Configure workspace-level SCIM provisioning using OneLogin (legacy)

Important

This documentation has been retired and might not be updated. Workspace-level SCIM provisioning is legacy. Databricks recommends that you use account-level SCIM provisioning, see Sync users and groups from your identity provider.

Preview

This feature is in Public Preview.

When you follow these steps, log into the Databricks admin settings page in one browser tab and log into the OneLogin admin console in another.

Generate a Databricks personal access token

As a Databricks workspace administrator, generate a personal access token. See Token management. Store the personal access token in a secure location. OneLogin will use this personal access token to authenticate to Databricks.

Important

The user who owns this personal access token must not be managed within OneLogin. Otherwise, removing the user from OneLogin would disrupt the SCIM integration.

Configure the OneLogin SCIM provisioning app

  1. Log in to OneLogin as a Super User or Account Owner, and launch the OneLogin admin console.

  2. Go to Applications and click Add App.

  3. Search for and select SCIM Provisioner with SAML (SCIM v2 Core).

  4. Click Save. New configuration tabs appear at the left.

  5. Click Configuration.

  6. In Databricks subdomain, enter https://<databricks-instance>/api/2.0/preview/scim/v2. Replace <databricks-instance> with the workspace URL of your Databricks deployment. See Get identifiers for workspace objects.

  7. In the SCIM Bearer Token field, enter the Databricks personal access token.

  8. Under API Connection, click Enable. The application authenticates to Databricks.

  9. Go to Provisioning to enable and configure provisioning.

    1. Under Workflow, select Enable provisioning.

    2. Configure whether to require admin approval to create, delete, or update a user.

      Note

      Databricks recommends that you enable admin approval for all operations as an initial safeguard, so that you don’t trigger automatic provisioning for your users before setup and testing have been completed. After you have tested and verified that provisioning is working as expected, you can configure these settings to override admin approval.

    3. Configure the behavior in Databricks when a user is deleted from OneLogin:

      • Do nothing does not modify the user in Databricks.

      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.

      • Delete deletes the user in Databricks and archives the user’s resources. This is not reversible.

    4. Configure the behavior in Databricks when a user is suspended in OneLogin.

      • Do nothing does not modify the user in Databricks.

      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.

    1. Under Entitlements, click Refresh. In OneLogin, groups are called entitlements. This imports groups from Databricks into OneLogin. Importing OneLogin entitlements into Databricks is not supported.

  10. Click Save.

Continue to Use OneLogin to manage users and groups in Databricks to provision users and groups in your Databricks workspace.

Note

When you remove a user from the admins group in OneLogin and the change is synced to Databricks, the user is no longer a Databricks workspace administrator.

Use OneLogin to manage entitlements and IAM roles

Databricks supports the assignment of IAM roles and workspace entitlements from workspace-level Databricks applications in OneLogin. The assignment of roles and entitlements is not supported from the account-level Databricks application in OneLogin. If you want to assign IAM roles and workspace entitlements from OneLogin, you must create a workspace-level Databricks application in OneLogin to that workspace.

Databricks recommends that you instead use an account-level Databricks application in OneLogin to provision users and groups to the account level. You assign users and groups to workspaces using identity federation and manage their entitlements and IAM roles within Databricks.

Map Databricks attributes to OneLogin attributes

In order to manage IAM roles and entitlements from OneLogin, you must first create mappings to keep Databricks IAM roles and entitlements in sync with OneLogin fields for provisioned users.

  1. In OneLogin, go to Users > Custom User Fields and create two custom fields:

    • One to hold a user’s allow-cluster-create permission. In our example, we name this databricksEntitlements.

    • One to hold the user’s Databricks IAM role. In our example, we name this IAM Role.

    Once you have created these fields, you can specify the IAM role and allow-cluster-create entitlement for any user in the Custom Fields section of the OneLogin user record.

  2. Return to your OneLogin SCIM provisioning app and go to the Parameters tab to map the Entitlement, Groups, and Role attributes (all optional).

    Click the field name to open the edit dialog, where you can set the OneLogin field (Value) to map to the Databricks field.

    • Entitlement: set the Value to the custom user field you created in Step 1.

    • Role: set the Value to the custom user field you created in Step 1.

  3. Click Save.

Repeat this procedure to assign additional IAM roles or entitlements.

Assign IAM roles and entitlements to Databricks workspace users

Once you have created your custom user fields and configured your attribute mapping, you can assign IAM roles and entitlements to Databricks users when you provision them.

When you enter a value for the entitlement and IAM role custom fields on the user record (Users > All Users > <username>), the entitlement and IAM role are automatically included when you provision the user to Databricks. You can also use OneLogin rules (mappings) to assign IAM roles and entitlements automatically, based on another OneLogin attribute, such as OneLogin Role.

You can remove or update IAM role or entitlement assignments by going to the Users tab in the OneLogin SCIM provisioning app and select the user to edit. Remove or override the current selection in the custom IAM role field, or custom entitlement field. If you have set up rules to assign IAM roles or entitlements to the user based on a OneLogin attribute, remove that attribute from the user. You can also change the rule that assigns the IAM role or entitlement to users in that OneLogin role.