Configure SSO in Databricks

Preview

This feature is in Public Preview.

This page gives you an overview of using single sign-on (SSO) to authenticate to the account console and Databricks workspaces. To sync users and groups from your identity provider, see Sync users and groups from your identity provider using SCIM.

Overview of SSO setup

By default, single sign-on using Google Cloud Identity (or GSuite) is available in Databricks. Optionally, you can choose to bring your own identity provider to configure single sign-on to Databricks. A single SSO configuration is used across your account and all Databricks workspaces.

When SSO is enabled in the account, all users, including admins, must sign in to the Databricks account and workspaces using single sign-on.

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

After enabling SSO, Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. See Sync users and groups from your identity provider using SCIM.

You can read the generic instructions on how to configure SSO with OIDC or SAML or specific instructions for different identity providers:

• Configure SSO using OIDC
• Configure SSO using SAML
• SSO to Databricks with Microsoft Entra ID
• SSO to Databricks with Okta
• SSO to Databricks with OneLogin
• SSO to Databricks with AWS IAM Identity Center
• SSO to Databricks with Keycloak
• SSO to Databricks with JumpCloud

The following demos walk you through configuring SSO with Okta:

• Secure Your Databricks Access with OIDC SSO
• Secure Your Databricks Access with SAML SSO

For troubleshooting errors with SSO, see:

• Troubleshooting OIDC SSO
• Troubleshooting SAML SSO