Configure SSO in Databricks

This article shows how to configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using your organization’s identity provider. To sync users and groups from your identity provider, see Sync users and groups from your identity provider. To allow users to log in to Databricks with emails or common external accounts, such as Google or Microsoft, see Sign-in with email or external accounts.

Overview of SSO setup

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

Once you have enabled SSO in the account console, you can enable unified login. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. Databricks recommends enabling unified login on all workspaces. For more information, see Enable unified login.

In workspaces where unified login is disabled, you can enable workspace-level SSO needs to be configured separately. This is a legacy configuration. For more information, see Set up SSO for your workspace (legacy).

When account-level SSO is enabled, all users, including admins, must sign in to the Databricks account and unified-login-enabled workspaces using single sign-on. Users who have been selected for emergency access can use a username and password and a security key to log in.

To prevent lockouts, account admins can set up emergency access for up to ten users. See Emergency access for SSO.

You can read the instructions on how to configure SSO to the following identity providers:

• Microsoft Entra ID (formerly Azure Active Directory)

• Okta

• One Login

The following demos walk you through configuring SSO with Okta:

• Secure Your Databricks Access with OIDC SSO

• Secure Your Databricks Access with SAML SSO

The process is similar for any identity provider that supports OIDC or SAML 2.0. If your identity provider is not listed above, follow the instructions for OIDC or SAML.

Enable unified login

Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. When SSO is enabled on your account, you can choose to enable unified login for all workspaces or for selected workspaces. Unified login workspaces use the account-level SSO configuration, and all users, including account and workspace admins, must sign in to Databricks using SSO. You cannot manage SSO separately on the workspace-level in a unified login enabled workspace. Databricks recommends that you configure unified login for all workspaces.

If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled.

You can enable unified login using the account console or the workspace admin settings page.

For a demo of configuring unified login, see Unified Login.

Enable unified login using the account console

SSO must be enabled in the account to enable unified login.

1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

2. Click the Single sign-on tab.

3. In Unified login, click Get started.

4. Ensure that all workspaces users have access to the identity provider in your account-level SSO configuration. Click Confirm.

5. Choose to apply unified login to All workspaces or Selected workspaces. Databricks recommends that you enable unified login for all workspaces. Additional steps are required to enable unified login on workspaces that configure user-to-workspace private connectivity. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

   If you choose Selected workspaces, choose to apply settings to newly created workspaces and select the existing workspaces to apply the settings to. To enable unified login on workspaces that configure user to workspace private connectivity, you must configure additional settings. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

6. Click Save

Enable unified login using the workspace admin settings page

If unified login is enabled on selected workspaces by an account admin, a workspace admin can enable unified login on their workspace. If unified login is enabled on all workspaces, the single sign on configuration is not available on the workspace-level.

To enable unified login on workspaces that configure user to workspace private connectivity you must configure additional steps. See Step 6: (Optional) Configure front-end PrivateLink with unified login.

1. As a workspace admin, log in to the Databricks workspace.

2. Click your username in the top bar of the Databricks workspace and select Settings.

3. Click on the Identity and access tab.

4. Next to SSO settings, click Manage.

5. Next to Unified login click Enable.

Upgrade to unified login

If you are enabling unified login on an existing workspace with workspace-level SSO configured, do the following:

1. Configure single sign on on your account.

2. Ensure the users in your workspace have access to the account-level SSO application in your identity provider.

   Granting users access to the account-level SSO application does not grant them any additional access in Databricks. All Databricks workspace users are automatically users in the Databricks account. See How do admins assign users to the account?.

3. Configure unified login on the workspace following Enable unified login.

4. Test SSO on the workspace by having a workspace user sign in.

5. Decommission the workspace-level SSO application in your identity provider.