Configure SSO in Databricks

Preview

This feature is in Public Preview.

This page gives you an overview of using single sign-on (SSO) to authenticate to the account console and Databricks workspaces. To sync users and groups from your identity provider, see Sync users and groups from your identity provider using SCIM.

Overview of SSO setup

By default, single sign-on using Google Cloud Identity (or GSuite) is available in Databricks. Optionally, you can choose to bring your own identity provider to configure single sign-on to Databricks. A single SSO configuration is used across your account and all Databricks workspaces.

When SSO is enabled in the account, all users, including admins, must sign in to the Databricks account and workspaces using single sign-on.

SSO supports using either SAML 2.0 or OpenID Connect (OIDC). Your identity provider (IdP) must support at least one of these protocols.

After enabling SSO, Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. See Sync users and groups from your identity provider using SCIM.

You can configure just-in-time (JIT) provisioning to automatically create new user accounts from your identity provider upon their first login. See Automatically provision users (JIT).

You can read the generic instructions on how to configure SSO with OIDC or SAML or specific instructions for different identity providers:

• Configure SSO using OIDC
• Configure SSO using SAML
• SSO to Databricks with Microsoft Entra ID
• SSO to Databricks with Okta
• SSO to Databricks with OneLogin
• SSO to Databricks with AWS IAM Identity Center
• SSO to Databricks with Keycloak
• SSO to Databricks with JumpCloud

The following demos walk you through configuring SSO with Okta:

• Secure Your Databricks Access with OIDC SSO
• Secure Your Databricks Access with SAML SSO

Test your SSO configuration

After you complete the SSO setup, test your configuration to make sure users can sign in.

Test SSO from the account console

During SSO setup, use the built-in test to verify your configuration before you enable SSO:

1. After you enter your identity provider settings in the Databricks account console, click Save.
2. Click Test SSO. Databricks opens a new browser window and attempts to authenticate using your identity provider.
3. Complete the sign-in flow in your identity provider.
4. Review the test results:
   • If the test succeeds, click Enable SSO to enable single sign-on for your account.
   • If the test fails, review the error message and verify your identity provider settings. See Troubleshooting OIDC SSO or Troubleshooting SAML SSO.

Test account console login

After you enable SSO, verify that users can sign in to the account console:

1. Open a new browser window or private/incognito session.
2. Go to the account console.
3. Enter a test user's email address. Your browser redirects to your identity provider's sign-in page.
4. Complete the sign-in flow. After you authenticate, Databricks redirects you to the account console.
5. Verify the user identity by clicking the username in the top bar to confirm the correct user is logged in.

Troubleshoot test failures

If SSO testing fails, try the following:

• your identity provider settings: Verify that the redirect URL, client ID, client secret (for OIDC), or x.509 certificate (for SAML) are correct.
• Verify user access: Make sure the test user is assigned to the Databricks application in your identity provider.
• Review error messages: See Troubleshooting OIDC SSO or Troubleshooting SAML SSO for specific error codes.

• Use a private browser window: Test in an incognito or private session to avoid cached credentials from interfering with the test.
• Review browser console logs: Open your browser's developer tools to look for redirect or network errors during the sign-in flow.

For troubleshooting errors with SSO, see:

• Troubleshooting OIDC SSO
• Troubleshooting SAML SSO