Configure SSO with OneLogin for your Databricks account console

This article shows how to configure OneLogin as the identity provider for single sign-on (SSO) in your Databricks account. OneLogin supports both OpenID Connect (OIDC) and SAML 2.0, Databricks recommends that you use OIDC for account console authentication.

Enable account single sign-on authentication using OIDC

  1. As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. From the drop-down at the top of this tab, select OpenID Connect.

  4. On the Single sign-on tab, make note of the Databricks Redirect URI value.

    Single sign-on tab when first opened
  5. In a new browser tab, log in to OneLogin.

  6. Click Administration.

  7. Click Applications.

  8. Click Add App.

  9. Search for OpenId Connect and select the OpenId Connect (OIDC) app.

  10. Enter a name and click Save.

  11. In the Configuration tab, Databricks Redirect URI from step 4. You can choose to configure the other settings or you can leave them to their default values.

  12. In the SSO tab, copy the copy the client ID, client secret, and issuer URL values.

    • Client ID is the unique identifier for the Databricks application you created in OneLogin.

    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

    • OpenID issuer URL is the URL at which OneLogin’s OpenID Configuration Document can be found. That OpenID Configuration Document must found be in {issuer-url}/.well-known/openid-configuration.

  13. Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

    Single sign-on tab when all values have been entered
  14. Click Enable SSO to enable single sign-on for all users in your account. Now all account admins except for the account owner must use SSO to log in to the Databricks account console.

  15. Test account console login with SSO. Test with a user ID other than account owner.

    Single sign-on tab

Enable account single sign-on authentication using SAML (Public Preview)

Preview

This feature is in Public Preview.

Follow these steps to create a OneLogin SAML application for use with Databricks account console.

  1. To get the Databricks SAML URL, as an account owner or account admin, log in to the account console. Click Settings in the sidebar and click the Single sign-on tab. From the picker, select SAML 2.0. Copy the value in the Databricks SAML URL field.

  2. In a new browser tab, log in to OneLogin.

  3. Click Administration.

  4. Click Applications.

  5. Click Add App.

  6. Search for SAML Custom Connector (Advanced) and click the result by OneLogin, Inc.

  7. Set Display Name to Databricks.

  8. Click Save. The application’s Info tab loads.

  9. Click Configuration.

  10. In Gather required information, set each of the following fields to the Databricks SAML URL:

    • Audience

    • Recipient

    • ACS (Consumer) URL Validator

    • ACS (Consumer) URL

    • Single Logout URL

    • Login URL

  11. Set SAML signature element to Both.

  12. Click Parameters.

  13. Set Credentials are to Configured by admins and shared by all users.

  14. Click Email. Set the value to email and enable Include in SAML Assertion.

  15. Click the SSO tab.

  16. Copy the following values:

    • x.509 certificate

    • Issuer URL

    • SAML 2.0 endpoint (HTTP)

  17. Verify that SAML signature element is set to Response or Both.

  18. Verify that Encrypt assertion is disabled.

  19. Configure Databricks in the Databricks account console SSO page. See Enable account single sign-on authentication using SAML (Public Preview) for details on optional fields.

    1. Click Single sign-on.

    2. Set the SSO type drop-down to SAML 2.0.

    3. Set Single Sign-On URL to the OneLogin SAML 2.0 endpoint.

    4. Set Identity Provider Entity ID to the OneLogin Issuer URL.

    5. Set x.509 Certificate to the OneLogin x.509 certificate, including the markers for the beginning and ending of the certificate.

    6. Click Enable SSO.