Configure SSO with Ping Identity for your workspace
Warning
Workspace-level SSO is a legacy configuration. It can only be configured when unified login is disabled. When unified login is enabled, your workspace uses the same SSO configuration as your account.
If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces, new and existing, and it cannot be disabled.
Databricks recommends enabling unified login on all workspaces. See Enable unified login.
This documentation has been retired and might not be updated.
This article shows how to configure Ping Identity as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Configure SSO in Databricks.
Gather required information
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to SSO settings, click Manage.
Copy the Databricks SAML URL.
Do not close this browser tab.
Configure Ping Identity
In a new browser tab, log in to Ping Identity as an administrator.
Inside the PingOne admin portal, click the Connections icon. It looks like a flow chart connector.
Click +Add Application.
Click Advanced Configuration.
Next to SAML, click Configure.
Set Application Name to Databricks, then click Next.
For Provide App Metadata, click Manually Enter.
Enter the Databricks SAML URL from Gather required information into the following fields:
ACS URL
Entity ID
SLO Endpoint
SLO Response Endpoint
Target Application URL
Under Signing Key, select Sign Response or Sign Assertion and Response.
Important
Do not select Enable Encryption or Enforce Signed Authn Request.
Set Assertion Validity to a value between 30 and 180 seconds. For more details, see Accounting for Time Drift Between SAML Endpoints in the Ping Identity knowledge base.
Click Save and Continue.
Under SAML Attributes, set PINGONE USER ATTRIBUTE to Email Address.
Click Save and Close. The SAML application appears.
Click Configuration.
Click Download Metadata.
Open the downloaded XML file in a text editor.
Configure Databricks
Go back to the browser tab for Databricks.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to SSO settings, click Manage.
Set both Single Sign-On URL and Identity Provider Entity ID to the value of the
Location
attribute of the<SingleSignOnService>
tag in the XML file you downloaded from Ping Identity.Set x.509 Certificate to the value of the
<ds:X509Certificate>
tag in the XML file you downloaded from Ping Identity.Click Enable SSO.
Optionally, click Allow auto user creation.
Test the configuration
In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to Ping Identity.
Log in to Ping Identity. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.