Configure SSO using OIDC

This article hows how to generally configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using OIDC. You can also read the specific instructions on how to configure SSO with OIDC to the following identity providers:

The following demo walks you through configuring OIDC SSO with Okta:

For an overview of single sign-on in the account, see Configure SSO in Databricks.

Enable SSO using OIDC

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Authentication tab.

  3. Next to Authentication, click Manage.

  4. Choose Single sign-on with my identity provider.

  5. Click Continue.

  6. Under Identity protocol, select OpenID Connect.

  7. Copy the value in the Databricks Redirect URL field.

    Configure OIDC sso.
  8. Go to your identity provider and create a new client application (web), entering the Databricks Redirect URL value in the appropriate field in the identity provider configuration interface.

    Your identity provider should have documentation to guide you through this process.

  9. Copy the client ID, client secret, and OpenID issuer URL generated by the identity provider for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider. This is sometimes referred to as the Application ID.

    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

    • Issuer URL is the prefix of the URL at which your identity-provider’s OpenID Configuration Document can be found. That OpenID Configuration Document must found be in {issuer-url}/.well-known/openid-configuration.

      Remove the /.well-known/openid-configuration ending from the URL. You can specify query parameters by appending them to the issuer URL, for example {issuer-url}?appid=123.

  10. Return to the Databricks account console Authentication tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

  11. Optionally, enter a Username claim if you want to use a claim other than email as users’ Databricks usernames. See your identity provider’s documentation for specific information on claim values.

    Single sign-on tab
  12. Click Save.

  13. Click Test SSO to validate that your SSO configuration is working properly.

  14. Click Enable SSO to enable single sign-on for your account.

  15. Test account console login with SSO.

  16. Grant all account users access to the Databricks application in your identity provider. You might need to modify the access permissions for the application.

Configure unified login

Once you have enabled SSO in the account console, Databricks recommends enabling unified login. Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces and it cannot be disabled. To configure unified login, see Enable unified login.