Configure SCIM Provisioning for Okta

Databricks is available as a provisioning app in the Okta Integration Network (OIN), enabling you to use Okta to provision users and groups with Databricks automatically.

Features

The Databricks Okta application supports “Invited User Administration.”

This enables Okta to:

  • Update user profiles for users who are in an invited state in Databricks (including those who have not accepted invitations)
  • Add invited users to groups while they are in invited state in Databricks
  • Remove users from Databricks while they are in invited state in Databricks

The following provisioning features are supported:

  • Push new users
  • Push profile updates
  • Push user deletion
  • Import new users
  • Import profile updates
  • Push groups

Prerequisites

Your Databricks account must have the Databricks Operational Security Package.

Configure Databricks provisioning using Okta

  1. Log in to your Databricks workspace as an administrator.

    Important

    This Databricks admin user should not be managed by Okta. A Databricks admin user who is managed by Okta can be deprovisioned using Okta, which would cause your SCIM provisioning integration to be disabled.

  2. On the Admin Console, go to the Single Sign-On tab.

  3. Click Enable SSO if it isn’t already enabled and copy the Databricks SAML URL. You will provide this to Okta in a subsequent step.

  4. Generate a personal access token in Databricks and copy it. See Generate a token.

    You will provide this to Okta in a subsequent step.

  5. Launch the Okta admin console, go to Applications > Applications, and select Add Application.

  6. Search for Databricks, select it, and click the Add button.

  7. Enter an Application Label and click Done.

    Use a name that will help administrators find it, like Provision_<WorkspaceName>.

  8. Go to the Sign On tab and click the Edit button.

  9. Paste the Databricks SAML URL that you copied in step 3 into the Default Relay State and Databricks SAML URL fields and click Save.

    Databricks SAML URL

  10. Go to the Provisioning tab and click Configure API Integration.

  11. Select Enable API Integration and do the following:

    1. Enter the Base URL, like this: https://<your-account>.cloud.databricks.com/api/2.0/preview/scim/v2.

    2. In the API Token field, paste the Databricks personal access token that you generated in step 4.

      Okta SCIM credentials

  12. Click the Test API Credentials button. When you’ve seen the message that confirms that the credentials are authorized to enable provisioning, click Save.

  13. In the Settings menu on the left sidebar, select To App.

  14. Click Edit and select the provisioning features you want to enable.

    Okta provisioning options

    Note

    The Deactivate Users option deletes users from the Databricks workspace. Depending on your organization’s Databricks deployment, users removed from a Databricks workspace lose access to that workspace but may still have access to other Databricks workspaces. If a deprovisioned user is re-provisioned to the workspace and they are still active in other workspaces, they will be re-provisioned with their existing ID. A user who has had no active workspaces for 30 days will automatically be purged from Databricks due to GDPR requirements.

  15. Click Save and scroll to the bottom of the page to verify your Databricks Attribute Mappings.

    These mappings will depend on the options you enabled above. You can add and edit mappings to fit your needs. See Application-Based Mapping in the Okta documentation.

  16. In the Settings menu on the left sidebar, select To Okta.

    The default settings work well for Databricks provisioning. If you want to update the default settings and attribute mappings, see Provisioning and Deprovisioning in the Okta documentation.

Import users from Databricks to Okta

To import users from Databricks to Okta, go to the Import tab and click Import Now. You will be prompted to review and confirm assignments for any users who are not automatically matched to existing Okta users.

Add user and group assignments

To verify or add user and group assignments, go to the Assignments tab.

Push groups to Databricks

To push groups from Okta to Databricks, go to the Push Groups tab.

Roles and entitlements

Databricks supports the assignment of roles and entitlements from Okta. Each of these is a multi-valued attribute that requires that you create attributes in the Databricks provisioning app profile. For example, if you want to assign two roles to a user, you must create two attributes in the Databricks provisioning app and map one Okta user attribute to each.

The following instructions use the roles attribute as an example, but you can set up entitlements in the same manner.

  1. In the Okta admin console, go to Directory > Profile Editor.

  2. Click the Profile edit button for the Okta user profile.

  3. Click the + Add Attribute button to add a role.

  4. In the Add Attribute dialog, give the role attribute a Display name and Variable name (in this example, we use Primary role and primary_role, respectively).

    add okta role attribute

  5. Return to the Profile Editor and click the Profile edit button for the Databricks provisioning app user profile.

  6. Click the + Add Attribute button to add a role.

  7. On the Add Attribute dialog, give the role attribute the following values:

    Display name: Primary role

    Variable name: primary_role

    External Name in the format roles.^[type=='$TYPE'].value, where $TYPE is a string describing the role; in this case, if $TYPE were primary, the External Name would be roles.^[type=='primary'].value.

    External Namespace: urn:ietf:params:scim:schemas:core:2.0:User.

    add Databricks role attribute

  8. Return to the Profile Editor and click the Mappings edit button for the Databricks provisioning app user profile.

  9. For both Databricks to Okta and Okta to Databricks, map the Databricks SCIM app role attribute to the Okta user role attribute and then click Save Mappings.

    Okta to Databricks role attribute mapping

  10. To add a role attribute value to a user, go to Directory > People, select a user, and go to the Profile tab in the user page.

    Click the Edit button to enter a Primary role value for the user. When you assign the user to the app, you should see the role populated with the value that you entered.

If you want to add another role, follow the steps above using a different value for $TYPE in the External Name field of the attribute.
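To show what the External Name roles.^[type=='$TYPE'].value selects in a SCIM User resource, and how the two mapping directions from step 9 behave against the multi-valued roles and entitlements attributes, here is an added example (not Okta's or Databricks' own code). The user resource, its role and entitlement values, and the helper names are constructed for illustration.

```python
import re

# Constructed sample SCIM User resource in the shape exchanged with the
# Databricks SCIM endpoint; the values are illustrative, not from a real tenant.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "roles": [
        {"type": "primary", "value": "analyst"},
        {"type": "secondary", "value": "reviewer"},
    ],
    "entitlements": [
        {"type": "primary", "value": "allow-cluster-create"},
    ],
}

# Matches External Names of the form <attribute>.^[type=='<type>'].value
_EXT_NAME = re.compile(r"^(\w+)\.\^\[type=='([^']*)'\]\.value$")


def parse_external_name(external_name):
    """Split e.g. roles.^[type=='primary'].value into ('roles', 'primary').
    Anything else (such as a plain roles.value) is rejected."""
    m = _EXT_NAME.match(external_name)
    if not m:
        raise ValueError(f"unsupported external name: {external_name}")
    return m.group(1), m.group(2)


def resolve(user, external_name):
    """Databricks -> Okta direction: the value of the entry whose type matches
    the External Name, or None when the user has no entry of that type."""
    attribute, type_ = parse_external_name(external_name)
    for entry in user.get(attribute, []):
        if entry.get("type") == type_:
            return entry.get("value")
    return None


def assign(user, external_name, value):
    """Okta -> Databricks direction: set or replace only the entry with the
    selected type; entries of other types (other roles) are left intact."""
    attribute, type_ = parse_external_name(external_name)
    entries = user.setdefault(attribute, [])
    for entry in entries:
        if entry.get("type") == type_:
            entry["value"] = value
            return user
    entries.append({"type": type_, "value": value})
    return user
```

Because each External Name selects exactly one typed entry, a second role needs a second attribute with a different $TYPE, as the step above describes.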

Troubleshooting and tips

  • Users without either First Name or Last Name in their Databricks profiles cannot be imported to Okta as new users.
  • Users who existed in Databricks prior to provisioning setup:
    • Are automatically linked to an Okta user if they already exist in Okta and are matched based on email address (username).
    • Can be manually linked to an existing user or created as a new user in Okta if they are not automatically matched.
  • User permissions that are assigned individually and duplicated through membership in a group remain after the group membership is removed for the user.
  • Users removed from a Databricks workspace lose access to that workspace but may still have access to other Databricks workspaces.
  • The “admins” group is a reserved group in Databricks and cannot be removed.
  • Groups cannot be renamed in Databricks; do not attempt to rename them in Okta.
  • You can use the Databricks Groups API or the Groups UI to get a list of members of any Databricks group.
  • You cannot update Databricks usernames and email addresses.