Activate SSO

In about 10 minutes, you'll configure SSO so users sign in to Databricks with your identity provider.

Prereqs: Add Users, Add Groups, identity provider admin access

What you'll build

Single sign-on at the Databricks account level. Users sign in through your existing identity provider, so there are no separate Databricks passwords to manage or revoke.

Prerequisites

  • Account-admin access to the Databricks account console.
  • Admin access to your identity provider (Entra ID, Okta, or another SAML/OIDC provider).

Journey checklist

  • Get started.
  • Before you start.
  • Infra setup
    • Create workspaces.
    • Add users.
    • Add groups.
    • Change ownership to metastore admins.
    • Activate SSO.
  • Cost monitoring.
  • Data Governance Strategy.
  • Access your data.
  • Build the first pipeline.
  • Automation and orchestration.
  • Query and explore.
  • Databricks AI/BI.
  • Business semantics.

Steps

1. Pick the path for your cloud

The setup differs by cloud, so jump to your platform.

Azure

Nothing to do. Entra ID (Azure AD) SSO is on by default for Azure Databricks.

AWS

  1. Open the guide: Configure SSO for AWS.
  2. Set up the SAML or OIDC application in your IdP.
  3. Register that IdP configuration in the account console under Settings > Single sign-on.

GCP

Google SSO is often on already. If it is not:

  1. Open the guide: Configure SSO for GCP.
  2. Set up the SAML or OIDC application in your IdP.
  3. Register that IdP configuration in the account console.

2. Test SSO login

  1. Open a private or incognito browser window.
  2. Go to the workspace URL.
  3. The login should redirect to your identity provider. If it does, the wiring is right.
  4. Sign in and confirm you land in the workspace.

Verify

  1. Log in to a workspace through SSO from a private browser window.
  2. In the account console, open Settings > Single sign-on and confirm the configuration shows as active.

Where people trip

SSO redirect fails or loops

Check the SAML/OIDC reply URL configured in your IdP. It must match the URL registered in the Databricks account console exactly. Trailing slashes and protocol mismatches are common causes.
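
To pinpoint which part of the reply URL differs, this added example (not from the Databricks documentation) compares the two strings component by component. It assumes "exactly" means a character-for-character match; `diff_reply_urls` and the example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def diff_reply_urls(idp_url: str, registered_url: str) -> list[str]:
    """Explain why two reply URLs fail an exact match; [] means they match."""
    if idp_url == registered_url:
        return []
    reasons = []
    if idp_url != idp_url.strip() or registered_url != registered_url.strip():
        reasons.append("leading or trailing whitespace")
    a, b = urlsplit(idp_url.strip()), urlsplit(registered_url.strip())
    # urlsplit lowercases scheme and hostname, so these compare case-insensitively.
    if a.scheme != b.scheme:
        reasons.append(f"protocol mismatch: {a.scheme} vs {b.scheme}")
    if a.hostname != b.hostname:
        reasons.append(f"host mismatch: {a.hostname} vs {b.hostname}")
    if a.port != b.port:
        reasons.append(f"port mismatch: {a.port} vs {b.port}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            reasons.append("trailing slash mismatch in path")
        else:
            reasons.append(f"path mismatch: {a.path} vs {b.path}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        reasons.append("query string or fragment mismatch")
    if not reasons:
        # The strings differ but every normalized component agrees.
        reasons.append("differs only in a normalized detail such as letter case")
    return reasons


# Constructed sample values; replace them with the URL copied from your IdP
# application and the one registered in the account console.
REGISTERED = "https://accounts.example.com/sso/callback"
SAMPLES = [
    "https://accounts.example.com/sso/callback",
    "https://accounts.example.com/sso/callback/",
    "http://accounts.example.com/sso/callback/",
    "https://Accounts.example.com/sso/callback",
]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(candidate, "->", diff_reply_urls(candidate, REGISTERED) or "exact match")
```
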

User authenticates but cannot access a workspace

SSO handles authentication, not authorization. The user must also be assigned to the workspace. Verify their assignment in the account console under the workspace's permission settings.

Azure: Entra ID SSO not working

Entra ID SSO is enabled by default, but the user must exist in the linked Entra ID directory. If the user is a guest account or B2B user, verify that the account has been invited and that the invitation has been accepted.