SSO to Databricks with Okta

Preview

This feature is in Public Preview.

This page shows how to configure Okta as the identity provider for single sign-on (SSO) in your Databricks account. Okta supports both OpenID Connect (OIDC) and SAML 2.0. To sync users and groups from Okta, see Sync users and groups from your identity provider using SCIM.

The following demos walk you through configuring SSO with Okta:

• Secure Your Databricks Access with OIDC SSO
• Secure Your Databricks Access with SAML SSO

Enable Okta single sign-on

Choose your identity protocol:

OIDC

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select OpenID Connect.

7. On the Authentication tab, make note of the Databricks Redirect URL value.

8. In a new browser tab, log into Okta as an administrator.

9. In the home page, click Applications > Applications.

10. Click Create App Integration.

11. Select OIDC - OpenID Connect and Web Application and click Next.

12. Name your app integration.

13. In Sign-in redirect URIs, enter the Databricks Redirect URL from step 7. You can choose to configure the other settings or you can leave them to their default values.

14. In Assignments, select Allow everyone in your organization to access. This ensures all users in your organization can access the Databricks account.

15. Click Save.

16. In the General tab, copy the client ID and client secret generated by Okta for the application.

    • Client ID is the unique identifier for the Databricks application you created in your identity provider.
    • Client secret is a secret or password generated for the Databricks application that you created. It is used to authorize Databricks with your identity provider.

17. Click the Sign On tab, in OpenID Connect ID Token copy the Okta URL in the issuer field.

    If the issuer field says Dynamic, click Edit and select Okta URL in the dropdown menu.

    note

    This URL points to Okta’s OpenID Configuration Document, which is located at {issuer-url}/.well-known/openid-configuration. You can specify query parameters by appending them to the issuer URL, for example {issuer-url}?appid=123.

18. Return to the Databricks account console Authentication tab and enter values you copied from the identity provider application to the Client ID, Client secret, and Issuer URL fields.

19. Optionally, enter a Username claim if you want to use a claim other than email as users' Databricks usernames. See your identity provider's documentation for specific information on claim values.

    

20. Click Save.

21. Click Test SSO to validate that your SSO configuration is working properly.

22. Click Enable SSO to enable single sign-on for your account.

23. Test account console login with SSO.

SAML 2.0

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select SAML 2.0.

7. On the Authentication tab, make note of the Databricks redirect URL.

   

8. In a new browser tab, log into Okta as an administrator.

9. Go to Applications and click Browse App Catalog.

10. Search for and select Databricks.

11. Click Add integration.

12. Name your application and click Done.

13. Select the Sign On tab and click Edit.

14. Under Advanced sign-on settings, configure the application using the following settings:

    • Databricks SAML URL: the Databricks redirect URL you copied above.
    • Application username format: Email

15. Click Save. The Databricks SAML app is shown.

16. Under SAML 2.0 is not configured until you complete the setup instructions, click View Setup Instructions.

17. Copy the following values:

    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • x.509 certificate

18. Click the Assignments tab. Add the Okta group named Everyone to the application. This ensures all users in your organization can access the Databricks account.

19. Return to the Databricks account console Authentication tab and enter values you copied from Okta:

    • Single Sign-On URL: The Okta Identity Provider Single Sign-On URL
    • Identity Provider Entity ID: The Okta Identity Provider Issuer
    • x.509 Certificate: The Okta x.509 certificate, including the markers for the beginning and ending of the certificate

20. Click Save.

21. Click Test SSO to validate that your SSO configuration is working properly.

22. Click Enable SSO to enable single sign-on for your account.

23. Test account console login with SSO.

1. Add users to Databricks

   You must add users to Databricks in order for them to log in. Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. See Sync users and groups from your identity provider using SCIM.