Configure SSO in Databricks
This page gives you an overview of using single sign-on (SSO) to authenticate to the account console and Databricks workspaces. To sync users and groups from your identity provider, see Sync users and groups from your identity provider using SCIM.
To allow users to log in to Databricks with emails or common external accounts, such as Google or Microsoft, see Sign-in with email or external accounts.
For information on legacy workspace-level SSO, see Set up SSO for your workspace (legacy).
Overview of SSO setup
SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.
For most accounts, unified login is enabled by default. This means that a single SSO configuration is used across your account and all Databricks workspaces. If your account was created after June 21, 2023, or if you did not configure SSO before December 12, 2024, unified login is automatically enabled for all workspaces and cannot be disabled.
Accounts created before June 21, 2023 that had previously configured SSO at the workspace level don't have unified login enabled by default. Account admins can enable unified login for all workspaces or for specific workspaces. Databricks recommends using unified login across all workspaces for a streamlined and consistent authentication experience. For more information, see Enable unified login.
When account-level SSO is enabled, all users, including admins, must sign in to the Databricks account and unified-login-enabled workspaces using single sign-on. To prevent lockouts, account admins can set up emergency access for up to 20 users. Users who have been selected for emergency access can use a username and password and a security key to log in. See Emergency access to prevent lockouts.
After enabling SSO, Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. See Sync users and groups from your identity provider using SCIM.
You can configure just-in-time (JIT) provisioning to automatically create new user accounts from your identity provider upon their first login. See Automatically provision users (JIT).
You can read the generic instructions for configuring SSO with OIDC or SAML, or the specific instructions for your identity provider:
- Configure SSO using OIDC
- Configure SSO using SAML
- SSO to Databricks with Microsoft Entra ID
- SSO to Databricks with Okta
- SSO to Databricks with OneLogin
- SSO to Databricks with AWS IAM Identity Center
- SSO to Databricks with Keycloak
- SSO to Databricks with JumpCloud
The following demos walk you through configuring SSO with Okta:
Test your SSO configuration
After you complete the SSO setup, test your configuration to make sure users can sign in.
Test SSO from the account console
During SSO setup, use the built-in test to verify your configuration before you enable SSO:
- After you enter your identity provider settings in the Databricks account console, click Save.
- Click Test SSO. Databricks opens a new browser window and attempts to authenticate using your identity provider.
- Complete the sign-in flow in your identity provider.
- Review the test results:
  - If the test succeeds, click Enable SSO to enable single sign-on for your account.
  - If the test fails, review the error message and verify your identity provider settings. See Troubleshooting OIDC SSO or Troubleshooting SAML SSO.
Test account console login
After you enable SSO, verify that users can sign in to the account console:
- Open a new browser window or private/incognito session.
- Go to the account console.
- Enter a test user's email address. Your browser redirects to your identity provider's sign-in page.
- Complete the sign-in flow. After you authenticate, Databricks redirects you to the account console.
- Verify the user identity by clicking the username in the top bar to confirm the correct user is logged in.
Test workspace login
If you have unified login enabled, verify that SSO works for workspace access:
- Open a new browser window or private/incognito session.
- Go to the workspace URL. Your browser redirects to your identity provider's sign-in page.
- Enter a test user's email address and complete the sign-in flow.
- After you authenticate, Databricks redirects you to the workspace.
- Verify the user identity by clicking the username in the top bar of the workspace.
For unified login configuration, see Enable unified login.
Troubleshoot test failures
If SSO testing fails, try the following:
- Check your identity provider settings: Verify that the redirect URL, the client ID and client secret (for OIDC), or the X.509 certificate (for SAML) are correct.
- Verify user access: Make sure the test user is assigned to the Databricks application in your identity provider.
- Review error messages: See Troubleshooting OIDC SSO or Troubleshooting SAML SSO for specific error codes.
- Prevent lockout: Before enabling SSO, configure emergency access for at least one administrator user. See Emergency access to prevent lockouts.
- Use a private browser window: Test in an incognito or private session to prevent cached credentials from interfering with the test.
- Review browser console logs: Open your browser's developer tools to look for redirect or network errors during the sign-in flow.
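The first item in the list above (verifying the OIDC issuer and endpoints, or the SAML X.509 certificate) can be checked offline before you click Test SSO. The following script is an added example, not Databricks code: it validates a copy of the IdP's OIDC discovery document against the issuer you typed into the console and checks that the pasted SAML certificate is a single well-formed PEM block, returning its fingerprint for comparison with what the IdP displays. The issuer URL, endpoint URLs and certificate body below are constructed placeholders.

```python
# Pre-flight checks for the values the troubleshooting list asks you to verify.
# Added example, not Databricks code; all sample values are constructed placeholders.
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed sample of the document an OIDC IdP serves at
# <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})
REQUIRED_OIDC_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_discovery(configured_issuer: str, discovery_json: str) -> list[str]:
    """Return problems found (empty list = looks usable). The issuer typed into the
    console must match the published one byte for byte; a stray trailing slash is
    a common cause of ID token validation failures."""
    doc = json.loads(discovery_json)
    problems = [f"discovery document missing {k}" for k in REQUIRED_OIDC_KEYS if k not in doc]
    published = doc.get("issuer", "")
    if published != configured_issuer:
        hint = " (only a trailing slash differs)" if published.rstrip("/") == configured_issuer.rstrip("/") else ""
        problems.append(f"issuer mismatch{hint}: configured {configured_issuer!r}, IdP publishes {published!r}")
    problems += [f"{k} is not https" for k in REQUIRED_OIDC_KEYS[1:]
                 if k in doc and urlparse(doc[k]).scheme != "https"]
    return problems


def check_saml_certificate(pem: str) -> tuple[list[str], str]:
    """Check that the pasted X.509 PEM is one well-formed certificate block and return
    its SHA-256 fingerprint, to compare with the fingerprint your IdP displays."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if len(blocks) != 1:
        return [f"expected exactly one CERTIFICATE block, found {len(blocks)}"], ""
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return ["certificate body is not valid base64"], ""
    problems = [] if der[:1] == b"\x30" else ["decoded body is not a DER SEQUENCE (wrong file pasted?)"]
    return problems, hashlib.sha256(der).hexdigest()
```

Run the checks against the discovery document downloaded from your IdP and the exact certificate text pasted into the account console; an empty problem list means the values are at least internally consistent before you start the browser-based test.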
For troubleshooting errors with SSO, see: