Configure account SSO using SAML

This article shows how to generally configure single sign-on (SSO) to authenticate to the account console and Databricks workspaces using SAML. You can also read the specific instructions on how to configure SSO with OIDC to the following identity providers:

For an overview of single sign-on in the account, see SSO in your Databricks account console.

Enable account single sign-on authentication using SAML

The following instructions describe how to use SAML 2.0 to authenticate account console users.

Warning

To prevent getting locked out of Databricks during single sign-on testing, Databricks recommends keeping the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Configure emergency access.

  1. View the account console SSO page and copy the SAML URL:

    1. As an account admin, log in to the account console and click the Settings icon in the sidebar.

    2. Click the Single sign-on tab.

    3. From the drop-down at the top of this tab, select SAML 2.0.

    4. Copy the value in the Databricks Redirect URI field. This is the Databricks SAML URL that you will need in a later step.

  2. In another browser window or tab, create a Databricks application in your identity provider:

    1. Go to your identity provider (IdP).

    2. Create a new client application (web):

      • Use your identity provider’s documentation as needed.

      • For the SAML URL field (which might be called a redirect URL), use the Databricks SAML URL that you copied from the Databricks page.

    3. Copy the following objects and fields from your new Databricks application:

      • The x.509 certificate: A digital certificate provided by your Identity Provider for securing communications between Databricks and the Identity Provider

      • The single sign-on (SSO) URL for your identity provider. This is the URL that initiates single sign-on with your identity provider. It is also sometimes referred to as the SAML endpoint.

      • The identity provider issuer: This is the unique identifier for your SAML identity provider. This is sometimes referred to as the Entity ID or Issuer URL.

  3. Set your Databricks account to use your identity provider:

    1. Return to the browser tab or window with the Databricks account console SSO page.

    2. Type or paste the following fields from your identity provider’s Databricks application: the single sign-on URL, the identity provider entity ID, and the x.509 Certificate.

    3. Click Save.

    4. Click Test SSO to validate that your SSO configuration is working properly.

    5. Click Enable SSO to enable single sign-on for your account.

    6. Test account console login with SSO.

  4. Grant all account users access to the Databricks application in your identity provider. You might need to modify the access permissions for the application.
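Most identity providers publish the three values that step 2.3 asks for (issuer, SSO URL, signing certificate) in a SAML metadata XML document. The following Python is an added example, not Databricks' or any identity provider's code: it extracts those values from such a document, rejects metadata that lacks any of them, and computes the certificate's SHA-256 fingerprint so you can compare it with what the IdP displays before clicking Test SSO. The sample metadata, hostnames and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",  # browser-based SSO bindings
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

# Constructed sample: a placeholder IdP entity ID, SSO URL and DER blob,
# not values from any real identity provider.
PLACEHOLDER_DER = b"\x30\x82\x01\x00placeholder-certificate-bytes-for-the-sample"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(PLACEHOLDER_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDINGS[1]}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return issuer, SSO URL and signing certificate from IdP metadata, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("metadata has no entityID (identity provider issuer)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = next((endpoints[b] for b in BINDINGS if endpoints.get(b)), None)
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:  # no 'use' = both
            cert_b64 = "".join(node.text.split())  # metadata often wraps the base64 across lines
            break
    if not cert_b64:
        raise ValueError("no signing X509Certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("X509Certificate is not a DER SEQUENCE")
    return {"issuer": issuer, "sso_url": sso_url,
            "certificate_pem": ssl.DER_cert_to_PEM_cert(der),
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}
```

The PEM string is what goes into the x.509 Certificate field; the fingerprint is only for the out-of-band comparison and is not pasted anywhere.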

Configure unified login

Once you have enabled SSO in the account console, Databricks recommends enabling unified login. Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. To configure unified login, see Enable unified login.