SSO to your Databricks console with Azure Active Directory

This article shows how to configure Azure Active Directory (Azure AD) as the identity provider for single sign-on (SSO) in your Databricks account. Azure Active Directory supports both OpenID Connect (OIDC) and SAML 2.0; Databricks recommends that you use OIDC for account console authentication.

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window.

Enable account single sign-on authentication using OIDC

  1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. From the drop-down at the top of this tab, select OpenID Connect.

  4. On the Single sign-on tab, make note of the Databricks Redirect URI value.

    Screenshot: Single sign-on tab when first opened
  5. In another browser tab, create an Azure Active Directory application:

    1. Log in to Azure portal as an administrator.

    2. In the Azure services pane, click Azure Active Directory, and in the left pane, click App registrations.

    3. Click New registration.

    4. Enter a name.

    5. Under Supported account types choose: Accounts in this organizational directory only.

    6. Under Redirect URI, choose web and paste the Databricks Redirect URI value.

    7. Click Register.

  6. Gather the required information from the Azure Active Directory application:

    1. Under Essentials, copy the Application (client) ID.

    2. Click Endpoints.

    3. Copy the URL under OpenID Connect metadata document.

    4. In the left pane, click Certificates & secrets.

    5. Click + New client secret.

    6. Enter a description and choose an expiration.

    7. Click Add.

    8. Copy the secret value.

  7. Return to the Databricks account console Single sign-on tab and enter the values you copied from the identity provider application into the Client ID, Client secret, and OpenID issuer URL fields. For the OpenID issuer URL, remove the /.well-known/openid-configuration ending from the metadata document URL.

    Screenshot: Single sign-on tab when all values have been entered
  8. Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.

  9. Test account console login with SSO. Test with a user ID other than account owner.

    Screenshot: Single sign-on tab
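The OpenID issuer URL entered in step 7 is the metadata document URL with its /.well-known/openid-configuration suffix removed, and OpenID Connect Discovery requires the `issuer` value inside that document to be exactly that URL. The following added example (not part of the Databricks or Azure documentation) derives the issuer from the copied metadata URL and checks it against the discovery document before the value is pasted into the account console. The tenant ID and the discovery JSON are constructed placeholders; `fetch_metadata` is only called from the `__main__` block so the checks run offline.

```python
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: all-zero tenant ID, not a real tenant.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA_URL = (
    f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0{WELL_KNOWN}"
)
# Constructed discovery document with the fields the check inspects.
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
})


def issuer_from_metadata_url(metadata_url: str) -> str:
    """Strip the well-known suffix: this is the OpenID issuer URL for the SSO form."""
    parts = urlsplit(metadata_url.strip())
    if parts.scheme != "https":
        raise ValueError("OIDC metadata URL must use https")
    if not parts.path.endswith(WELL_KNOWN):
        raise ValueError(f"URL does not end with {WELL_KNOWN}: {metadata_url}")
    path = parts.path[: -len(WELL_KNOWN)]
    # Drop any query string or fragment; the issuer is scheme + host + path only.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_issuer(metadata_url: str, metadata_json: str) -> str:
    """Verify the discovery document's issuer equals the derived issuer (exact match,
    as OpenID Connect Discovery requires) and that the endpoints Databricks will need
    are present. Returns the issuer URL to paste into the account console."""
    derived = issuer_from_metadata_url(metadata_url)
    doc = json.loads(metadata_json)
    issuer = doc.get("issuer")
    if issuer is None:
        raise ValueError("discovery document has no 'issuer' field")
    if issuer != derived:
        raise ValueError(f"issuer mismatch: document says {issuer!r}, URL implies {derived!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document is missing {key!r}")
    return derived


def fetch_metadata(metadata_url: str) -> str:
    """Download the live discovery document (network access; not used by the offline checks)."""
    with urllib.request.urlopen(metadata_url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print("OpenID issuer URL:", check_issuer(SAMPLE_METADATA_URL, SAMPLE_METADATA))
    # Against your own tenant, replace SAMPLE_METADATA_URL with the URL copied from
    # the Endpoints blade:  check_issuer(url, fetch_metadata(url))
```

If the comparison fails, the metadata URL copied from the portal is not the one the issuer in the document describes (for example, the v1.0 endpoint's document carries a `https://sts.windows.net/{tenant}/` issuer rather than a `login.microsoftonline.com` one), and the value should not be entered until the two agree.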

Enable account single sign-on authentication using SAML

Follow these steps to create a non-gallery Azure portal SAML application for use with Databricks account console.

Note

Databricks recommends that you use OIDC for account console authentication.

  1. To get the Databricks SAML URL as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In another browser tab, create an Azure Active Directory application:

    1. Log in to Azure portal as an administrator.

    2. In the Azure services pane, click Azure Active Directory, and in the left pane, click Enterprise applications. The All applications pane opens and displays a random sample of the applications in your Azure Active Directory tenant.

    3. Click New application.

    4. Click Create your own application.

    5. Enter a name.

    6. Under What are you looking to do with your application? choose Integrate any other application you don’t find in the gallery.

  3. Configure the Azure Active Directory application:

    1. In the application’s properties pane, click 1. Assign users and groups. Select users and groups to grant them access to this SAML application. Users must have access to this SAML application to log into your Databricks workspace using SSO.

    2. In the application’s properties pane, click 2. Set up single sign on.

    3. Click SAML to configure the application for SAML authentication. The SAML properties pane appears.

    4. Next to Basic SAML configuration, click Edit.

    5. Set Entity ID to the Databricks SAML URL you got from the Databricks SSO configuration page.

    6. Set Reply URL to the Databricks SAML URL you got from the Databricks SSO configuration page.

    7. Next to SAML Signing Certificate, click Edit.

    8. In the Signing Option drop-down list, select Sign SAML response and assertion.

    9. Next to Certificate (Base64), click Download. The certificate is downloaded locally as a file with .cer extension.

    10. Open the .cer file in a text editor and copy the file contents. The file is the entire x.509 certificate for the Azure Active Directory SAML application.

      Important

      • Do not open it using the macOS keychain, which is the default application for that file type in macOS.

      • The certificate is sensitive data. Use caution about where to download it. Delete it from local storage as soon as possible.

    11. In the Azure portal, under Set up Azure AD SAML Toolkit, copy and save the Login URL and Azure Active Directory Identifier.

  4. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the Azure Active Directory field that was called Login URL.

    4. Set Identity Provider Entity ID to the Azure Active Directory field that was called Azure Active Directory Identifier.

    5. Set x.509 Certificate to the Azure Active Directory x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.
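Steps 3.9 through 3.10 and 4.5 above require the downloaded Base64 .cer file to be pasted into the x.509 Certificate field as a single PEM block, markers included. The following added example (not from the Databricks or Azure documentation) normalizes the file's contents before pasting: it accepts the Base64 (PEM) download, tolerates Windows line endings and a UTF-8 BOM left by a text editor, rejects files that contain zero or several certificate blocks or a body that is not valid base64, and, as an assumption for the case where the raw (DER) download was taken instead, wraps a binary DER file in markers. The certificate bytes used in the test are a constructed five-byte ASN.1 placeholder, not a real certificate; the SHA-1 thumbprint helper is there to compare against the thumbprint shown in the portal, which this example assumes is a SHA-1 over the DER bytes.

```python
import base64
import binascii
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def to_pem(raw: bytes) -> str:
    """Return exactly one PEM certificate block, 64-column body, BEGIN/END markers.

    raw is the content of the .cer file. A PEM (Base64) download is validated and
    re-wrapped; a DER download is detected by its leading ASN.1 SEQUENCE tag
    (0x30, an assumption that holds for any X.509 certificate) and wrapped.
    """
    if raw[:1] == b"\x30" and b"-----BEGIN" not in raw:
        der = raw
    else:
        # utf-8-sig strips a BOM; a binary blob that is not DER fails to decode here.
        try:
            text = raw.decode("utf-8-sig")
        except UnicodeDecodeError as exc:
            raise ValueError("file is neither PEM text nor DER") from exc
        blocks = _PEM_BLOCK.findall(text)
        if len(blocks) != 1:
            raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
        body = re.sub(r"\s+", "", blocks[0])  # tolerate CRLF and stray whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if der[:1] != b"\x30":
            raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def der_bytes(pem: str) -> bytes:
    """Decode a normalized PEM block back to DER."""
    return base64.b64decode(re.sub(r"\s+", "", _PEM_BLOCK.search(pem).group(1)))


def sha1_thumbprint(pem: str) -> str:
    """Uppercase hex SHA-1 of the DER bytes (assumed to match the portal's thumbprint)."""
    return hashlib.sha1(der_bytes(pem)).hexdigest().upper()


# Constructed placeholder: DER for SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DER
    pem = to_pem(data)
    print(pem, end="")
    print("SHA-1 thumbprint:", sha1_thumbprint(pem))
```

Run it with the path to the downloaded .cer file and paste its output, markers included, into the x.509 Certificate field; because the function reads the file as bytes, it never hands the file to the macOS keychain or any other viewer, and the file can be deleted immediately afterwards as the Important note advises.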