SSO with Microsoft Entra ID for your workspace

Warning

Workspace-level SSO is a legacy configuration. It can only be configured when unified login is disabled. When unified login is enabled, your workspace uses the same SSO configuration as your account.

If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces, new and existing, and it cannot be disabled.

Databricks recommends enabling unified login on all workspaces. See Enable unified login.

This documentation has been retired and might not be updated.

This article shows how to configure single sign-on (SSO) when you use Databricks and your users and groups are managed in Microsoft Entra ID. Microsoft Entra ID runs in your Azure tenant and supports SAML 2.0.

This article shows how to configure Microsoft Entra ID as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Configure SSO in Databricks.

Gather required information

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Settings.

  3. Click on the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Copy the Databricks SAML URL.

Do not close this browser tab.

Configure Microsoft Entra ID

Create an Azure portal application

Follow these steps to create a non-gallery Azure portal SAML application.

  1. In the Azure portal menu, click All services. In the Identity section, click Enterprise applications.

  2. Click New application, then click Create your own application.

  3. Enter a name for the application. When asked What are you looking to do with your application?, choose Integrate any other application you don’t find in the gallery.

  4. Click Create.

Configure the Azure portal application

  1. In the Azure portal menu, click Users and groups.

  2. Click Add user/group and select users or groups to grant them access to this SAML application. Users must have access to this SAML application to log in to your Databricks workspace using SSO.

  3. In the Azure portal menu, click Authentication.

  4. Click the SAML tile to configure the application for SAML authentication.

  5. Next to Basic SAML configuration, click Edit.

  6. Next to SAML Signing Certificate, click Edit.

  7. In the Signing Option drop-down list, select Sign SAML response and assertion.

  8. In Attributes & Claims, click Edit.

  9. Set the Unique User Identifier (Name ID) field to user.mail.

  10. Under SAML Certificates, next to Certificate (Base64), click Download. The certificate is downloaded locally as a file with the .cer extension.

  11. Open the .cer file in a text editor. Do not open it using the macOS keychain, which is the default application for this file type on macOS. The file comprises the entire X.509 certificate for the Microsoft Entra ID SAML application.

    Important

    The certificate is sensitive data. Be cautious about where you download it and delete it from local storage as soon as possible.

  12. Copy the file contents.

  13. Under Set up Microsoft Entra ID SAML Toolkit, copy the Login URL and Microsoft Entra ID Identifier.

Configure Databricks

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Settings.

  3. Click on the Identity and access tab.

  4. Next to SSO settings, click Manage.

  5. Set Single Sign-On URL to the Login URL from Configure the Azure portal application.

  6. Set Identity Provider Entity ID to the Microsoft Entra ID Identifier from Configure the Azure portal application.

  7. Paste the certificate from Configure the Azure portal application into the X.509 Certificate field.

  8. Click Enable SSO.

  9. Optionally, click Allow auto user creation.

Test the configuration

  1. In an incognito browser window, go to your Databricks workspace.

  2. Click Single Sign On. You are redirected to Microsoft Entra ID.

  3. Enter your Microsoft Entra ID credentials. If SSO is configured correctly, you are redirected to Databricks.

If the test fails, review Troubleshooting.