Google Workspace (formerly GSuite) single sign-on (SSO v2.0)
Workspaces on the E2 version of the Databricks platform always use SSO version 2.0. All new Databricks accounts and most existing accounts are now E2. In addition, many workspaces on the ST version of the Databricks platform have been upgraded to SSO version 2.0. Therefore, most workspaces use SSO version 2.0, and should follow the instructions in this article.
If you’re not sure, follow these steps to check the SSO version your workspace uses:
Go to the Admin Console and select the SSO tab.
Look for the Single Sign-On header.
If the number displayed to the right of the header is (v2.0), leave the browser tab open and proceed with the following instructions.
If the number displayed to the right of the header is (v1.0), follow the Google Workspace single sign-on (SSO v1.0) instructions instead of the instructions in this article.
Gather required information
From the Databricks Single Sign-On tab, copy the Databricks SAML URL.
Do not close this browser tab.
Configure Google Workspace
In a new browser tab, log in to the Google Workspace Admin console.
In the sidebar, select Apps > Web and mobile apps.
On the Web and mobile apps page, select Add App > Add custom SAML app to add a new SAML app.
Enter a name in the App name field and click Continue.
Go to the Service provider detail page.
Set both ACS URL and Entity ID to the Databricks SAML URL from Gather required information.
(Required) Select Signed response.
Set Name ID Format to EMAIL.
Click Continue.
On the Google Identity Provider details page, copy the following SAML values under Option 2:
SSO URL
Entity ID
Certificate
Complete the rest of the SAML app workflow in the Google Workspace Admin console.
Configure Databricks
Go back to the browser tab for Databricks.
In the admin console, click Single Sign On.
Set Single Sign-On URL to the SSO URL from the Google Workspace app.
Set Identity Provider Entity ID to the Entity ID from the Google Workspace app.
Set x.509 Certificate to the certificate from the Google Marketplace Workspace, including the markers for the beginning and ending of the certificate.
Click Enable SSO.
Optionally, click Allow auto user creation.
Test the configuration
In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to Okta.
Log in to Okta. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.