SSO to Databricks with AWS IAM Identity Center

This article shows how to configure AWS IAM Identity Center as the identity provider for single sign-on (SSO) in your Databricks account. You can configure SSO with AWS IAM Identity Center using SAML 2.0. AWS IAM Identity Center support for OIDC is not compatible with Databricks.

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.

Enable AWS IAM Identity Center SSO using SAML

  1. In a new browser tab, log in to the AWS Management Console and navigate to IAM Identity Center. You might need to enable IAM Identity Center in your AWS account.

    1. In the IAM Identity Center console, go to Applications.

    2. Click Add application.

    3. In Setup preference, select I want to select an application from the catalog.

    4. Search for and select Databricks and click Next.

    5. Copy and save the IAM Identity Center sign-in URL value.

    6. Download the public certificate from the IAM Identity Center Certificate link.

  2. In a new browser tab, log in to the Databricks account console and click the Settings icon in the sidebar.

    1. Click the Authentication tab.

    2. Next to Authentication, click Manage.

    3. Choose Single sign-on with my identity provider.

    4. Click Continue.

    5. Under Identity protocol, select SAML 2.0.

    6. Set Single Sign-On URL and the Identity Provider Entity ID both to the IAM Identity Center sign-in URL that you copied.

    7. Set x.509 Certificate to the text from the IAM Identity Center Certificate you downloaded. Paste the entire certificate, including the markers for the beginning and ending of the certificate.

    8. Copy the Databricks redirect URL.

  3. Go back to the AWS IAM Identity Center browser tab.

    1. Under Application metadata, select Manually type your metadata values.

    2. In both Application ACS URL and Application SAML audience, paste the value for the Databricks redirect URL that you copied.

    3. Click Submit.

  4. Go back to the Databricks browser tab.

    1. Click Save.

    2. Click Test SSO to validate that your SSO configuration is working properly.

    3. Click Enable SSO to enable single sign-on for your account.

    4. Test account console login with SSO.
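The most common way to lock yourself out during this procedure is pasting a truncated certificate or mismatched URLs. The following Python pre-flight check is an added example (not code from Databricks or AWS): it verifies that the certificate text from step 7 carries both PEM markers and decodes to DER, that the sign-in URL and redirect URL are absolute https URLs, and that the ACS URL and SAML audience from step 3 equal the Databricks redirect URL. Every sample value below is a constructed placeholder, not a real endpoint or certificate.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed placeholders (not real endpoints). The base64 body decodes to a
# 5-byte DER SEQUENCE so the structural check passes; it is NOT a certificate.
SAMPLE_SIGN_IN_URL = "https://idc.example.test/start/#/saml/PLACEHOLDER"
SAMPLE_REDIRECT_URL = "https://accounts.example.test/saml/PLACEHOLDER"
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def check_pem_certificate(pem: str) -> list[str]:
    """Problems with the certificate text about to be pasted into the x.509 field."""
    m = PEM_RE.search(pem)
    if not m:
        return ["certificate must include both BEGIN and END markers"]
    body = "".join(m.group("body").split())  # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return ["certificate body is not valid base64"]
    if not der or der[0] != 0x30:  # an X.509 certificate is an outer DER SEQUENCE
        return ["decoded certificate is not a DER SEQUENCE (wrong file or truncated)"]
    return []


def check_https_url(name: str, url: str) -> list[str]:
    p = urlparse(url)
    if p.scheme != "https" or not p.netloc:
        return [f"{name} must be an absolute https URL"]
    return []


def preflight(sign_in_url, cert_pem, redirect_url, acs_url, audience) -> list[str]:
    """Collect every mismatch before clicking Save; an empty list means all checks passed."""
    problems = check_https_url("IAM Identity Center sign-in URL", sign_in_url)
    problems += check_pem_certificate(cert_pem)
    problems += check_https_url("Databricks redirect URL", redirect_url)
    if acs_url != redirect_url:
        problems.append("Application ACS URL must equal the Databricks redirect URL")
    if audience != redirect_url:
        problems.append("Application SAML audience must equal the Databricks redirect URL")
    return problems
```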