AWS single sign-on (SSO)

This article shows how to configure AWS Single Sign-On (SSO) as the identity provider for Databricks.


  • In the AWS console, you need permission to manage applications.
  • In Databricks, you need an administrator account.

Gather required information

  1. Log in to Databricks as an administrator.
  2. Go to the admin console.
  3. Click Single Sign On.
  4. Copy the Databricks SAML URL.

Keep this browser tab open.

Configure AWS SSO

  1. In a new browser tab, go to the AWS Single Sign-On console.

  2. Click Add a new application.

  3. In the AWS SSO Application Catalog field, type databricks.

  4. Click the Databricks tile.

  5. Set Display name to Databricks.

  6. Under Application Metadata, select If you don’t have a metadata file, you can manually type your metadata values.

  7. Set both Application ACS URL and Application SAML Audience to the Databricks SAML URL from Gather required information.

  8. Copy the Single Sign On URL and Identity Provider Entity ID.

  9. Download the x.509 certificate, then open the downloaded file in a text editor.

Configure Databricks

  1. Go back to the Databricks browser tab.
  2. Set Single Sign On URL to the Single Sign On URL from AWS SSO.
  3. Set Identity Provider Entity ID to the Identity Provider Entity ID from AWS SSO.
  4. Paste the entire x.509 certificate from AWS SSO into x.509 certificate, including the markers for the beginning and ending of the certificate.
  5. Click Enable SSO.
  6. Optionally, click Allow auto user creation.
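
Before pasting the certificate in step 4, you can check that the text you copied is complete. The following is an added example, not code from Databricks or AWS: the function names are hypothetical, and the sample input is a constructed placeholder rather than a real certificate. It confirms that both markers are present, that the body is intact base64, and that the decoded DER length matches its header, then returns a SHA-256 fingerprint you can record.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_certificate(text):
    """Return (ok, detail): detail is the SHA-256 fingerprint or the problem found."""
    text = text.strip().replace("\r\n", "\n")
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        return False, "expected exactly one BEGIN and one END CERTIFICATE marker"
    if not (text.startswith(BEGIN) and text.endswith(END)):
        return False, "unexpected text outside the certificate markers"
    b64 = "".join(text[len(BEGIN):-len(END)].split())
    if not b64 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64) or len(b64) % 4:
        return False, "body is not valid base64 (truncated or edited?)"
    der = base64.b64decode(b64)
    # A DER certificate is an ASN.1 SEQUENCE: tag 0x30, then the encoded length.
    if len(der) < 4 or der[0] != 0x30:
        return False, "decoded data is not a DER SEQUENCE"
    if der[1] & 0x80:  # long form: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:              # short form: the byte itself is the length
        declared, header = der[1], 2
    if header + declared != len(der):
        return False, "DER length does not match the data (truncated paste?)"
    digest = hashlib.sha256(der).hexdigest().upper()
    return True, ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def sample_pem():
    # Constructed placeholder: a SEQUENCE wrapping 300 zero bytes, not a real certificate.
    der = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(300)
    return f"{BEGIN}\n{base64.encodebytes(der).decode().strip()}\n{END}\n"


if __name__ == "__main__":
    good = sample_pem()
    print(check_pem_certificate(good))                             # complete file
    print(check_pem_certificate(good.replace(BEGIN + "\n", "")))   # markers dropped
    print(check_pem_certificate(good[:200] + "\n" + END))          # truncated body
```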

Test the configuration

  1. In an incognito browser window, go to your Databricks workspace.
  2. Click Single Sign On. You are redirected to AWS.
  3. Log in to AWS. If SSO is configured correctly, you are redirected to Databricks.

If the test fails, review Troubleshooting.