Workspace-level SSO can only be configured when unified login is disabled. When unified login, your workspace uses the same SSO configuration as your account. Databricks recommends enabling unified login on all workspaces. See Unified login.
This article shows how to configure Ping Identity as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Set up SSO in your Databricks account console.
Log in to Databricks as an administrator.
Go to the admin settings page.
Click Single Sign On.
Copy the Databricks SAML URL.
Do not close this browser tab.
In a new browser tab, log in to Ping Identity as an administrator.
Inside the PingOne admin portal, click the Connections icon. It looks like a flow chart connector.
Click +Add Application.
Click Advanced Configuration.
Next to SAML, click Configure.
Set Application Name to Databricks, then click Next.
For Provide App Metadata, click Manually Enter.
Enter the Databricks SAML URL from Gather required information into the following fields:
SLO Response Endpoint
Target Application URL
Under Signing Key, select Sign Response or Sign Assertion and Response.
Do not select Enable Encryption or Enforce Signed Authn Request.
Set Assertion Validity to a value between 30 and 180 seconds. For more details, see Accounting for Time Drift Between SAML Endpoints in the Ping Identity knowledge base.
Click Save and Continue.
Under SAML Attributes, set PINGONE USER ATTRIBUTE to Email Address.
Click Save and Close. The SAML application appears.
Click Download Metadata.
Open the downloaded XML file in a text editor.
Go back to the browser tab for Databricks.
In the admin settings page, click Single Sign On.
Set both Single Sign-On URL and Identity Provider Entity ID to the value of the
Locationattribute of the
<SingleSignOnService>tag in the XML file you downloaded from Ping Identity.
Set x.509 Certificate to the value of the
<ds:X509Certificate>tag in the XML file you downloaded from Ping Identity.
Click Enable SSO.
Optionally, click Allow auto user creation.
In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to Ping Identity.
Log in to Ping Identity. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.