SSO in your Databricks account console

This article shows how to configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using your organization’s identity provider. To sync users and groups from your identity provider, see Sync users and groups from your identity provider.

Overview of SSO setup

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

Once you have enabled SSO in the account console, you can choose to enable unified login. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. For more information, see Enable unified login.

In workspaces where unified login is disabled, workspace-level SSO needs to be configured separately. For more information, see Set up SSO for your workspace.

You can read the instructions on how to configure SSO to the following identity providers:

The process is similar for any identity provider that supports OIDC or SAML 2.0. If your identity provider is not listed above, follow the instructions for OIDC or SAML.

Account sign-in process

When account-level SSO is enabled, the sign-in behavior is as follows:

  • All users, including admins, must sign in to the Databricks account and unified-login-enabled workspaces using single sign-on. Users who have been selected for emergency access can use a username and password together with a security key to log in.

    If your account was created before June 21, 2023, the account owner can also log in to the Databricks account using their username and password.

  • Account admins can use their username and password to make account-level REST API calls.

  • All users can use their username and password to make workspace-level REST API calls. Basic authentication is legacy and not recommended in production.

To learn about the workspace sign-in process when SSO is enabled, see Workspace sign-in process.
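The sign-in rules above can be encoded as a review check over sign-in events. The following is an added example, not Databricks code or a Databricks log format: the event schema, user names and dates are constructed for illustration, and the check flags any sign-in that the rules say should not happen (non-SSO UI sign-in by a user without emergency access, account-level API basic auth by a non-admin) and marks legacy basic-auth API use for follow-up.

```python
from dataclasses import dataclass
from datetime import date

UNIFIED_LOGIN_CUTOFF = date(2023, 6, 21)   # accounts created after this: unified login always on
SAMPLE_ACCOUNT_CREATED = date(2022, 1, 1)  # constructed: an account created before the cutoff

@dataclass
class SignInEvent:  # constructed event schema for this example, not a Databricks log format
    user: str
    surface: str               # "ui" (account console / unified-login workspace) or "api"
    method: str                # "sso", "password", or "password+security_key"
    api_scope: str = ""        # "account" or "workspace" when surface == "api"
    is_emergency_user: bool = False
    is_account_owner: bool = False
    is_account_admin: bool = False

def evaluate(event: SignInEvent, account_created: date) -> list[str]:
    """Findings for one event under account-level SSO; an empty list means 'as expected'."""
    if event.surface == "ui":
        if event.method == "sso":
            return []
        if event.method == "password+security_key" and event.is_emergency_user:
            return ["emergency access sign-in: review"]  # permitted, but worth a look
        if (event.method == "password" and event.is_account_owner
                and account_created < UNIFIED_LOGIN_CUTOFF):
            return ["account owner password sign-in (pre-2023-06-21 account): review"]
        return ["UNEXPECTED: non-SSO UI sign-in while SSO is enabled"]
    if event.surface == "api" and event.method == "password":
        if event.api_scope == "account" and not event.is_account_admin:
            return ["UNEXPECTED: account-level API basic auth by a non-admin"]
        return ["basic auth on the REST API is legacy and not recommended in production"]
    return []

def audit(events: list[SignInEvent], account_created: date) -> dict[str, list[str]]:
    """Map each user with at least one finding to that user's findings."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for finding in evaluate(ev, account_created):
            report.setdefault(ev.user, []).append(finding)
    return report

SAMPLE_EVENTS = [  # constructed sample sign-ins
    SignInEvent("alice@example.com", "ui", "sso"),
    SignInEvent("bob@example.com", "ui", "password+security_key", is_emergency_user=True),
    SignInEvent("owner@example.com", "ui", "password", is_account_owner=True),
    SignInEvent("carol@example.com", "ui", "password"),
    SignInEvent("dave@example.com", "api", "password", api_scope="workspace"),
    SignInEvent("erin@example.com", "api", "password", api_scope="account"),
]
```

Run `audit(SAMPLE_EVENTS, SAMPLE_ACCOUNT_CREATED)` to get the findings per user; only the SSO sign-in produces none.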

Enable unified login

Preview

Unified login is currently in Public Preview for accounts created before June 21, 2023. Unified login is generally available for accounts created after June 21, 2023.

Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. When SSO is enabled on your account, you can choose to enable unified login for all workspaces or for selected workspaces. Unified login workspaces use the account-level SSO configuration, and all users, including account and workspace admins, must sign in to Databricks using SSO. You cannot manage SSO separately at the workspace level in a unified-login-enabled workspace. Databricks recommends that you configure unified login for all workspaces.

If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled.

You can enable unified login using the account console or the workspace admin settings page.

Enable unified login using the account console

SSO must be enabled in the account to enable unified login.

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. In Unified login, click Get started.

  4. Ensure that all workspace users have access to the identity provider in your account-level SSO configuration. Click Confirm.

  5. Choose to apply unified login to All workspaces or Selected workspaces. Databricks recommends that you enable unified login for all workspaces. Additional steps are required to enable unified login on workspaces that configure user-to-workspace private connectivity. See Step 5: (Optional) Configure front-end PrivateLink with unified login.

    If you choose Selected workspaces, choose to apply settings to newly created workspaces and select the existing workspaces to apply the settings to.

  6. Click Save.

Enable unified login using the workspace admin settings page

If unified login is enabled on selected workspaces by an account admin, a workspace admin can enable unified login on their workspace. If unified login is enabled on all workspaces, the single sign-on configuration is not available at the workspace level.

Additional steps are required to enable unified login on workspaces that configure user-to-workspace private connectivity. See Step 5: (Optional) Configure front-end PrivateLink with unified login.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Settings.

  3. Click the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Next to Unified login, click Enable.

Upgrade to unified login

If you are enabling unified login on an existing workspace with workspace-level SSO configured, do the following:

  1. Configure single sign-on on your account.

  2. Ensure the users in your workspace have access to the account-level SSO application in your identity provider.

    Granting users access to the account-level SSO application does not grant them any additional access in Databricks. All Databricks workspace users are automatically users in the Databricks account. See How do admins assign users to the account?.

  3. Configure unified login on the workspace following Enable unified login.

  4. Test SSO on the workspace by having a workspace user sign in.

  5. Decommission the workspace-level SSO application in your identity provider.

Configure emergency access

Preview

This feature is in Private Preview. To join this preview, contact your Databricks account team.

To prevent lockouts, account admins can set up emergency access for up to ten users. These users can sign in to Databricks using multi-factor authentication with FIDO2 security keys, which may be hardware-based, like a physical security key, or software-based, like a mobile authenticator app.

Databricks recommends configuring a strong password and at least one FIDO2 security key for signing in with emergency access.

To configure emergency access:

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. In Emergency access, choose up to ten users that can sign in using emergency access. These users must register security keys.

  4. Click Save.

    It might take up to two minutes for the users to see the security key management page.

Register a security key for emergency access

A security key can be hardware-based, like a physical security key, or software-based, like a mobile authenticator app. To register a security key:

  1. As a user with emergency access, log in to the account console.

  2. Click the down arrow next to your username in the upper right corner.

  3. Click User preferences.

  4. In Authentication, click Add key.

    You need to configure a password in order to add a key. If you have not configured a password already, you will see a prompt to reset your password first.

  5. Click Set up and follow the browser prompts to configure your key.

After you configure your key, you will see a Databricks notification that the security key was added successfully.

Log in to Databricks using a security key

To log in using emergency access and a security key:

  1. As a user with emergency access, go to the account console.

  2. Click Sign in with Databricks credentials.

  3. Enter your username and password. Click Continue.

  4. Follow the browser prompt to use your security key.