Configure SCIM provisioning for OneLogin

Preview

This feature is in Public Preview.

You can configure Databricks as a SCIM provisioning app in OneLogin, enabling you to use OneLogin to provision users with Databricks automatically.

Prerequisites

  • Your Databricks account must have the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).
  • Your OneLogin account must support provisioning.
  • You must be a Super User or Account Owner for your OneLogin account.
  • Databricks recommends that you read the OneLogin article, What is User Provisioning and Deprovisioning?.

Enable Databricks provisioning using OneLogin

When you follow these steps, log into the Databricks admin console in one browser tab, and log into the OneLogin admin console in another.

Generate a Databricks personal access token

As a Databricks workspace administrator, generate a personal access token. See Token management. Store the personal access token in a secure location. OneLogin will use this personal access token to authenticate to Databricks.

Important

The user who owns this personal access token must not be managed within OneLogin. Otherwise, removing the user from OneLogin would disrupt the SCIM integration.

Configure the OneLogin SCIM provisioning app

  1. Log in to OneLogin as a Super User or Account Owner, and launch the OneLogin admin console.

  2. Go to Applications and click Add App.

  3. Search for Databricks. Select the row with the label SAML2.0, provisioning.

  4. Click Save. New configuration tabs appear at the left.

  5. Click Configuration.

  6. Enter the Databricks subdomain.

  7. In the SCIM Bearer Token field, enter the Databricks personal access token.

  8. Under API Connection, click Enable. The application authenticates to Databricks.

  9. Go to Provisioning to enable and configure provisioning.

    1. Under Workflow, select Enable provisioning.

    2. Configure whether to require admin approval to create, delete, or update a user.

      Note

      Databricks recommends that you enable admin approval for all operations as an initial safeguard, so that you don’t trigger automatic provisioning for your users before setup and testing have been completed. After you have tested and verified that provisioning is working as expected, you can configure these settings to override admin approval.

    3. Configure the behavior in Databricks when a user is deleted from OneLogin:

      • Do nothing does not modify the user in Databricks.
      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.
      • Delete deletes the user in Databricks and archives the user’s resources. This is not reversible.
    4. Configure the behavior in Databricks when a user is suspended in OneLogin.

      • Do nothing does not modify the user in Databricks.
      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.
  10. Go to SSO to configure SSO. You can configure the strength of the x.509 certificate and the SAML signature algorithm, and you can enable or disable automatic population of the username in SSO login fields.

  11. In SSO, copy the SAML 2.0 Endpoint (HTTP) URL.

  12. Click Save. The application configuration screen reloads.

  13. Go to SSO. Under X.509 Certificate, click View details.

  14. Copy the x.509 certificate.

Configure Databricks for SSO and SCIM provisioning

  1. In the Databricks admin console, go to Single Sign On.
  2. Paste the OneLogin SAML 2.0 Endpoint URL into the Single Sign-On URL field.
  3. Paste the OneLogin Issuer URL into the Identity Provider Entity ID field.
  4. Paste the x.509 certificate into the x.509 certificate field.
  5. Under Advanced options, optionally enable automatic user creation and automatic IAM entitlement sync.
  6. Click Enable SSO.

Configure OneLogin entitlements

In OneLogin, groups are called entitlements. Follow these steps to import groups from Databricks into OneLogin. Importing OneLogin entitlements into Databricks is not supported.

  1. In the OneLogin Databricks application, go to SSO.
  2. In the Entitlements section, click Refresh.
  3. Click Save.

Map Databricks attributes to OneLogin attributes

Some Databricks attributes (like First Name, Last Name, NameID, SCIM Username) are mapped to OneLogin attributes by default and need no configuration. You must create mappings to keep Databricks groups, roles, and entitlements in sync with OneLogin fields for provisioned users.

  1. In OneLogin, go to Users > Custom User Fields and create two custom fields:

    • One to hold a user’s allow-cluster-create permission. In our example, we name this databricksEntitlements, although you can use any name that you like.
    • One to hold the user’s Databricks IAM role. In our example, we name this IAM Role.

    Once you have created these fields, you can specify the IAM role and allow-cluster-create entitlement for any user in the Custom Fields section of the OneLogin user record.

  2. Return to your OneLogin SCIM provisioning app and go to the Parameters tab to map the Entitlement, Groups, and Role attributes (all optional).

    Click the field name to open the edit dialog, where you can set the OneLogin field (Value) to map to the Databricks field.

    • Entitlement: set the Value to the custom user field you created in Step 1.
    • Groups: verify that all of the group names were successfully imported from Databricks to the Available Values field when you clicked Refresh on the Provisioning tab (above), and select the Include in User Provisioning flag.
    • Role: set the Value to the custom user field you created in Step 1.
  3. Click Save.
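The mapping above pushes three values into Databricks for each provisioned user: the custom entitlement field, the custom IAM role field, and the selected groups. Because groups cannot be created from OneLogin and an unknown group name simply does not land, it is worth checking the values before they are applied. The following is an added example, not Databricks or OneLogin code: it models what an administrator types into the `databricksEntitlements` and `IAM Role` custom fields plus the Groups parameter, validates them against a constructed inventory of groups that already exist in the workspace, and shows the SCIM 2.0 User shape those values end up in. The group names, account id, ARN and usernames are constructed, and the exact attribute names (`entitlements`, `roles`, `groups`) are an assumption about the Databricks SCIM representation.

```python
"""Pre-flight check of OneLogin custom-field values before Databricks provisioning.

Added example, not part of the Databricks or OneLogin documentation.
Every value below is constructed sample data.
"""
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Shape of an instance-profile ARN as used for Databricks IAM roles
# (assumed "aws" partition; adjust for other partitions).
INSTANCE_PROFILE_ARN = re.compile(r"^arn:aws:iam::\d{12}:instance-profile/[\w+=,.@-]+$")

# Constructed inventory of groups that already exist in the workspace.
# OneLogin cannot create groups, so a mapped name missing here is never applied.
DATABRICKS_GROUPS = frozenset({"admins", "finance", "data-engineering"})

# Only allow-cluster-create is named on the page; extend this allow-list for
# other entitlements your workspace uses.
KNOWN_ENTITLEMENTS = frozenset({"allow-cluster-create"})


def validate_mapping(username, entitlement, iam_role, groups,
                     *, existing_groups=DATABRICKS_GROUPS,
                     known_entitlements=KNOWN_ENTITLEMENTS):
    """Return a list of human-readable problems with one user's mapped values."""
    issues = []
    if entitlement and entitlement not in known_entitlements:
        issues.append(f"{username}: unknown entitlement {entitlement!r}")
    if iam_role and not INSTANCE_PROFILE_ARN.match(iam_role):
        issues.append(f"{username}: IAM Role {iam_role!r} is not an instance-profile ARN")
    for group in groups:
        if group not in existing_groups:
            issues.append(f"{username}: group {group!r} does not exist in Databricks")
    # Membership in admins makes the user a workspace administrator; surface it
    # so a rule or typo cannot grant admin rights unnoticed.
    if "admins" in groups:
        issues.append(f"{username}: mapped to 'admins' (becomes workspace administrator)")
    return issues


def build_scim_user(username, entitlement, iam_role, groups):
    """Assemble the SCIM 2.0 User body the mapped values correspond to."""
    user = {"schemas": [SCIM_USER_SCHEMA], "userName": username}
    if entitlement:
        user["entitlements"] = [{"value": entitlement}]
    if iam_role:
        user["roles"] = [{"value": iam_role}]
    if groups:
        # Group references are shown by display name for readability.
        user["groups"] = [{"display": g} for g in groups]
    return user


if __name__ == "__main__":
    sample = [
        ("alice@example.com", "allow-cluster-create",
         "arn:aws:iam::123456789012:instance-profile/analyst", ["finance"]),
        ("bob@example.com", "allow-everything", "not-an-arn", ["marketing", "admins"]),
    ]
    for username, ent, role, grps in sample:
        problems = validate_mapping(username, ent, role, grps)
        print(username, "OK" if not problems else problems)
        if not problems:
            print("  would provision:", build_scim_user(username, ent, role, grps))
```

Run it against an export of the custom field values before you clear the admin-approval safeguard from the Provisioning tab; any line flagged for a missing group needs the group created in the Databricks admin console first.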

Assign groups, IAM roles, and entitlements to Databricks users

Once you have created your custom user fields and configured your attribute mapping, you can assign groups, IAM roles, and the allow-cluster-create entitlement to Databricks users when you provision them. To assign additional entitlements, use the Databricks admin console.

When you enter a value for the entitlement and IAM role custom fields on the user record (Users > All Users > <username>), the entitlement and IAM role will automatically be included when you provision the user to Databricks. For more information, see the OneLogin article, Custom User Fields.

To assign Group values, you must manually select them on the user login record for the OneLogin SCIM provisioning app. On the Users tab of the OneLogin SCIM provisioning app, select the user to edit. For more information, see the OneLogin article, Provisioning Attributes: the Effect of Defaults, Rules, and Manual Entry.

You can also use OneLogin rules (mappings) to assign users to Databricks groups, IAM roles, and entitlements automatically, based on another OneLogin attribute, such as OneLogin Role. For example, to place all users who are in the OneLogin Role “Finance” in the Databricks “finance” group, you can go to the Rules tab in your OneLogin SCIM provisioning app and create a New Rule with the condition Roles – include – Finance and the action Set Groups in Databricks to – finance, as in this screenshot:

Rules tab

Now, whenever you add a user to the OneLogin “Finance” role and the OneLogin SCIM provisioning app, the user will be assigned the “finance” group in Databricks when you reapply entitlement mappings. For more information about using rules (mappings) this way, see the OneLogin help article, Rules.

Users who are added to the admins group in OneLogin become Databricks workspace administrators.

Remove or update group, IAM role, or entitlement assignments

You can remove or update group, IAM role, or entitlement assignments in multiple ways:

  • Manually: go to the Users tab in the OneLogin SCIM provisioning app and select the user to edit. Remove or override the current selection in the group field, custom IAM role field, or custom entitlement field.
  • Automatically: if you have set up rules to assign groups, IAM roles, or entitlements to the user based on a OneLogin attribute, such as OneLogin Role, remove that attribute from the user (for example, remove the user from the OneLogin Role). You can also change the rule that assigns the group, IAM role, or entitlement to users in that OneLogin role.

Note

In many cases, it is easier to manage groups, IAM roles, and entitlements using the Databricks admin console.

When a user is removed from the admins group in OneLogin and the change is synced to Databricks, the user is no longer a Databricks workspace administrator.

Important

Do not remove the administrator who configured the OneLogin SCIM provisioning app, and do not remove them from the admins group. Otherwise, the SCIM integration cannot authenticate to Databricks.

See the OneLogin documentation for more information about mapping attributes.

Trigger a sync

You can manually trigger a sync of OneLogin users with Databricks users by going to the OneLogin SCIM provisioning app and selecting MORE ACTIONS -> Sync logins. If a user is assigned to the app, the user will be added to your Databricks workspace. However, the reverse is not true: a user created in the Databricks workspace will not be added to the OneLogin SCIM provisioning app.

To manually sync users from the Databricks workspace to OneLogin, create a user in OneLogin with the same username and email address as the user in the Databricks workspace, and then assign the user to the app in OneLogin.

For more information, see Synchronizing users in the OneLogin documentation.

Delete users

You should delete users in OneLogin and let OneLogin take care of deprovisioning them from the Databricks workspace. If you delete a OneLogin-managed user directly in the Databricks workspace, the user will remain active in the OneLogin SCIM provisioning app. When you try to delete the user from the OneLogin SCIM provisioning app, the attempt will fail, because the user is already deleted in the workspace.

You can deprovision a user in multiple ways:

  • Delete or suspend the user from OneLogin.
  • Remove the user from the app manually by going to the Users tab in the OneLogin SCIM provisioning app, selecting the user, and clicking the Delete button.
  • If you have set up rules to assign the user to the app based on a OneLogin attribute, such as OneLogin Role, remove that attribute from the user (for example, remove the user from the OneLogin Role). You can also remove the Databricks app from a OneLogin Role that the user is assigned to (this deprovisions Databricks for all users in the role).

Important

Do not remove the administrator who configured the OneLogin SCIM provisioning app from Databricks or from the admins group. Otherwise, the SCIM integration cannot authenticate to Databricks.

See the OneLogin documentation for more information.

Troubleshooting and tips

  • Users who existed in Databricks prior to provisioning setup:
    • Are automatically linked to a OneLogin user if they already exist in OneLogin and are matched based on email address (username).
    • Can be manually linked to an existing user or created as a new user in OneLogin if they are not automatically matched. For more information, see Synchronizing users in the OneLogin documentation.
  • User permissions that are assigned individually and duplicated through membership in a group remain after the group membership is removed for the user.
  • Users removed from a Databricks workspace lose access to that workspace but may still have access to other Databricks workspaces.
  • You must create Databricks groups in Databricks; you cannot add groups using OneLogin.
  • You cannot update Databricks usernames and email addresses.
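Three of the conditions described on this page are easy to detect ahead of time by comparing the two directories: the token owner must not be a OneLogin-managed user (see the Important note under Generate a Databricks personal access token), a user deleted directly in the workspace stays behind in the OneLogin app and later fails to delete (Delete users), and pre-existing workspace users are linked only when their email address matches (first troubleshooting item). The following is an added example, not Databricks or OneLogin code. `DATABRICKS_USERS` is a constructed sample shaped like a SCIM 2.0 ListResponse such as the Databricks SCIM Users endpoint returns, `ONELOGIN_APP_USERS` is a constructed list of logins assigned to the OneLogin Databricks app, and `TOKEN_OWNER` is the username that generated the personal access token; all values are made up.

```python
"""Reconcile Databricks SCIM users against the logins assigned to the OneLogin app.

Added example, not part of the Databricks or OneLogin documentation.
All data below is constructed.
"""

# Constructed sample shaped like a SCIM 2.0 ListResponse of Databricks users.
DATABRICKS_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "1001", "userName": "svc-scim@example.com", "active": True,
         "emails": [{"value": "svc-scim@example.com", "primary": True}],
         "groups": [{"display": "admins"}]},
        {"id": "1002", "userName": "alice@example.com", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}],
         "groups": [{"display": "finance"}]},
        {"id": "1003", "userName": "bob@example.com", "active": False,
         "emails": [{"value": "bob@example.com", "primary": True}],
         "groups": []},
        {"id": "1004", "userName": "legacy@example.com", "active": True,
         "emails": [{"value": "Legacy@Example.com", "primary": True}],
         "groups": []},
    ],
}

# Constructed: logins assigned to the OneLogin Databricks app (carol was deleted
# directly in the workspace, so she is still listed here).
ONELOGIN_APP_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Constructed: the workspace admin whose personal access token the app uses.
TOKEN_OWNER = "svc-scim@example.com"


def primary_email(resource):
    """Lower-cased primary email of a SCIM user, falling back to userName."""
    for email in resource.get("emails", []):
        if email.get("primary"):
            return email["value"].lower()
    return resource["userName"].lower()


def is_admin(resource):
    return any(g.get("display") == "admins" for g in resource.get("groups", []))


def reconcile(scim_list, onelogin_logins, token_owner):
    """Compare both directories and return the findings as a dict."""
    onelogin = {login.lower() for login in onelogin_logins}
    db_by_email = {primary_email(r): r for r in scim_list["Resources"]}
    owner = token_owner.lower()
    owner_resource = db_by_email.get(owner)
    return {
        # The page requires the token owner to stay outside OneLogin management
        # and inside the admins group; either finding means the integration
        # can be broken by a OneLogin change.
        "token_owner_managed_by_onelogin": owner in onelogin,
        "token_owner_is_workspace_admin": bool(owner_resource and is_admin(owner_resource)),
        # Assigned in OneLogin but gone from the workspace: deleting them from
        # the OneLogin app will fail until the record is cleaned up.
        "orphaned_in_onelogin": sorted(onelogin - db_by_email.keys()),
        # Present in the workspace but not assigned to the app: these need a
        # OneLogin user with the same username and email to become linked.
        "unlinked_in_databricks": sorted(db_by_email.keys() - onelogin - {owner}),
        # Users OneLogin has suspended (active=false) rather than deleted.
        "suspended": sorted(e for e, r in db_by_email.items() if not r.get("active", True)),
    }


if __name__ == "__main__":
    for key, value in reconcile(DATABRICKS_USERS, ONELOGIN_APP_USERS, TOKEN_OWNER).items():
        print(f"{key}: {value}")
```

Emails are compared case-insensitively on purpose: the mixed-case `Legacy@Example.com` entry still matches a lower-case OneLogin login, which mirrors the email-based matching the troubleshooting section describes. To run this against a live workspace, replace the constructed `DATABRICKS_USERS` with the JSON returned by the Databricks SCIM Users endpoint and `ONELOGIN_APP_USERS` with an export of the app's Users tab.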