Configure SSO using SAML

This article shows how to configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using SAML. You can also read the specific instructions on how to configure SSO with SAML to the following identity providers:

• Microsoft Entra ID (formerly Azure Active Directory)

• Okta

• One Login

The following demo walks you through configuring SAML SSO with Okta:

• Secure Your Databricks Access with SAML SSO

For an overview of single sign-on in the account, see Configure SSO in Databricks.

Enable SSO using SAML

The following instructions describe how to use SAML 2.0 to authenticate account console users.

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.

1. View the account console SSO page and copy the SAML URL:

   1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

      1. Click the Authentication tab.

      2. Next to Authentication, click Manage.

      3. Choose Single sign-on with my identity provider.

      4. Click Continue.

      5. Under Identity protocol, select SAML 2.0.

      6. Copy the value in the Databricks Redirect URL field. You will need the Databricks SAML URL for a later step.

   

2. In another browser window or tab, create a Databricks application in your identity provider:

   1. Go to your identity provider (IdP).

   2. Create a new client application (web):

      • Use your identity provider’s documentation as needed.

      • For the SAML URL field (which might be called a redirect URL), use the Databricks SAML URL that you copied from the Databricks page.

   3. Copy the following objects and fields from your new Databricks application:

      • The x.509 certificate: A digital certificate provided by your Identity Provider for securing communications between Databricks and the Identity Provider

      • The single-sign-on (SSO) URL for your identity provider. This is the URL that initiates SSO with your identity provider. It is also sometimes referred to as the SAML endpoint.

      • The identity provider issuer: This is the unique identifier for your SAML identity provider. This is sometimes referred to as the Entity ID or Issuer URL.

3. Set your Databricks account to use your identity provider:

   1. Return to the browser tab or window with the Databricks account console SSO page.

   2. Type or paste the following fields from your identity provider’s Databricks application: the single sign-on URL, the identity provider entity ID, and the x.509 Certificate.

   3. Click Save.

   4. Click Test SSO to validate that your SSO configuration is working properly.

   5. Click Enable SSO to enable single sign-on for your account.

   6. Test account console login with SSO.

4. Grant all account users access to the Databricks application in your identity provider. You might need to modify the access permissions for the application.

Configure unified login

Once you have enabled SSO in the account console, Databricks recommends enabling unified login. Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.