Configure AWS IAM Identity SSO for your workspace
Warning
Workspace-level SSO is a legacy configuration. It can only be configured when unified login is disabled. When unified login is enabled, your workspace uses the same SSO configuration as your account.
If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled.
Databricks recommends enabling unified login on all workspaces. See Enable unified login.
This documentation has been retired and might not be updated.
This article shows how to configure AWS IAM Identity Center as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Configure SSO in Databricks.
Requirements
In the AWS console, you need permission to manage applications.
In Databricks, you need an administrator account.
Gather required information
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to SSO settings, click Manage.
Copy the Databricks SAML URL.
Keep this browser tab open.
Configure AWS SSO
In a new browser tab, go to the AWS IAM Identity Center console.
Click Add a new application.
In the AWS IAM Identity Center Application Catalog field, type
databricks
.Click the Databricks tile.
Set Display name to Databricks.
Under Application Metadata, select If you don’t have a metadata file, you can manually type your metadata values.
Set both Application ACS URL and Application SAML Audience to the Databricks SAML URL from Gather required information.
Copy the Single Sign On URL and Identity Provider Entity ID.
Download the x.509 certificate, then open the downloaded file in a text editor.
Configure Databricks
Go back to the Databricks browser tab.
Set Single Sign On URL to the Single Sign On URL from AWS SSO.
Set Identity Provider Entity ID to the Identity Provider Entity ID from AWS SSO.
Paste the entire x.509 certificate from AWS SSO into x.509 certificate, including the markers for the beginning and ending of the certificate.
Click Enable SSO.
Optionally, click Allow auto user creation.
Test the configuration
In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to AWS.
Log in to AWS. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.