
SSO to Databricks with AWS IAM Identity Center

Preview

This feature is in Public Preview.

This page shows how to configure AWS IAM Identity Center as the identity provider for single sign-on (SSO) in your Databricks account. You can configure SSO with AWS IAM Identity Center using SAML 2.0. AWS IAM Identity Center support for OIDC is not compatible with Databricks.

Enable AWS IAM Identity Center SSO using SAML

  1. In a new browser tab, log in to the AWS Management Console and navigate to IAM Identity Center. You might need to enable IAM Identity Center in your AWS account.

    1. In the IAM Identity Center console, go to Applications.

    2. Click Add application.

    3. In Setup preference, select I want to select an application from the catalog.

    4. Search for and select Databricks and click Next.

      (Screenshot: AWS IAM Identity Center setup preferences)

    5. Copy and save the IAM Identity Center sign-in URL value.

    6. Download the public certificate from the IAM Identity Center Certificate link.

  2. In a new browser tab, log in to the Databricks account console and click the Settings icon in the sidebar.

    1. Click the Authentication tab.
    2. Next to Authentication, click Manage.
    3. Choose Single sign-on with my identity provider.
    4. Click Continue.
    5. Under Identity protocol, select SAML 2.0.
    6. Set both Single Sign-On URL and Identity Provider Entity ID to the IAM Identity Center sign-in URL that you copied.
    7. Set x.509 Certificate to the text from the IAM Identity Center Certificate you downloaded. Paste the entire certificate, including the markers for the beginning and ending of the certificate.
    8. Copy the Databricks redirect URL.

    (Screenshot: Configure SAML SSO)

  3. Go back to the AWS IAM Identity Center browser tab.

    1. Under Application metadata, select Manually type your metadata values.

    2. In both Application ACS URL and Application SAML audience, paste the value for the Databricks redirect URL that you copied.

    3. Click Submit.

      (Screenshot: AWS IAM Identity Center application metadata)

  4. Go back to the Databricks browser tab.

    1. Click Save.
    2. Click Test SSO to validate that your SSO configuration is working properly.
    3. Click Enable SSO to enable single sign-on for your account.
    4. Test account console login with SSO.
  5. Add users to Databricks

    You must add users to Databricks in order for them to log in. Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. See Sync users and groups from your identity provider using SCIM.
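A common cause of a failed Test SSO in step 4 is a certificate pasted incompletely in step 2 (a missing marker, a truncated last line). The following pre-flight check is an added example for this page, not Databricks or AWS code: it uses only the Python standard library to confirm that the text you are about to paste into x.509 Certificate is a complete PEM block whose body decodes to exactly one DER SEQUENCE, and it reports the SHA-256 fingerprint so you can compare it with what the IAM Identity Center console shows. The sample blob at the end is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# A PEM certificate: both markers present, base64 body (possibly line-wrapped) in between.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def der_length(data: bytes) -> int:
    """Total encoded length of the leading DER SEQUENCE in data; 0 if malformed."""
    if len(data) < 2 or data[0] != 0x30:          # X.509 Certificate is a SEQUENCE (tag 0x30)
        return 0
    first = data[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n more length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return 0
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_idp_certificate(pem_text: str) -> dict:
    """Validate pasted IdP certificate text; return its fingerprint or a failure reason."""
    match = PEM_RE.search(pem_text)
    if not match:
        return {"ok": False, "reason": "missing BEGIN/END CERTIFICATE markers"}
    body = re.sub(r"\s+", "", match.group("body"))  # drop PEM line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "reason": "certificate body is not valid base64"}
    if der_length(der) != len(der):               # truncated paste or trailing junk
        return {"ok": False, "reason": "body is not exactly one DER SEQUENCE (truncated?)"}
    return {"ok": True, "sha256": hashlib.sha256(der).hexdigest()}


# Constructed placeholder, NOT a real certificate: a 5-byte DER SEQUENCE wrapped as PEM,
# just enough to exercise the checks above. Pass the downloaded .pem text instead.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(check_idp_certificate(SAMPLE_PEM))
```

Run it against the downloaded file's contents; an `ok: False` result tells you which part of the paste to fix before clicking Test SSO.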