called Login URL.

    4. Set Identity Provider Entity ID to the Azure Active Directory field that was called Azure Active Directory Identifier.

    5. Set x.509 Certificate to the Azure Active Directory x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.

Configure account console SAML authentication with Okta

Follow these steps to create an Okta SAML application for use with Databricks account console.

  1. To get the Databricks SAML URL, as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In a new browser tab, log into Okta as an administrator.

  3. Verify that email addresses for existing Databricks users match exactly with the email addresses in Okta. Note that email addresses in Databricks are case sensitive.

  4. In the home page, click Applications > Applications.

  5. Click Create App Integration.

  6. Select SAML 2.0 and click Next.

  7. Set App name to Databricks SSO and click Next.

  8. Configure the application using the following settings:

    • Single Sign On URL: the Databricks SAML URL you copied in step 1

    • Audience URI (SP Entity ID): the Databricks SAML URL you copied in step 1

    • Name ID Format: EmailAddress

    • Application Username: Email

  9. Click Advanced settings. Ensure that Response is set to Signed (the default). Signing the assertion is optional.

    Important

    Do not modify other advanced settings. For example, assertion encryption must be set to Unencrypted.

  10. Click Hide advanced settings.

  11. Click Next.

  12. Select I’m an Okta customer adding an internal app.

  13. Click Finish. The Databricks SAML app is shown.

  14. Under SAML 2.0 is not configured until you complete the setup instructions, click View Setup Instructions.

  15. Copy the following values:

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • x.509 certificate

  16. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML (Public Preview) for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the Okta field that was called Identity Provider Single Sign-On URL.

    4. Set Identity Provider Entity ID to the Okta field that was called Identity Provider Issuer.

    5. Set x.509 Certificate to the Okta x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.