Microsoft Azure Active Directory (AD) runs in your Azure tenant. It provides identity-based access controls for a wide range of Microsoft products and supports authenticating third-party applications such as Databricks. Azure Active Directory uses SAML 2.0.
This article shows how to configure Azure Active Directory as the identity provider for Databricks. If you use Microsoft Windows Active Directory that you host in your Azure tenant or on your premises, you can use it for SSO with Databricks. In that case, see Microsoft Windows Active Directory instead of this article.
- Log in to Databricks as an administrator.
- Go to the admin console.
- Click Single Sign On.
- Copy the Databricks SAML URL.
Do not close this browser tab.
Follow these steps to create a non-gallery Azure portal SAML application.
In the Azure portal, in the Azure services pane, click Enterprise applications. The All applications pane opens and displays a random sample of the applications in your Azure Active Directory tenant.
In the Enterprise applications pane, click New application.
The Browse Azure Active Directory Gallery pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications.
Switch to the legacy app gallery experience.
In the banner at the top of the Add an application page, click the link that says You’re in the new and improved app gallery experience. Click here to switch back to the legacy app gallery experience.
Enter a name, then click Create your own application. Under What are you looking to do with your application? choose Integrate any other application you don’t find in the gallery.
The application’s properties pane appears.
In the application’s properties pane, click Users and groups. Select users and groups to grant them access to this SAML application. Users must have access to this SAML application to log into your Databricks workspace using SSO.
In the application’s properties pane, click Single sign on.
Click SAML to configure the application for SAML authentication. The SAML properties pane appears.
Next to Basic SAML configuration, click Edit.
Next to SAML Signing Certificate, click Edit.
In the Signing Option drop-down list, select Sign SAML response and assertion.
Next to Certificate (Base64), click Download. The certificate is downloaded locally as a file with a .cer extension. Open the .cer file in a text editor. Do not open it using the macOS Keychain, which is the default on macOS. The file comprises the entire X.509 certificate for the Azure Active Directory SAML application.
The certificate is sensitive data. Be cautious about where you download it and delete it from local storage as soon as possible.
Copy the file contents.
Under Set up Azure AD SAML Toolkit, copy the Login URL and Azure Active Directory Identifier.
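Before pasting the copied .cer text into the Databricks X.509 Certificate field, it is worth checking that the copy is one complete, currently valid certificate. The following is an added example (not Databricks or Microsoft code) that does this with the Python standard library only, assuming the Azure download is a Base64 PEM file as described above; SAMPLE_PEM is a constructed stand-in built inline, not a real Azure AD certificate.

```python
import base64, re
from datetime import datetime, timezone
def pem_to_der(text):
    # Exactly one PEM block and valid base64: a partial or doubled copy from the text editor fails here.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def _tlv(buf, pos):
    # Decode one DER tag-length-value; return (tag, value, position after the element).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):                               # 0x17 UTCTime (YY...), 0x18 GeneralizedTime (YYYY...)
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    # Certificate -> tbsCertificate -> [0] version?, serialNumber, signature, issuer, validity
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                     # explicit version tag present (v2/v3 certificates)
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                          # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    t1, not_before, pos = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, pos)
    return _asn1_time(t1, not_before), _asn1_time(t2, not_after)

def is_usable(pem_text, now=None):
    not_before, not_after = cert_validity(pem_to_der(pem_text))
    return not_before <= (now or datetime.now(timezone.utc)) <= not_after

# Constructed stand-in (not a real Azure AD certificate): a minimal DER skeleton valid 2024-01-01 to 2035-01-01.
def _der(tag, body):                                    # short-form lengths suffice for this small sample
    return bytes([tag, len(body)]) + body
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG + _der(0x30, b"")
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"350101000000Z")))
_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" * 9))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(re.findall(".{1,64}", base64.b64encode(_DER).decode()))
              + "\n-----END CERTIFICATE-----\n")
```

Run `is_usable(open("downloaded.cer").read())` on the real file; a `ValueError` means the pasted text is incomplete or contains more than one certificate.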
As a Databricks administrator:
- Go to the admin console.
- Go to the Single Sign On tab.
- Set Single Sign-On URL to the Login URL from Configure the Azure portal application.
- Set Identity Provider Entity ID to the Azure Active Directory Identifier from Configure the Azure portal application.
- Paste the certificate from Configure the Azure portal application into the X.509 Certificate field.
- Click Enable SSO.
- Optionally, click Allow auto user creation.
- In an incognito browser window, go to your Databricks workspace.
- Click Single Sign On. You are redirected to Azure Active Directory.
- Enter your Azure Active Directory credentials. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.