Ping Identity single sign-on (SSO)

This article shows how to configure Ping Identity as the identity provider for Databricks.

Gather required information

Do not close this browser tab.

In a new browser tab, log in to Ping Identity as an administrator.
Inside the PingOne admin portal, click the Connections icon. It looks like a flow chart connector.
Click +Add Application.
Click Advanced Configuration.
Next to SAML, click Configure.
Set Application Name to Databricks, then click Next.
For Provide App Metadata, click Manually Enter.
Enter the Databricks SAML URL from Gather required information into the following fields:
- ACS URL
- Entity ID
- SLO Endpoint
- SLO Response Endpoint
- Target Application URL
Under Signing Key, select Sign Response or Sign Assertion and Response.

Important

Do not select Enable Encryption or Enforce Signed Authn Request.
Set Assertion Validity to a value between 30 and 180 seconds. For more details, see Accounting for Time Drift Between SAML Endpoints in the Ping Identity knowledge base.
Click Save and Continue.
Under SAML Attributes, set PINGONE USER ATTRIBUTE to Email Address.
Click Save and Close. The SAML application appears.
Click Configuration.
Click Download Metadata.
Open the downloaded XML file in a text editor.

Go back to the browser tab for Databricks.
In the admin settings page, click Single Sign On.
Set both Single Sign-On URL and Identity Provider Entity ID to the value of the Location attribute of the <SingleSignOnService> tag in the XML file you downloaded from Ping Identity.
Set x.509 Certificate to the value of the <ds:X509Certificate> tag in the XML file you downloaded from Ping Identity.
Click Enable SSO.
Optionally, click Allow auto user creation.

In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to Ping Identity.
Log in to Ping Identity. If SSO is configured correctly, you are redirected to Databricks.

If the test fails, review Troubleshooting.