Activate SSO

In about 10 minutes, you'll configure SSO so users sign in to Databricks with your identity provider.

Prereqs: Add Users, Add Groups, identity provider admin access

What you'll build

Single sign-on configured at the Databricks account level. Users authenticate through your existing identity provider instead of managing separate Databricks credentials.

Prerequisites

  • Account-admin access to the Databricks account console.
  • Admin access to your identity provider (Entra ID, Okta, or another SAML/OIDC provider).

Steps

1. Check your cloud provider

SSO configuration varies by cloud. Follow the instructions for your platform.

Azure

No action needed. Entra ID (Azure AD) SSO is enabled by default for Azure Databricks.

AWS

Configure SSO with your identity provider:

  1. Follow the guide: Configure SSO for AWS.
  2. Set up the SAML or OIDC application in your IdP.
  3. Register the IdP configuration in the Databricks account console under Settings > Single sign-on.

GCP

Google SSO may be enabled by default. If it is not:

  1. Follow the guide: Configure SSO for GCP.
  2. Set up the SAML or OIDC application in your IdP.
  3. Register the IdP configuration in the Databricks account console.

2. Test SSO login

  1. Open a private/incognito browser window.
  2. Navigate to the workspace URL.
  3. Confirm the login redirects to your identity provider.
  4. Sign in and verify you land in the workspace.

Verify

  1. Log in to a workspace using SSO from a private browser window.
  2. In the account console, navigate to Settings > Single sign-on and confirm the SSO configuration shows as active.

Troubleshoot

SSO redirect fails or loops

Check the SAML/OIDC reply URL configured in your IdP. It must match the URL registered in the Databricks account console exactly. Trailing slashes and protocol mismatches are common causes.
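
The exact-match requirement above can be checked before editing either side. This is an added example, not part of the Databricks documentation: a helper that compares the reply URL set in the IdP with the one registered in the account console and names the component that differs. The function name and the example.com URLs are constructed placeholders.

```python
from urllib.parse import urlsplit


def diff_reply_urls(idp_url: str, registered_url: str) -> list[str]:
    """List the reasons two reply URLs fail an exact string match."""
    if idp_url == registered_url:
        return []
    findings = []
    # Copy-paste often carries invisible whitespace into the IdP form field.
    if idp_url != idp_url.strip() or registered_url != registered_url.strip():
        findings.append("leading or trailing whitespace")
    a, b = urlsplit(idp_url.strip()), urlsplit(registered_url.strip())
    if a.scheme != b.scheme:
        findings.append(f"protocol mismatch: {a.scheme} vs {b.scheme}")
    if a.hostname != b.hostname:
        findings.append(f"host mismatch: {a.hostname} vs {b.hostname}")
    if a.port != b.port:
        # An explicit :443 is not string-equal to an omitted port.
        findings.append(f"port mismatch: {a.port} vs {b.port}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            findings.append("trailing slash mismatch in path")
        else:
            findings.append(f"path mismatch: {a.path} vs {b.path}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        findings.append("query string or fragment mismatch")
    if not findings:
        # urlsplit lowercases scheme and host, so a case-only change lands here.
        findings.append("differs in letter case or another normalised detail")
    return findings


if __name__ == "__main__":
    registered = "https://login.example.com/saml/acs"  # constructed placeholder
    candidates = [  # constructed values as they might appear in an IdP app
        "https://login.example.com/saml/acs/",
        "http://login.example.com/saml/acs",
        "https://Login.example.com/saml/acs",
        "https://login.example.com/saml/acs",
    ]
    for url in candidates:
        print(url, "->", diff_reply_urls(url, registered) or "exact match")
```
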

User authenticates but cannot access a workspace

SSO handles authentication, not authorization. The user must also be assigned to the workspace. Verify their assignment in the account console under the workspace's permission settings.

Azure: Entra ID SSO not working

Entra ID SSO is enabled by default, but the user must exist in the linked Entra ID directory. If using a guest account or B2B user, verify the account has been invited and accepted.
