Single Sign On

What is Single Sign On

The Single Sign-On (SSO) feature enables you to authenticate your employees using your organization’s identity provider. If your identity provider supports the SAML 2.0 protocol, you can use Databricks SSO to integrate with your identity provider and sign in.

Note

SSO is only available in the Databricks Operational Security Package.

Enabling Single Sign-On Authentication

To enable SSO, please use the Admin Console. Then select the SSO tab.

Enable SSO

There are two steps involved in the registration process:

Step 1: The first step is to configure your identity provider.

This requires creating a Databricks application on your identity provider with the information provided by Databricks (Databricks SAML URL). You can read the instructions on how to set this up for:

The process will be similar for any other identity provider who support SAML 2.0.

Step 2: Once you configure your identity provider, you need to then provide the information from the identity provider in the Databricks admin page to complete the registration process.

Authorizing Access to Databricks

You may choose which employees of your organization can get access to Databricks through one of two ways.

  • Explicitly add users during the configuration process with your identity provider in Step 1 and enable auto-user creation in the SSO tab; if the user’s account does not already exist, then a new account will be provisioned for them upon login.
  • Manually add users in Databricks as described in Managing Users and disable auto-user creation; if the user’s account does not already exist, then they cannot log in.

Sign-In Process

Once enabled, you will see the new option in the sign in page to use the single sign-on option.

SSO Login
  1. Once enabled, all non-admin users can sign in only using SSO.
  2. The admins can sign in with both SSO and their username/password. If there are difficulties signing in with SSO, the admins can sign in with password and disable SSO in the admin console.
  3. API users will still be able to use their username / password to make REST API users

Migrating Existing Users to SSO

Note

If a user’s current email address (username) with Databricks is the same as in the identity provider, then the migration will be automatic (as long as auto-user creation is enabled) and you can skip this step.

Read this section if there is a user on your Databricks instance with an email address that is different from their email in the identity provider.

If a user’s email address with the identity provider is different from the one with Databricks, then a new user based on the identity provider email will appear in Databricks when they login. Since non-admin users will no longer be able to login with their old email address and password, they will not be able to access the files in their existing ‘Users’ folder.

We recommended the following steps to migrate files from their old ‘Users’ folder to their new ‘Users’ folder:

  • The admin can go to the ‘Admin Console’ and remove the old user.
  • This will mark the user’s folder directory as defunct and the directory will move below all the active users in the workspace. All the notebooks and libraries will still be accessible by admins.
  • All the clusters and jobs created by the user will remain as it is.
  • If the user had any other ACLs set, enabling SSO will cause those to reset and the admin have to manually set those ACLs for the new user.
  • The admin can then move the old user’s folder into the new one as shown below.
SSO Move