Configure SSO with Okta for your Databricks account console

This article shows how to configure Okta as the identity provider for single sign-on (SSO) in your Databricks account. Okta supports both OpenID Connect (OIDC) and SAML 2.0; Databricks recommends that you use OIDC for account console authentication.

Enable account single sign-on authentication using OIDC

  1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. From the drop-down at the top of this tab, select OpenID Connect.

  4. On the Single sign-on tab, make note of the Databricks Redirect URI value.

    Single sign-on tab when first opened
  5. In a new browser tab, log into Okta as an administrator.

  6. In the home page, click Applications > Applications.

  7. Click Create App Integration.

  8. Select OIDC - OpenID Connect and Web Application and click Next.

  9. In New Web App Integration, under Sign-in redirect URIs, enter the Databricks Redirect URI from step 4. You can choose to configure the other settings or you can leave them to their default values.

  10. Click Save.

  11. Under the General tab, copy the client ID and client secret generated by Okta for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider.

    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

  12. Under the Sign On tab, in OpenID Connect ID Token, copy the Okta URL in the Issuer field.

    If the Issuer field says Dynamic, click Edit and choose Okta URL (url) in the drop-down.

    This URL is the location of Okta’s OpenID configuration document. That document must be available at {issuer-url}/.well-known/openid-configuration.

  13. Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

    Single sign-on tab when all values have been entered
  14. Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.

  15. Test account console login with SSO, using a user ID other than the account owner.

    Single sign-on tab
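Before pasting the issuer URL into the account console (step 13), it is worth confirming that the discovery document really is served at {issuer-url}/.well-known/openid-configuration and that it advertises what the authorization code flow needs. The following script is an added example, not Databricks or Okta code: it builds the discovery URL from an issuer, validates a discovery document offline, and can optionally fetch the live document. The issuer and document values are constructed placeholders (example.okta.com is not a real org), and the function names are this example's own.

```python
"""Sanity-check an OIDC issuer URL before using it for account console SSO.

Added example (not Databricks or Okta code). The issuer URL and discovery
document below are constructed placeholders; replace them with your own.
"""
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_url: str) -> str:
    """Build the discovery URL; a trailing slash on the issuer is tolerated."""
    return issuer_url.rstrip("/") + DISCOVERY_PATH


def validate_discovery(issuer_url: str, doc: dict) -> list:
    """Return a list of problems found; an empty list means the document looks usable."""
    problems = []
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer URL must use https")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
    # The issuer inside the document must match the one you configure, or ID
    # tokens issued by Okta will carry an 'iss' claim the relying party rejects.
    if "issuer" in doc and doc["issuer"].rstrip("/") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc['issuer']!r}, "
                        f"configured {issuer_url!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key, "")
        if endpoint and not endpoint.startswith("https://"):
            problems.append(f"{key} is not https")
    return problems


def fetch_and_validate(issuer_url: str, timeout: float = 10.0) -> list:
    """Fetch the live discovery document over the network and validate it."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        doc = json.load(resp)
    return validate_discovery(issuer_url, doc)


# Constructed sample shaped like an Okta org authorization server's discovery
# document; these are placeholder values, not real Okta output.
SAMPLE_ISSUER = "https://example.okta.com"
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(validate_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or "discovery document OK")
```

Run `fetch_and_validate("https://<your-org>.okta.com")` against your own issuer to check the live document; an issuer mismatch or a missing `jwks_uri` is the usual sign that the wrong authorization server URL (or a URL with an extra path component) was copied from the Sign On tab.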

Enable account single sign-on authentication using SAML (Public Preview)

Preview

This feature is in Public Preview.

Follow these steps to create an Okta SAML application for use with the Databricks account console.

  1. To get the Databricks SAML URL, as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In a new browser tab, log into Okta as an administrator.

  3. Verify that email addresses for existing Databricks users match exactly with the email addresses in Okta. Note that email addresses in Databricks are case sensitive.

  4. In the home page, click Applications > Applications.

  5. Click Create App Integration.

  6. Select SAML 2.0 and click Next.

  7. Set App name to Databricks SSO and click Next.

  8. Configure the application using the following settings:

    • Single Sign On URL: the Databricks SAML URL that you copied in step 1

    • Audience URI: the Databricks SAML URL that you copied in step 1

    • Name ID Format: EmailAddress

    • Application Username: Email

  9. Click Advanced settings. Ensure that Response is set to Signed (the default). Signing the assertion is optional.

    Important

    Do not modify other advanced settings. For example, assertion encryption must be set to Unencrypted.

  10. Click Hide advanced settings.

  11. Click Next.

  12. Select I’m an Okta customer adding an internal app.

  13. Click Finish. The Databricks SAML app is shown.

  14. Under SAML 2.0 is not configured until you complete the setup instructions, click View Setup Instructions.

  15. Copy the following values:

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • x.509 certificate

  16. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML (Public Preview) for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the Okta field that was called Identity Provider Single Sign-On URL.

    4. Set Identity Provider Entity ID to the Okta field that was called Identity Provider Issuer.

    5. Set x.509 Certificate to the Okta x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.
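Two of the steps above are easy to get subtly wrong: step 3 (Databricks email addresses must match Okta exactly, and the comparison is case sensitive) and step 16.5 (the x.509 certificate must be pasted with its BEGIN and END markers). The script below is an added example, not Databricks or Okta code, covering both checks: it reports Databricks users whose address has no exact match in Okta, pointing out case-only differences, and it normalizes a certificate into PEM form with the markers present. The function names are this example's own, and the sample user lists and certificate body are constructed (the "certificate" is a minimal DER SEQUENCE, not a real X.509 certificate, used only so the structural check passes).

```python
"""Pre-flight checks for the SAML setup: email addresses and the x.509 certificate.

Added example (not Databricks or Okta code). The user lists and certificate
body below are constructed placeholders.
"""
import base64
import binascii
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def find_email_mismatches(databricks_emails, okta_emails):
    """Return {databricks_email: reason} for addresses with no exact match in Okta.

    Databricks matches the SAML NameID against the stored address case-sensitively,
    so an address that differs only in case is reported with the Okta value as a hint.
    """
    okta_exact = set(okta_emails)
    okta_folded = {e.lower(): e for e in okta_emails}
    report = {}
    for email in databricks_emails:
        if email in okta_exact:
            continue
        near = okta_folded.get(email.lower())
        report[email] = f"case differs from Okta value {near!r}" if near else "no Okta user"
    return report


def to_pem_certificate(cert_text: str) -> str:
    """Return the certificate as a PEM block with BEGIN/END markers.

    Accepts either a full PEM block or the bare base64 body, validates that the
    body decodes as base64 to something that begins like a DER certificate, and
    re-wraps it at 64 characters per line.
    """
    lines = [ln.strip() for ln in cert_text.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and ln not in (PEM_HEADER, PEM_FOOTER))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # Every DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if not der.startswith(b"\x30"):
        raise ValueError("decoded certificate does not start with an ASN.1 SEQUENCE")
    wrapped = "\n".join(textwrap.wrap(body, 64))
    return f"{PEM_HEADER}\n{wrapped}\n{PEM_FOOTER}\n"


# Constructed sample data (placeholders, not real accounts or a real certificate).
DATABRICKS_USERS = ["Ann@Example.com", "bob@example.com", "carol@example.com"]
OKTA_USERS = ["ann@example.com", "bob@example.com"]
SAMPLE_DER = b"\x30\x03\x02\x01\x01"  # minimal SEQUENCE { INTEGER 1 }, stands in for a cert
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    for email, reason in find_email_mismatches(DATABRICKS_USERS, OKTA_USERS).items():
        print(f"{email}: {reason}")
    print(to_pem_certificate(SAMPLE_BODY))
```

Feed `find_email_mismatches` the address lists exported from the account console and from Okta before enabling SSO; any entry reported as "case differs" will fail to log in even though the user visibly exists on both sides. Pasting the output of `to_pem_certificate` into the x.509 Certificate field guarantees the markers are present whether the Okta setup page showed them or not.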