Configure account SSO using OIDC

This article shows how to configure single sign-on (SSO) in general to authenticate to the account console and Databricks workspaces using OIDC. You can also read the specific instructions on how to configure SSO with OIDC for the following identity providers:

For an overview of single sign-on in the account, see SSO in your Databricks account console.

Enable account single sign-on authentication using OIDC

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lock out. See Configure emergency access.

  1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

  2. Click the Single sign-on tab.

  3. From the drop-down at the top of this tab, select OpenID Connect.

  4. Copy the value in the Databricks Redirect URI field.

  5. Go to your identity provider and create a new client application (web), entering the Databricks Redirect URI value in the appropriate field in the identity provider configuration interface.

    Your identity provider should have documentation to guide you through this process.

  6. Copy the client ID, client secret, and OpenID issuer URL generated by the identity provider for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider. This is sometimes referred to as the Application ID.

    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

    • OpenID issuer URL is the URL at which your identity provider's OpenID Configuration Document can be found. That OpenID Configuration Document must be served at {issuer-url}/.well-known/openid-configuration.

  7. Return to the Databricks account console Single sign-on tab and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields.

    Single sign-on tab when all values have been entered

  8. Click Save.

  9. Click Test SSO to validate that your SSO configuration is working properly.

  10. Click Enable SSO to enable single sign-on for your account.

  11. Test account console login with SSO.

  12. Grant all account users access to the Databricks application in your identity provider. You might need to modify the access permissions for the application.
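Before pasting the OpenID issuer URL into the account console in step 7, it is worth confirming that the identity provider actually serves a usable discovery document at {issuer-url}/.well-known/openid-configuration, since a wrong issuer URL is the most common reason Test SSO fails. The following Python script is an added example, not code from Databricks or from this article; the hostname idp.example.com, the sample discovery document and the check_discovery_document helper are all constructed for illustration. It builds the well-known URL the way OIDC Discovery specifies, then checks the points that matter for the client-secret, authorization-code flow Databricks uses: the issuer value in the document must match the URL you entered, the authorization, token and JWKS endpoints must be present, the provider must advertise response_type=code, and it must accept client-secret authentication at the token endpoint.

```python
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Fields that OIDC Discovery requires in every provider metadata document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Databricks authenticates with a client ID and client secret, so the token
# endpoint must accept one of these methods (default when the key is absent
# is client_secret_basic).
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}


def discovery_url(issuer_url: str) -> str:
    """Build {issuer-url}/.well-known/openid-configuration.

    The well-known path is appended to the issuer's path component, so an
    issuer with a path (e.g. /oauth2/default) keeps that path.
    """
    parts = urlsplit(issuer_url)
    path = parts.path.rstrip("/") + "/.well-known/openid-configuration"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def fetch_discovery_document(issuer_url: str, timeout: float = 10.0) -> dict:
    """Download and parse the provider metadata (network access required)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery_document(issuer_url: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    if urlsplit(issuer_url).scheme != "https":
        problems.append("issuer URL must use https")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing required field: {key}")
    # The issuer claim in the metadata must equal the URL used for discovery;
    # a mismatch usually means the wrong base path was entered.
    if "issuer" in doc and doc["issuer"].rstrip("/") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc['issuer']!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("openid scope not advertised")
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & SECRET_AUTH_METHODS:
        problems.append("token endpoint does not accept client-secret authentication")
    return problems


# Constructed sample: a well-formed discovery document for a hypothetical IdP.
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_discovery_document(SAMPLE_ISSUER) to check a real provider.
    print("discovery URL:", discovery_url(SAMPLE_ISSUER))
    for problem in check_discovery_document(SAMPLE_ISSUER, SAMPLE_DOC) or ["no problems found"]:
        print(" -", problem)
```

If the script reports an issuer mismatch, enter the issuer value printed from the document rather than the URL you guessed; Databricks (like any conforming relying party) will compare the iss claim in the ID token against the configured issuer, so the two must agree exactly.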

Configure unified login

Once you have enabled SSO in the account console, Databricks recommends enabling unified login. Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.