Ping Identity single sign-on (SSO)

This article shows how to configure Ping Identity as the identity provider for Databricks.

Gather required information

  1. Log in to Databricks as an administrator.
  2. Go to the admin console.
  3. Click Single Sign On.
  4. Copy the Databricks SAML URL.

Do not close this browser tab.

Configure Ping Identity

  1. In a new browser tab, log in to Ping Identity as an administrator.

  2. Inside the PingOne admin portal, click the Connetions icon. It looks like a flow chart connector.

  3. Click +Add Application.

  4. Click Advanced Configuration.

  5. Next to SAML, click Configure.

  6. Set Application Name to Databricks, then click Next.

  7. For Provide App Metadata, click Manually Enter.

  8. Enter the Databricks SAML URL from Gather required information into the following fields:

    • ACS URL
    • Entity ID
    • SLO Endpoint
    • SLO Response Endpoint
    • Target Application URL
  9. Under Signing Key, select Sign Response or Sign Assertion and Response.

    Important

    Do not select Enable Encryption or Enforce Signed Authn Request.

  10. Set Assertion Validity to a value between 30 and 180 seconds. For more details, see Accounting for Time Drift Between SAML Endpoints in the Ping Identity knowledge base.

  11. Click Save and Continue.

  12. Under SAML Attributes, set PINGONE USER ATTRIBUTE to Email Address.

  13. Click Save and Close. The SAML application appears.

  14. Click Configuration.

  15. Click Download Metadata.

  16. Open the downloaded XML file in a text editor.

Configure Databricks

  1. Go back to the browser tab for Databricks.
  2. In the admin console, click Single Sign On.
  3. Set both Single Sign-On URL and Identity Provider Entity ID to the value of the Location attribute of the <SingleSignOnService> tag in the XML file you downloaded from Ping Identity.
  4. Set x.509 Certificate to the value of the <ds:X509Certificate> tag in the XML file you downloaded from Ping Identity.
  5. Click Enable SSO.
  6. Optionally, click Allow auto user creation.

Test the configuration

  1. In an incognito browser window, go to your Databricks workspace.
  2. Click Single Sign On. You are redirected to Ping Identity.
  3. Log in to Ping Identity. If SSO is configured correctly, you are redirected to Databricks.

If the test fails, review Troubleshooting.