Configure SCIM provisioning for OneLogin

You can configure Databricks as a provisioning app in OneLogin, enabling you to use OneLogin to provision users with Databricks automatically.

Prerequisites

  • Your Databricks account must have the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).
  • Your OneLogin account must support provisioning.
  • You must be a Super User or Account Owner for your OneLogin account.
  • It is highly recommended that you read the OneLogin article, Introduction to User Provisioning.

Enable Databricks provisioning using OneLogin

Step 1: Databricks Admin Console

  1. Log in to your Databricks workspace as an administrator.

    Important

    This Databricks admin user should not be managed by OneLogin. A Databricks admin user who is managed by OneLogin can be deprovisioned using OneLogin, which would cause your SCIM provisioning integration to be disabled.

  2. In the Admin Console, go to the Single Sign-On tab.

  3. Click Enable SSO if it isn’t already enabled and copy the Databricks SAML URL.

    You provide this to OneLogin in a subsequent step.

  4. Generate a personal access token in Databricks and copy it. See Generate a personal access token.

    You provide this to OneLogin in a subsequent step.

Step 2: OneLogin Admin Console

  1. Log in to OneLogin as a Super User or Account Owner, and launch the OneLogin admin console.

  2. Type https://<mycompany>.onelogin.com/apps/new/112664 in your browser’s address bar, where <mycompany> is your organization’s OneLogin subdomain.

  3. On the Configuration tab of the Add Databricks SCIM Test page, click Save to add the app to your Company Apps and to display the other tabs required to complete your provisioning configuration.

    Before you save, you can update the display name and add an icon, if you like.

  4. (Optional but recommended) Set up SAML SSO for the app.

    In most provisioning scenarios, you also use SAML to provide SSO to Databricks. However, this step is not necessary for enabling provisioning using the SCIM API. You can come back to this step and enable SSO later, after you have configured and tested provisioning.

    (Screenshot: SSO tab)
    1. Go to the SSO tab and copy the X.509 Certificate (click View Details), Issuer URL, and the SAML 2.0 Endpoint (HTTP).

Step 3: Databricks Admin Console

  1. In the Databricks Admin Console, go to the Single Sign-On tab.

  2. On the Single Sign-On page, paste the copied OneLogin SAML 2.0 Endpoint (HTTP) into the Single Sign-On URL field, the OneLogin Issuer URL into the Identity Provider Entity ID field, and the X.509 Certificate into the x.509 Certificate field.

    (Screenshot: Databricks SSO configuration)

  3. Click Enable SSO.

Step 4: OneLogin Admin Console

  1. In OneLogin, go to the Configuration tab to provide the Databricks SAML URL to OneLogin and to connect to the Databricks SCIM API.

    (Screenshot: OneLogin configuration)
    1. Paste the Databricks SAML URL that you copied in Step 1 into the SAML Audience URL and SAML Consumer URL fields.
    2. In SCIM Base URL, enter https://<your-company>.cloud.databricks.com/api/2.0/preview/scim/v2/.
    3. In SCIM Bearer Token, paste the Databricks personal access token that you generated and copied in Step 1.
    4. Click Enable.
  2. Go to the Provisioning tab to enable provisioning, set your admin approval policy, and specify what happens in Databricks when a user is deleted in OneLogin.

    1. Select Enable provisioning.

    2. Select the operations for which you want there to be admin approval (Create user, Delete user, Update user). Once you select these operations, an admin must go to Users > Provisioning in OneLogin to manually approve each operation.

      Note

      We recommend that you enable admin approval for all operations as an initial safeguard, so that you don’t trigger automatic provisioning for your users before setup and testing have been completed. After you have tested and verified that provisioning is working as expected, you can configure these settings to override admin approval.

    3. Select how user deletion in OneLogin should be handled in Databricks: Delete or Do Nothing.

      Note

      Suspend is an option, but behaves the same way as Delete in Databricks.

  3. In the Entitlements section, click Refresh.

    This imports group names from Databricks so that you can use OneLogin to select and assign Databricks group membership when you provision users.

    Note

    You should create Databricks groups in your Databricks workspace and sync them to OneLogin using this Refresh action.

  4. Click Save.

Map Databricks attributes to OneLogin attributes

Some Databricks attributes (like First Name, Last Name, NameID, SCIM Username) are mapped to OneLogin attributes by default and need no configuration. Others—Groups, Role, and Entitlements—are optional and require configuration if you want to include these attributes when you provision the user with Databricks.

  1. In OneLogin, go to Users > Custom User Fields and create two custom fields:

    • One to hold a user’s allow-cluster-create permission. In our example, we name this databricksEntitlements, although you can use any name that you like.
    • One to hold the user’s Databricks IAM role. In our example, we name this IAM Role.

    Once you have created these fields, you can specify the IAM role and allow-cluster-create entitlement for any user in the Custom Fields section of the OneLogin user record.

  2. Return to your Databricks SCIM Test app and go to the Parameters tab to map the Entitlement, Groups, and Role attributes (all optional).

    (Screenshot: Map attributes)

    Click the field name to open the edit dialog, where you can set the OneLogin field (Value) to map to the Databricks field.

    • Entitlement: set the Value to the custom user field you created in Step 1.
    • Groups: verify that all of the group names were successfully imported from Databricks to the Available Values field when you clicked Refresh on the Provisioning tab (above), and select the Include in User Provisioning flag.
    • Role: set the Value to the custom user field you created in Step 1.
  3. Click Save.

Assign groups, IAM roles, and entitlements to Databricks users

Once you have created your custom user fields and configured your attribute mapping, you can assign group, IAM role, and allow-cluster-create entitlement values to Databricks users when you provision them.

When you enter a value for the entitlement and IAM role custom fields on the user record (Users > All Users > <username>), the entitlement and IAM role will automatically be included when you provision the user to Databricks. For more information, see the OneLogin article, Custom User Fields.

To assign Group values, you must manually select them on the user login record for the Databricks SCIM Test app. On the Users tab of the Databricks SCIM Test app, select the user to launch the login record edit dialog. For more information, see the OneLogin article, Provisioning Attributes: the Effect of Defaults, Rules, and Manual Entry.

(Screenshot: Assign group values)

You can also use OneLogin rules (mappings) to assign users to Databricks groups, IAM roles, and entitlements automatically, based on another OneLogin attribute, such as OneLogin Role. For example, to place all users who are in the OneLogin Role “Finance” in the Databricks “finance” group, you can go to the Rules tab in your Databricks SCIM Test app and create a New Rule with the condition Roles – include – Finance and the action Set Groups in Databricks to – finance, as in this screenshot:

(Screenshot: Rules tab)

Now, whenever you add a user to the OneLogin “Finance” role and the Databricks SCIM Test app, the user will be assigned the “finance” group in Databricks when you reapply entitlement mappings. For more information about using rules (mappings) this way, see the OneLogin help article, Rules.

Remove or update group, IAM role, or entitlement assignments

You can remove or update group, IAM role, or entitlement assignments in multiple ways:

  • Manually: go to the Users tab in the Databricks SCIM Test app and select the user to launch the login record edit dialog. Simply remove or override the current selection in the group field, custom IAM role field, or custom entitlement field.
  • Automatically: if you have set up rules to assign groups, IAM roles, or entitlements to the user based on a OneLogin attribute, such as OneLogin Role, remove that attribute from the user (for example, remove the user from the OneLogin Role). You can also change the rule that assigns the group, IAM role, or entitlement to users in that OneLogin role.

See the OneLogin documentation for more information.

Trigger a sync

You can manually trigger a sync of OneLogin users with Databricks users by going to the Databricks SCIM Test app and selecting MORE ACTIONS -> Sync logins. If a user is assigned to the app, the user will be added to your Databricks workspace. However, the reverse is not true: a user created in the Databricks workspace will not be added to the Databricks SCIM Test app in OneLogin.

To manually sync users from the Databricks workspace to OneLogin, create a user in OneLogin with the same username and email address as the user in the Databricks workspace, and then assign the user to the app in OneLogin.

For more information, see Synchronizing users in the OneLogin documentation.

Delete users

You should delete users in OneLogin and let OneLogin take care of deprovisioning them from the Databricks workspace. If you delete a OneLogin-managed user directly in the Databricks workspace, the user will remain active in the OneLogin Databricks SCIM Test app. When you try to delete the user from the Databricks SCIM Test app, the attempt will fail, because the user is already deleted in the workspace.

You can deprovision a user in multiple ways:

  • Delete or suspend the user from OneLogin.
  • Remove the user from the app manually by going to the Users tab in the Databricks SCIM Test app, selecting the user, and clicking the Delete button.
  • If you have set up rules to assign the user to the app based on a OneLogin attribute, such as OneLogin Role, remove that attribute from the user (for example, remove the user from the OneLogin Role). You can also remove the Databricks app from a OneLogin Role that the user is assigned to (this deprovisions Databricks for all users in the role).

See the OneLogin documentation for more information.

Troubleshooting and tips

  • Users who existed in Databricks prior to provisioning setup:
    • Are automatically linked to a OneLogin user if they already exist in OneLogin and are matched based on email address (username).
    • Can be manually linked to an existing user or created as a new user in OneLogin if they are not automatically matched. For more information, see Synchronizing users in the OneLogin documentation.
  • User permissions that are assigned individually and also duplicated through membership in a group remain after the user is removed from the group.
  • Users removed from a Databricks workspace lose access to that workspace but may still have access to other Databricks workspaces.
  • You must create Databricks groups in Databricks; you cannot add groups using OneLogin.
  • You cannot update Databricks usernames and email addresses.
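The drift cases this page describes (workspace-created users never synced back to OneLogin, OneLogin-assigned users deleted directly in the workspace, and a OneLogin-managed admin owning the SCIM token) can be checked offline from a saved SCIM /Users response. The following is an added example, not Databricks or OneLogin code; the SCIM response and the OneLogin assignment list are constructed samples, and the `reconcile` helper and `TOKEN_OWNER` name are hypothetical.

```python
"""Reconcile OneLogin app assignments against Databricks SCIM users.

Hypothetical helper, not part of the Databricks or OneLogin docs. It takes the
JSON that a GET on <SCIM Base URL>/Users returns (a SCIM 2.0 ListResponse;
constructed sample below) plus the usernames assigned to the Databricks SCIM
Test app in OneLogin (constructed), and reports the drift this page warns about.
"""
import json

# Constructed sample of a Databricks SCIM /Users ListResponse.
SCIM_USERS_JSON = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "100", "userName": "admin@example.com", "active": True,
         "entitlements": [{"value": "allow-cluster-create"}]},
        {"id": "101", "userName": "alice@example.com", "active": True,
         "groups": [{"display": "finance", "value": "7"}]},
        {"id": "102", "userName": "bob@example.com", "active": True},
    ],
})

# Constructed: usernames assigned to the Databricks SCIM Test app in OneLogin.
ONELOGIN_APP_USERS = ["alice@example.com", "carol@example.com", "admin@example.com"]

# Admin whose personal access token the app uses as its SCIM Bearer Token.
TOKEN_OWNER = "admin@example.com"


def reconcile(scim_json, onelogin_users, token_owner):
    """Return the drift findings, matching users on email address (username)."""
    resources = json.loads(scim_json)["Resources"]
    in_databricks = {u["userName"].lower() for u in resources if u.get("active", True)}
    in_onelogin = {u.lower() for u in onelogin_users}
    return {
        # Created in the workspace, never assigned in OneLogin: a sync will not
        # add them to the app; create/link them in OneLogin by hand.
        "workspace_only": sorted(in_databricks - in_onelogin),
        # Assigned in OneLogin but gone from the workspace: deleted directly,
        # so OneLogin's own delete attempt will fail.
        "onelogin_only": sorted(in_onelogin - in_databricks),
        # The token owner must not be OneLogin-managed, or deprovisioning that
        # admin disables the SCIM integration.
        "token_owner_managed": token_owner.lower() in in_onelogin,
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SCIM_USERS_JSON, ONELOGIN_APP_USERS, TOKEN_OWNER), indent=2))
```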