Set up SSO for your Databricks account console
Use single sign-on (SSO) to authenticate to the account console using your organization’s identity provider. The account console is where you administer your Databricks account-level configurations, including workspace creation, delegated AWS access credentials, AWS storage configurations, and optional customer-managed VPCs.
Unlike SSO for workspace users, which requires SAML 2.0, account console SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols. If your IdP supports both OIDC and SAML 2.0, Databricks recommends that you use OIDC for account console authentication.
Once you have enabled SSO for the account, all users are required to use SSO to log in to the account console. Only the account owner can log in using their username (email address) and password.
The behavior of the account console with SSO authentication varies on whether the user has the admin
role in the Databricks account.
With the
admin
role, the user can access the account admin features of the account console such as creating and modifying workspaces and workspace resources.Without the
admin
role, the user is limited to non-admin actions such as viewing a list of workspaces that they can log into, and links to access those workspaces.
Workspaces do not inherit account-level authentication settings. Workspace users must continue to authenticate to the workspace using each workspace’s workspace-level authentication settings, even if workspace-level SSO is configured for one or more workspaces in the account.
Note
To use account-level SSO, your account must be on the E2 version of the Databricks platform. All new Databricks accounts and most existing accounts are now E2. If you are unsure which account type you have, contact your Databricks representative.
Account console SSO application examples
You can read the instructions on how to configure SSO to the following identity providers:
The process is similar for any identity provider that supports OIDC or SAML 2.0. If your identity provider is not listed above, follow the instructions below for OIDC or SAML. Databricks recommends that you use OIDC for account console authentication.
Enable account single sign-on authentication using OIDC
Warning
To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window.
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Single sign-on tab.
From the drop-down at the top of this tab, select OpenID Connect.
On the Single sign-on tab, make note of the Databricks Redirect URI value.
Go to your identity provider and create a new client application (web), entering the Databricks Redirect URI value in the appropriate field in the identity provider configuration interface.
Your identity provider should have documentation to guide you through this process.
Copy the client ID, client secret, and OpenID issuer URL generated by the identity provider for the application.
Client ID is the unique identifier for the Databricks application you created in your identity provider. This is sometimes referred to as the Application ID.
Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.
OpenID issuer URL is the URL at which your identity-provider’s OpenID Configuration Document can be found. That OpenID Configuration Document must found be in
{issuer-url}/.well-known/openid-configuration
.
For examples, see Account console SSO application examples.
Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.
Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.
Test account console login with SSO. Test with a user ID other than account owner.
Enable account single sign-on authentication using SAML
The following instructions describe how to use SAML 2.0 to authenticate account console users other than the account owner. If your IdP supports both OIDC and SAML 2.0, Databricks recommends that you use OIDC for account console authentication.
Warning
To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window.
View the account console SSO page and copy the SAML URL:
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Single sign-on tab.
From the drop-down at the top of this tab, select SAML 2.0.
Copy the value in the Databricks SAML URL field. You will need the Databricks SAML URL for a later step.
In another browser window or tab, create a Databricks application in your identity provider:
Go to your identity provider (IdP).
Create a new client application (web):
Use your identity provider’s documentation as needed.
For the SAML URL field (which might be called a redirect URL), use the Databricks SAML URL that you copied from the Databricks page.
Copy the following objects and fields from your new Databricks application:
The x.509 certificate: A digital certificate provided by your Identity Provider for securing communications between Databricks and the Identity Provider
The single-sign-on (SSO) URL for your identity provider. This is the URL that initiates single sign-on with your identity provider. This is also sometimes referred to as the SAML endpoint.
The identity provider issuer: This is the unique identifier for your SAML identity provider. This is sometimes referred to as the Entity ID or Issuer URL.
For examples, see Account console SSO application examples.
Set your Databricks account to use your identity provider:
Return to the browser tab or window with the the Databricks account console SSO page.
Type or paste the following fields from your identity provider’s Databricks application: the single sign-on URL, the identity provider entity ID, and the x.509 Certificate.
Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.
Test account console login with SSO. Test with a user ID other than account owner.