SSO to Databricks with OneLogin

This page shows how to configure OneLogin as the identity provider for single sign-on (SSO) in your Databricks account. OneLogin supports both OpenID Connect (OIDC) and SAML 2.0. To sync users and groups from OneLogin, see Sync users and groups from your identity provider using SCIM.

warning

To prevent getting locked out of Databricks during single sign-on testing, keep the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.

Enable OneLogin single sign-on

Choose your identity protocol:

OIDC

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select OpenID Connect.

7. On the Authentication tab, make note of the Databricks Redirect URL value.

   

8. In a new browser tab, log in to OneLogin.

9. Click Administration.

10. Click Applications.

11. Click Add App.

12. Search for OpenId Connect and select the OpenId Connect (OIDC) app.

13. Enter a name and click Save.

14. In the Configuration tab, Databricks Redirect URL from step 4. You can choose to configure the other settings or you can leave them to their default values.

15. In the SSO tab, copy the copy the client ID, client secret, and issuer URL values.

    • Client ID is the unique identifier for the Databricks application you created in OneLogin.

    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

    • Issuer URL is the URL where you can find OneLogin's OpenID Configuration Document. That OpenID Configuration Document must found be in {issuer-url}/.well-known/openid-configuration.

      Remove the /.well-known/openid-configuration ending from the URL. You can specify query parameters by appending them to the issuer URL, for example {issuer-url}?appid=123.

16. Return to the Databricks account console Authentication tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

17. Optionally, enter a Username claim if you want to use a claim other than email as users' Databricks usernames. See your identity provider's documentation for specific information on claim values.

    

18. Click Save.

19. Click Test SSO to validate that your SSO configuration is working properly.

20. Click Enable SSO to enable single sign-on for your account.

21. Test account console login with SSO.

SAML 2.0

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select SAML 2.0.

7. On the Authentication tab, make note of the Databricks Redirect URL value.

8. In a new browser tab, log in to OneLogin.

9. Click Administration.

10. Click Applications.

11. Click Add App.

12. Search for SAML Custom Connector (Advanced) and click the result by OneLogin, Inc.

13. Set Display Name to Databricks.

14. Click Save. The application's Info tab loads.

15. Click Configuration.

16. In Gather required information, set each of the following fields to the Databricks SAML URL:

    • Audience
    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL
    • Single Logout URL
    • Login URL

17. Set SAML signature element to Both.

18. Click Parameters.

19. Set Credentials are to Configured by admins and shared by all users.

20. Click Email. Set the value to email and enable Include in SAML Assertion.

21. Click the SSO tab.

22. Copy the following values:

    • x.509 certificate
    • Issuer URL
    • SAML 2.0 endpoint (HTTP)

23. Verify that SAML signature element is set to Response or Both.

24. Verify that Encrypt assertion is disabled.

25. Return to the Databricks account console Authentication tab and enter values you copied from OneLogin:

    • Single Sign-On URL: The OneLogin SAML 2.0 endpoint (HTTP)
    • Identity Provider Entity ID: The OneLogin Issuer URL
    • x.509 Certificate: The OneLogin x.509 certificate, including the markers for the beginning and ending of the certificate

26. Click Save.

27. Click Test SSO to validate that your SSO configuration is working properly.

28. Click Enable SSO to enable single sign-on for your account.

29. Test account console login with SSO.

Configure unified login and add users to Databricks

After you configure SSO, Databricks recommends that you configure unified login and add users to your account using SCIM provisioning.

1. Configure unified login

   Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces and it cannot be disabled. To configure unified login, see Enable unified login.

2. Add users to Databricks

   1. Enable JIT provisioning

      Databricks recommends enabling JIT to automatically add users to Databricks when they first log in using SSO. JIT provisioning is on by default for accounts created after May 1, 2025 when SSO is configured. See Automatically provision users (JIT).

   2. Configure SCIM provisioning

      Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. See Sync users and groups from your identity provider using SCIM.