SSO to Databricks with Okta
This article shows how to configure Okta as the identity provider for single sign-on (SSO) in your Databricks account. Okta supports both OpenID Connect (OIDC) and SAML 2.0. To sync users and groups from Okta, see Sync users and groups from your identity provider.
Warning
To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lock out. See Emergency access to prevent lockouts.
Enable Okta single sign-on using OIDC
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Authentication tab.
Next to Authentication, click Manage.
Choose Single sign-on with my identity provider.
Click Continue.
Under Identity protocol, select OpenID Connect.
On the Authentication tab, make note of the Databricks Redirect URI value.
In a new browser tab, log into Okta as an administrator.
In the home page, click Applications > Applications.
Click Create App Integration.
Select OIDC - OpenID Connect and Web Application and click Next.
In New Web App Integration, under Sign-in redirect URIs, enter the Databricks Redirect URI from step 4. You can configure the other settings or leave them at their default values.
Click Save.
Under the General tab, copy the client ID and client secret generated by Okta for the application.
Client ID is the unique identifier for the Databricks application you created in your identity provider.
Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.
Under the Sign On tab, in OpenID Connect ID Token, copy the Okta URL in the issuer field.
If the issuer field says Dynamic, click Edit and choose Okta URL (url) in the drop-down.
This URL is the URL at which Okta’s OpenID Configuration Document can be found. That OpenID Configuration Document must be found at {issuer-url}/.well-known/openid-configuration.
Click the Assignments tab. Databricks recommends adding the Okta group named Everyone to the application. This ensures all users in your organization can access the Databricks account.
Return to the Databricks account console Authentication tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.
Optionally, enter a Username claim if you want to use a claim other than email as users’ Databricks usernames. See your identity provider’s documentation for specific information on claim values.
Click Save.
Click Test SSO to validate that your SSO configuration is working properly.
Click Enable SSO to enable single sign-on for your account.
Test account console login with SSO.
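Before clicking Save, you can confirm that the issuer URL you copied from Okta really serves a usable OpenID Configuration Document at {issuer-url}/.well-known/openid-configuration and that the issuer inside that document matches what you are about to paste (a mismatch is the usual symptom of copying a Dynamic issuer). This is an added example, not Databricks or Okta code; the org name example-org and the sample document are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Endpoints an OIDC relying party such as Databricks needs from the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_url: str) -> str:
    """Build {issuer-url}/.well-known/openid-configuration from the Okta issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(issuer_url: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer URL must use https")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    # The issuer inside the document must equal the value pasted into Databricks;
    # ID tokens carry this exact string in their iss claim and will be rejected otherwise.
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        problems.append("issuer in document does not match the configured issuer URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def fetch_discovery_document(issuer_url: str) -> dict:
    """Download the live document from Okta (needs network; not used by the sample run)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=10) as resp:
        return json.load(resp)


# Constructed sample shaped like Okta's org authorization server document (placeholder org).
SAMPLE_ISSUER = "https://example-org.okta.com"
SAMPLE_DOC = {
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_discovery_document(SAMPLE_ISSUER, SAMPLE_DOC) or "discovery document OK")
```

Replace SAMPLE_DOC with fetch_discovery_document(your_issuer) to run the same checks against your own Okta org.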
Configure unified login
Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.
Enable Okta single sign-on using SAML
Follow these steps to create an Okta SAML application for use with the Databricks account console.
As an account owner or account admin, log in to the account console and click the Settings icon in the sidebar.
Click the Authentication tab.
Next to Authentication, click Manage.
Choose Single sign-on with my identity provider.
Click Continue.
Under Identity protocol, select SAML 2.0.
On the Authentication tab, make note of the Databricks redirect URL.
In a new browser tab, log into Okta as an administrator.
Go to Applications and click Browse App Catalog.
Search for Databricks in the Browse App Integration Catalog.
Click Add integration.
Select the Sign On tab and click Edit.
Under Advanced sign-on settings, configure the application using the following settings:
Databricks SAML URL: the Databricks redirect URL you copied above.
Application username format: Email
Click Save. The Databricks SAML app is shown.
Under the message SAML 2.0 is not configured until you complete the setup instructions, click View Setup Instructions.
Copy the following values:
Identity Provider Single Sign-On URL
Identity Provider Issuer
x.509 certificate
Click the Assignments tab. Databricks recommends adding the Okta group named Everyone to the application. This ensures all users in your organization can access the Databricks account.
Return to the Databricks account console SSO page and configure the following:
Set the SSO type drop-down to SAML 2.0.
Set Single Sign-On URL to the Okta field called Login URL.
Set Identity Provider Entity ID to the Okta field that was called Identity Provider Issuer.
Set x.509 Certificate to the Okta x.509 certificate, including the markers for the beginning and ending of the certificate.
Click Save.
Click Test SSO to validate that your SSO configuration is working properly.
Click Enable SSO to enable single sign-on for your account.
Test account console login with SSO.
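A common cause of a failing Test SSO is a certificate pasted without its BEGIN and END CERTIFICATE markers or with a line lost in copying. The check below, an added example that is not Databricks or Okta code, validates the pasted value before you save it and returns the SHA-256 fingerprint of the certificate so you can compare it with the one Okta shows; the sample PEM is a constructed placeholder (a tiny ASN.1 SEQUENCE), not a real certificate.

```python
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_certificate(pem: str) -> dict:
    """Validate a pasted PEM certificate; returns {'ok', 'error', 'der_length', 'sha256'}."""
    result = {"ok": False, "error": "", "der_length": 0, "sha256": ""}
    text = pem.strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        result["error"] = "value must include the BEGIN and END CERTIFICATE markers"
        return result
    body = re.sub(r"\s+", "", text[len(BEGIN):-len(END)])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        result["error"] = "certificate body is not valid base64 (a line may be missing)"
        return result
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        result["error"] = "decoded body is not a DER SEQUENCE; was the wrong field copied?"
        return result
    result.update(ok=True, der_length=len(der), sha256=hashlib.sha256(der).hexdigest())
    return result


# Constructed placeholder: SEQUENCE { INTEGER 1 }, wrapped in PEM markers. Not a real cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + END

if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
    print(check_pem_certificate(SAMPLE_PEM.replace(BEGIN, "")))
```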
Configure unified login
Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.