SSO to Databricks with Keycloak
This article shows how to configure Keycloak as the identity provider for single sign-on (SSO) in your Databricks account. Keycloak supports both OpenID Connect (OIDC) and SAML 2.0. Keycloak does not support SCIM to sync users and groups to Databricks.
Warning
To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.
Enable Keycloak SSO using OIDC
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Authentication tab.
Next to Authentication, click Manage.
Choose Single sign-on with my identity provider.
Click Continue.
Under Identity protocol, select OpenID Connect.
On the Authentication tab, make note of the Databricks Redirect URL value.
In a new browser tab, log in to your Keycloak admin console.
Select the realm for Databricks integration or create a new one.
Create a new client:
Click Clients and click Create client.
In Client type, select OpenID Connect.
Enter a Client ID and Name.
Click Next and Save.
Configure the Databricks client:
In Access Settings, set Home URL to your Databricks account URL. (For example,
https://accounts.cloud.databricks.com/
).Set Valid redirect URIs to the Databricks Redirect URL you copied above.
In Capability config, set Client authentication to On for confidential access.
Set up group membership mapping:
Click Client scopes and select the dedicated scope for your client.
In the Mappers tab, click Configure a new mapper.
In Mapper type, select Group Membership.
Set both Name and Token Claim Name to groups.
Toggle Full group path to On or Off based on your preference.
Return to the Databricks account console Authentication tab and enter values you copied from Keycloak:
Client ID: The Client ID from Keycloak.
Client secret: Found in the Credentials tab of your Keycloak client.
OpenID issuer URL: Your Keycloak URL with realm (For example,
https://keycloak.example.com/auth/realms/your-realm
).
Click Save.
Click Test SSO to validate that your SSO configuration is working properly.
Click Enable SSO to enable single sign-on for your account.
Test account console login with SSO.
Configure unified login
Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.
Enable Keycloak SSO using SAML
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Authentication tab.
Next to Authentication, click Manage.
Choose Single sign-on with my identity provider.
Click Continue.
Under Identity protocol, select OpenID Connect.
On the Authentication tab, make note of the Databricks Redirect URL value.
In a new browser tab, log in to your Keycloak admin console.
Select the realm for Databricks integration or create a new one.
Create a new client:
Click Clients and click Create client.
In Client type, select SAML.
Enter a Client ID and Name.
Click Next and Save.
In login settings, set Valid redirect URIs to the Databricks Redirect URL you copied above.
Configure the client:
In the Settings tab under SAML capabilities, set Name ID format to email.
Turn on Force name ID format.
Click Save.
Set up SAML attribute mapping:
Click Client scopes and select the dedicated scope for your client.
On the Mappers tab, click Add predefined mapper.
Select X500 email, X500 givenName, and X500 surname and click Add.
Retrieve SAML metadata:
Click Realm settings and General.
Click on SAML 2.0 Identity Provider Metadata.
From the metadata, save the following values:
The
Location
attribute in theSingleSignOnService
element (For example,https://my-idp.example.com/realms/DatabricksRealm/protocol/saml
). This is the Single Sign-On URL in DatabricksThe
entityID
attribute in theEntityDescriptor
element (For example,https://my-idp.example.com/realms/DatabricksRealm
).The
X509Certificate
tag.
Return to the Databricks account console Authentication tab and enter values you copied from Keycloak:
Single Sign-On URL: The
Location
attribute in theSingleSignOnService
element that you copied above.Entity ID: The
entityID
attribute in theEntityDescriptor
element that you copied above.X509Certificate: The
X509Certificate
tag that you copied above.
Click Save.
Click Test SSO to validate that your SSO configuration is working properly.
Click Enable SSO to enable single sign-on for your account.
Test account console login with SSO.
Configure unified login
Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.