Configure SSO in Databricks

This article gives you an overview of using single sign-on (SSO) to authenticate to the account console and Databricks workspaces. To sync users and groups from your identity provider, see Sync users and groups from your identity provider using SCIM. To allow users to log in to Databricks with emails or common external accounts, such as Google or Microsoft, see Sign-in with email or external accounts.

For information on legacy workspace-level SSO, see Set up SSO for your workspace (legacy).

Overview of SSO setup

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

For most accounts, unified login is enabled by default. This means that a single SSO configuration is used across your account and all Databricks workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is automatically enabled for all workspaces and cannot be disabled.

Accounts created before June 21, 2023 that had previously configured SSO at the workspace-level don't have unified login enabled by default. Account admins can enable unified login for all workspaces or specific workspaces. Databricks recommends using unified login across all workspaces for a streamlined and consistent authentication experience. For more information, see Enable unified login.

When account-level SSO is enabled, all users, including admins, must sign in to the Databricks account and unified-login-enabled workspaces using single sign-on. To prevent lockouts, account admins can set up emergency access for up to twenty users. Users who have been selected for emergency access can use a username and password and a security key to log in. See Emergency access to prevent lockouts.

After enabling SSO, you must add users to Databricks in order for them to log in. Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. See Sync users and groups from your identity provider using SCIM.

You can configure just-in-time (JIT) provisioning to automatically create new user accounts from your identity provider upon their first login. See Automatically provision users (JIT).

You can read the generic instructions on how to configure SSO with OIDC or SAML or specific instructions for different identity providers:

• Configure SSO using OIDC
• Configure SSO using SAML
• SSO to Databricks with Microsoft Entra ID
• SSO to Databricks with Okta
• SSO to Databricks with OneLogin
• SSO to Databricks with AWS IAM Identity Center
• SSO to Databricks with Keycloak
• SSO to Databricks with JumpCloud

The following demos walk you through configuring SSO with Okta:

• Secure Your Databricks Access with OIDC SSO
• Secure Your Databricks Access with SAML SSO

For troubleshooting errors with SSO, see:

• Troubleshooting OIDC SSO
• Troubleshooting SAML SSO