Set up single sign-on for your Databricks account console (E2)

Preview

This feature is in Public Preview.

Single sign-on (SSO) enables your Databricks account admins to authenticate to the account console using your organization’s identity provider. The account console is where you administer your Databricks account-level configurations, including workspace creation, delegated AWS access credentials, AWS storage configurations, and optional customer-managed VPCs.

Unlike SSO for workspace users, which uses SAML 2.0, account console SSO uses the OpenID Connect protocol. If your identity provider supports OpenID Connect, you can use Databricks SSO to integrate with your identity provider.

Once you have enabled SSO for account admins, all account admins are required to use SSO to log in to the account console. Only the account owner can log in using their username (email address) and password.

Note

To use the account console that supports account-level SSO, your account must be on the E2 version of the Databricks platform. All new Databricks accounts and most existing accounts are now E2. If you are unsure which account type you have, contact your Databricks representative.

Enable single sign-on authentication

  1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

  2. On the Single sign-on tab, make note of the Databricks Redirect URI value.

  3. Go to your identity provider and create a new client application (web), entering the Databricks Redirect URI value in the appropriate field in the identity provider configuration interface.

    Your identity provider should have documentation to guide you through this process.

  4. Copy the client ID, client secret, and OpenID issuer URL generated by the identity provider for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider. This is sometimes referred to as the Application ID.
    • Client secret is a secret or password generated for the Databricks application that you created. Databricks presents it to your identity provider to authenticate as that application, so treat it as a credential and never share or log it.
    • OpenID issuer URL is the URL at which your identity provider’s OpenID Configuration Document can be found. That document must be served at {issuer-url}/.well-known/openid-configuration, and the issuer value inside it must be identical to the URL you enter here.
  5. Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

  6. Click Enable SSO.

Now all account admins must use SSO to log in to the Databricks account console. Before relying on it, confirm that an account admin can complete a login through the identity provider: if SSO is misconfigured, only the account owner can still sign in with a username and password.
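The following pre-flight check, added here as an example and not part of the Databricks documentation or product, shows what to verify before clicking Enable SSO: that the OpenID issuer URL resolves to a discovery document at {issuer-url}/.well-known/openid-configuration whose published issuer matches the URL you will enter, that its endpoints use HTTPS, that it supports the authorization code flow (an assumption for a web client configured with a client secret and redirect URI) and RS256 ID-token signing, and that the redirect URI registered at the identity provider matches the Databricks Redirect URI exactly. All hostnames, URLs and discovery documents below are constructed placeholders; take the real redirect URI from the Single sign-on tab.

```python
"""Pre-flight checks for the values entered on the Single sign-on tab.

Added example, not Databricks code. It checks, offline, that an OpenID
issuer URL and its discovery document are usable and that the redirect
URI registered at the identity provider matches the Databricks Redirect
URI exactly. Fetching the live document is optional and uses only the
standard library.
"""
import json
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Metadata fields OpenID Connect Discovery requires every provider to publish.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url(issuer_url: str) -> str:
    """Location of the configuration document: {issuer-url}/.well-known/openid-configuration."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery_document(issuer_url: str, document: dict) -> list:
    """Return a list of problems with the issuer URL and document; empty means usable."""
    problems = []
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https":
        problems.append("issuer URL must use https")
    if parsed.query or parsed.fragment:
        problems.append("issuer URL must not contain a query or fragment")
    for field in REQUIRED_FIELDS:
        if field not in document:
            problems.append(f"missing required field: {field}")
    if problems:
        return problems  # later checks would only produce noise

    # Discovery requires the published issuer to be identical to the URL used;
    # a mismatch means every ID token fails its iss check after login.
    if document["issuer"].rstrip("/") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: document says {document['issuer']!r}")

    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(document[endpoint]).scheme != "https":
            problems.append(f"{endpoint} is not https: {document[endpoint]}")

    # Assumption: a web client configured with a client secret and a redirect
    # URI uses the authorization code flow, so response_type "code" is needed.
    if "code" not in document["response_types_supported"]:
        problems.append("provider does not support the authorization code flow (response_type=code)")

    # RS256 is mandatory-to-implement for OpenID providers; a provider that
    # offers only symmetric or unsigned algorithms is misconfigured.
    algs = document["id_token_signing_alg_values_supported"]
    if "RS256" not in algs:
        problems.append(f"RS256 not offered for ID token signing: {algs}")
    return problems


def redirect_uri_problem(registered: str, databricks_redirect_uri: str) -> Optional[str]:
    """OAuth 2.0 compares redirect URIs by exact string match; name the usual mismatches."""
    if registered == databricks_redirect_uri:
        return None
    if registered.rstrip("/") == databricks_redirect_uri.rstrip("/"):
        return "trailing slash differs"
    if urlparse(registered).scheme != urlparse(databricks_redirect_uri).scheme:
        return "scheme differs (http vs https)"
    return "redirect URI does not match"


def fetch_discovery_document(issuer_url: str, timeout: float = 10.0) -> dict:
    """Fetch the live document over the network (not used by the offline demo)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample documents; no real identity provider is represented.
GOOD_DOC = {
    "issuer": "https://login.example.com/oidc",
    "authorization_endpoint": "https://login.example.com/oidc/authorize",
    "token_endpoint": "https://login.example.com/oidc/token",
    "jwks_uri": "https://login.example.com/oidc/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD_DOC = {
    "issuer": "https://login.example.com/",  # does not match the configured issuer
    "authorization_endpoint": "https://login.example.com/oidc/authorize",
    "token_endpoint": "http://login.example.com/oidc/token",  # plaintext endpoint
    "jwks_uri": "https://login.example.com/oidc/keys",
    "response_types_supported": ["id_token"],  # implicit flow only
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],
}

if __name__ == "__main__":
    issuer = "https://login.example.com/oidc"
    print(discovery_url(issuer))
    print("good:", validate_discovery_document(issuer, GOOD_DOC))
    print("bad:", validate_discovery_document(issuer, BAD_DOC))
    print(redirect_uri_problem("https://accounts.example/oidc/callback/",
                               "https://accounts.example/oidc/callback"))
```

Run it against your own provider by replacing the constructed documents with the result of fetch_discovery_document(issuer) and the placeholder redirect URI with the value shown on the Single sign-on tab; an empty problem list and a None redirect result mean the values are safe to enter.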
