Configure SSO with Okta for your workspace
Warning
Workspace-level SSO is a legacy configuration. It can only be configured when unified login is disabled. When unified login is enabled, your workspace uses the same SSO configuration as your account.
If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces, new and existing, and it cannot be disabled.
Databricks recommends enabling unified login on all workspaces. See Enable unified login.
This documentation has been retired and might not be updated.
This article shows how to configure Okta as the identity provider for a Databricks workspace. To configure SSO in your Databricks account, see Configure SSO in Databricks.
Gather required information
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to SSO settings, click Manage.
Copy the Databricks SAML URL.
Do not close this browser tab.
Configure Okta
In a new browser tab, log into Okta as an administrator.
In the home page, click Applications > Applications.
Click Create App Integration.
Select SAML 2.0 and click Next.
Set App name to Databricks SSO and click Next.
Configure the application using the following settings:
Single Sign On URL: the Databricks SAML URL from Gather required information
Audience URI: the Databricks SAML URL from Gather required information
Name ID Format: EmailAddress
Application Username: Email
Click Advanced settings. Ensure that Response is set to Signed (the default). Signing the assertion is optional. Do not modify other advanced settings.
Important
Assertion encryption must be set to Unencrypted.
Click Hide advanced settings.
Click Next.
Select I’m an Okta customer adding an internal app.
Click Finish. The Databricks SAML app is shown.
Under SAML 2.0 is not configured until you complete the setup instructions, click View Setup Instructions.
Copy the following values:
Identity Provider Single Sign-On URL
Identity Provider Issuer
x.509 certificate
Configure Databricks
Go back to the browser tab for Databricks.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to SSO settings, click Manage.
Set Single Sign-On URL to the Identity Provider Single Sign-On URL from Okta.
Set Identity Provider Entity ID to the Identity Provider Issuer from Okta.
Set x.509 Certificate to the x.509 certificate from Okta, including the markers for the beginning and ending of the certificate.
Click Enable SSO.
Optionally, click Allow auto user creation.
Test the configuration
In an incognito browser window, go to your Databricks workspace.
Click Single Sign On. You are redirected to Okta.
Log in to Okta. If SSO is configured correctly, you are redirected to Databricks.
If the test fails, review Troubleshooting.