SSO to Databricks with JumpCloud

This article shows how to configure JumpCloud as the identity provider for single sign-on (SSO) in your Databricks account. JumpCloud supports SAML 2.0.

Enable JumpCloud SSO using SAML

  1. Copy the redirect URL from Databricks.

    1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

    2. Click the Authentication tab.

    3. Next to Authentication, click Manage.

    4. Choose Single sign-on with my identity provider.

    5. Click Continue.

    6. Under Identity protocol, select SAML 2.0.

    7. On the Authentication tab, make note of the Databricks Redirect URL value.

  2. Create a SAML application in JumpCloud.

    1. In a new browser tab, log in to your JumpCloud admin portal.

    2. In the sidebar, under User Authentication, click SSO Applications.

    3. Click Add New Application > Custom Application > Next.

    4. In Select the features you would like to enable, select Manage Single Sign-on (SSO) and Configure SSO with SAML.

    5. In Enter General Info, enter a Display label and a Description.

    6. Click Save Application.

  3. Configure the SSO settings.

    1. Click the SSO tab.

    2. Set IdP Entity ID to a value to uniquely identify this SSO application in your JumpCloud environment. Save this value.

    3. Set SP Entity ID to the Databricks Redirect URL you copied above.

    4. Set ACS URLs to the Databricks Redirect URL you copied above.

  4. Set the SAML configurations.

    1. On the SSO tab, in SAMLSubject NameID select email.

    2. In SAMLSubject NameID Format select urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified.

    3. In Signature Algorithm select RSA-SHA256.

    4. In Sign select Response.

    5. Copy and save the IDP URL.

  5. Download the JumpCloud certificate.

    1. In the sidebar, click IDP Certificate Valid, then click Download Certificate. The certificate is downloaded locally as a file with the .cer extension.

    2. Open the .cer file in a text editor and copy the file contents. The file is the entire X.509 certificate for the JumpCloud SAML application.

      Important

      • Do not open it using the macOS keychain, which is the default application for that file type in macOS.

      • The certificate is sensitive data. Be careful about where you download it, and delete it from local storage as soon as possible.

  6. Configure Databricks in the Databricks account console SSO page.

    1. Set Single Sign-On URL to the JumpCloud field IDP URL.

    2. Set Identity Provider Entity ID to the JumpCloud field IdP Entity ID.

    3. Set x.509 Certificate to the JumpCloud x.509 certificate, including the markers for the beginning and end of the certificate.

    4. Click Save.

    5. Click Test SSO to validate that your SSO configuration is working properly.

    6. Click Enable SSO to enable single sign-on for your account.

    7. Test account console login with SSO.
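
If Test SSO fails, comparing a decoded SAML response with the values set in steps 3, 4 and 6 shows which field is wrong. The Python check below is an added example, not Databricks or JumpCloud code; the sample response, URL, entity ID and user are constructed placeholders, and the function inspects fields only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"

# Constructed sample: a decoded SAMLResponse with the signature body elided.
# The URL, entity ID and user are placeholders, not real values.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example.test/acs">
<saml:Issuer>jumpcloud-databricks-example</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod
 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<saml:Assertion><saml:Subject><saml:NameID
 Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">user@example.test</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test/acs</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def check_response(xml_text, redirect_url, idp_entity_id):
    """List mismatches against this article's settings (no signature verification)."""
    root = ET.fromstring(xml_text)
    problems = []
    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None
    if text("saml:Issuer") != idp_entity_id:
        problems.append("Issuer does not match IdP Entity ID")
    if root.get("Destination") != redirect_url:
        problems.append("Destination does not match ACS URL")
    audience = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if text(audience) != redirect_url:
        problems.append("Audience does not match SP Entity ID")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    elif name_id.get("Format") != UNSPECIFIED:
        problems.append("unexpected NameID Format")
    # "Sign: Response" puts ds:Signature directly under samlp:Response.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Response element is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    return problems
```

An empty list means the inspected fields agree with the configuration; Databricks still validates the signature against the uploaded certificate.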


Configure unified login and add users to Databricks

After you configure SSO, Databricks recommends that you configure unified login and add users to your account using SCIM provisioning.

  1. Configure unified login

    Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces and it cannot be disabled. To configure unified login, see Enable unified login.

  2. Add users to Databricks

    You must add users to Databricks in order for them to log in. Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. See Sync users and groups from your identity provider.