Configure SSO with OneLogin for your workspace

Note

Workspace-level SSO can only be configured when unified login is disabled. When unified login is enabled, your workspace uses the same SSO configuration as your account. Databricks recommends enabling unified login on all workspaces. See Unified login.

This article shows how to configure OneLogin as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Set up SSO in your Databricks account console.

Gather required information

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Copy the Databricks SAML URL.

Do not close this browser tab.

Configure OneLogin

  1. In a new browser tab, log in to OneLogin.

  2. Click Administration.

  3. Click Applications.

  4. Click Add App.

  5. Search for SAML Custom Connector (Advanced) and click the result by OneLogin, Inc.

  6. Set Display Name to Databricks.

  7. Click Save. The application’s Info tab loads.

  8. Click Configuration.

  9. Set each of the following fields to the Databricks SAML URL from Gather required information:

    • Audience

    • Recipient

    • ACS (Consumer) URL Validator

    • ACS (Consumer) URL

    • Single Logout URL

    • Login URL

  10. Set SAML signature element to Both.

  11. Click Parameters.

  12. Set Credentials are to Configured by admins and shared by all users.

  13. Click Email. Set the value to email and enable Include in SAML Assertion.

  14. Go to the SSO tab. Copy the following values:

    • x.509 certificate

    • Issuer URL

    • SAML 2.0 endpoint (HTTP)

  15. Verify that SAML signature element is set to Response or Both.

  16. Verify that Encrypt assertion is disabled.

Configure Databricks

  1. Go back to the browser tab for Databricks.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Set Single Sign-On URL to the SAML 2.0 endpoint (HTTP) from OneLogin.

  6. Set Identity Provider Entity ID to the Issuer URL from OneLogin.

  7. Set x.509 Certificate to the x.509 certificate from OneLogin, including the markers for the beginning and ending of the certificate.

  8. Click Enable SSO.

  9. Optionally, click Allow auto user creation.

Test the configuration

  1. In an incognito browser window, go to your Databricks workspace.

  2. Click Single Sign On. You are redirected to OneLogin.

  3. Log in to OneLogin. If SSO is configured correctly, you are redirected to Databricks.

If the test fails, review Troubleshooting.
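
When the test fails, it helps to compare the SAML response that OneLogin actually sent with the settings from this article. The following Python sketch is an added example, not Databricks or OneLogin code. It takes the base64 value of the `SAMLResponse` form field posted to the Databricks SAML URL and reports structural mismatches. The function names, URLs, and sample response are constructed placeholders, and the signature is not cryptographically verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(b64_response, databricks_saml_url, issuer_url):
    """Structural checks of a captured SAMLResponse; the signature is NOT verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "SAML signature element" must be Response or Both: Signature is a child of Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    # "Encrypt assertion" must be disabled.
    if root.find("a:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion"]
    # Identity Provider Entity ID in Databricks must match the Issuer URL.
    issuer = assertion.findtext("a:Issuer", "", NS).strip()
    if issuer != issuer_url:
        problems.append(f"Issuer is {issuer!r}")
    # Audience and Recipient must both be the Databricks SAML URL.
    audience = assertion.findtext(".//a:Audience", "", NS).strip()
    if audience != databricks_saml_url:
        problems.append(f"Audience is {audience!r}")
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != databricks_saml_url:
        problems.append(f"Recipient is {recipient!r}")
    return problems

def build_sample(url, issuer, signed=True, encrypted=False):
    """Constructed, minimal SAMLResponse for demonstration (placeholder signature)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    body = ('<a:EncryptedAssertion/>' if encrypted else
            f'<a:Assertion><a:Issuer>{issuer}</a:Issuer><a:Subject><a:SubjectConfirmation>'
            f'<a:SubjectConfirmationData Recipient="{url}"/></a:SubjectConfirmation></a:Subject>'
            f'<a:Conditions><a:AudienceRestriction><a:Audience>{url}</a:Audience>'
            f'</a:AudienceRestriction></a:Conditions></a:Assertion>')
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}">'
           f'<a:Issuer>{issuer}</a:Issuer>{sig}{body}</p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    URL, ISS = "https://workspace.example.com/saml/consume", "https://idp.example.com/saml/metadata/0"
    print(check_saml_response(build_sample(URL, ISS), URL, ISS))  # []
    print(check_saml_response(build_sample(URL, ISS, signed=False, encrypted=True), URL, ISS))
```

An empty list means the response matches the Audience, Recipient, Issuer URL, signature element, and encryption settings described above. Run it only on responses captured from your own test login.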