Configure SSO in Databricks

This article shows how to configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using your organization’s identity provider. To sync users and groups from your identity provider, see Sync users and groups from your identity provider. To allow users to log in to Databricks with emails or common external accounts, such as Google or Microsoft, see Sign-in with email or external accounts.

Overview of SSO setup

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

Once you have enabled SSO in the account console, you can enable unified login. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. Databricks recommends enabling unified login on all workspaces. For more information, see Enable unified login.

In workspaces where unified login is disabled, workspace-level SSO must be configured separately. This is a legacy configuration. For more information, see Set up SSO for your workspace (legacy).

When account-level SSO is enabled, users, including admins, must sign in to the Databricks account and unified-login-enabled workspaces using single sign-on. To prevent lockouts, account admins can set up emergency access for up to twenty users. Users selected for emergency access can log in with a username, a password, and a security key instead of SSO. See Emergency access to prevent lockouts.

You can follow the generic instructions for configuring SSO with OIDC or SAML, or the instructions for specific identity providers.


Enable unified login

Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. When SSO is enabled on your account, you can choose to enable unified login for all workspaces or for selected workspaces. Unified login workspaces use the account-level SSO configuration, and all users, including account and workspace admins, must sign in to Databricks using SSO. You cannot manage SSO separately at the workspace level in a unified login enabled workspace. Databricks recommends that you configure unified login for all workspaces.

If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled.

You can enable unified login using the account console or the workspace admin settings page.

For a demo of configuring unified login, see Unified Login.

Enable unified login using the account console

SSO must be enabled in the account to enable unified login.

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Authentication tab.

  3. In Unified login, click Get started.

  4. Ensure that all workspace users have access to the identity provider in your account-level SSO configuration. Click Confirm.

  5. Choose to apply unified login to All workspaces or Selected workspaces. Databricks recommends that you enable unified login for all workspaces. Additional steps are required to enable unified login on workspaces that configure user-to-workspace private connectivity. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

    If you choose Selected workspaces, choose whether to apply the setting to newly created workspaces, and select the existing workspaces to apply it to. Enabling unified login on workspaces that use user-to-workspace private connectivity requires additional configuration. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

  6. Click Save.

Enable unified login using the workspace admin settings page

If an account admin has enabled unified login on selected workspaces, a workspace admin can enable unified login on their workspace. If unified login is enabled on all workspaces, the single sign-on configuration is not available at the workspace level.

Enabling unified login on workspaces that use user-to-workspace private connectivity requires additional configuration. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Settings.

  3. Click on the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Next to Unified login click Enable.

Upgrade to unified login

If you are enabling unified login on an existing workspace with workspace-level SSO configured, do the following:

  1. Configure single sign-on on your account.

  2. Ensure the users in your workspace have access to the account-level SSO application in your identity provider.

    Granting users access to the account-level SSO application does not grant them any additional access in Databricks. All Databricks workspace users are automatically users in the Databricks account. See How do admins assign users to the account?.

  3. Configure unified login on the workspace following Enable unified login.

  4. Test SSO on the workspace by having a workspace user sign in.

  5. Decommission the workspace-level SSO application in your identity provider.