Databricks Community

RoyRoger711 · ‎03-08-2024

Hello Databricks

I wanted to ask a couple questions regarding switching SSO from onelogin to OKTA and turning on user provisioning. We have a total of 4 workspaces ( 1 sandbox , 2 dev and 1 prod) within our account. We have unified login enabled for only 3 of the workspaces but reading the provisioning documentation it says "If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation.” and “By default, Databricks users inherit the workspace-access and databricks-sql-access entitlements. By default, Databricks admin users inherit the create-cluster entitlement. You don’t need to assign these inherited entitlements from Okta.” Which would means that they get deprovisioned from all workspaces and added to all workspaces regardless. If we do not want to provision access prod at all, should we avoid enabling provisioning ?

Kaniz_Fatma · ‎03-08-2024

Hi @RoyRoger711, Let’s break down your questions regarding switching SSO from OneLogin to Okta and enabling user provisioning for Databricks workspaces.

Switching SSO from OneLogin to Okta:
- When transitioning from OneLogin to Okta for Single Sign-On (SSO), you’ll need to configure the SSO method for your Databricks application in Okta.
- Okta supports different access protocols, including OpenID Connect (OIDC), SAML 2.0, and WS-Federation.
- Depending on the specific Databricks app integration, you’ll choose the appropriate SSO method. For example:
  - OIDC: If your Databricks app integration uses OIDC, follow the provided instructions to set it up.
  - SAML 2.0 or WS-Federation: These methods apply a federated approach to user authentication. Refer to the linked instructions for details on configuring SAML applications ¹.
- Additionally, consider whether you want to use Secure Web Authentication (SWA), which allows Okta to sign in to the external application for each user. SWA can be configured with various options, such as user-set usernames and passwords or administrato...¹.
User Provisioning:
- User provisioning ensures that user accounts are created, updated, or deactivated consistently across applications.
- The statement you mentioned from the provisioning documentation is important: “If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation.”
- By default, Databricks users inherit certain entitlements related to workspace access and SQL access. Admin users also inherit the create-cluster entitlement.
- If you enable provisioning, users will be added to all workspaces by default, regardless of whether you’ve enabled identity federation for those workspaces.
- Considerations for Your Scenario:
  - If you do not want to provision access to the “prod” workspace, you have a few options:
    - Avoid enabling provisioning: If you don’t want users to be automatically added to the “prod” workspace, refrain from enabling provisioning.
    - Manually manage access: Instead of relying on provisioning, manually manage user access to the “prod” workspace. This way, you can control who has access.
  - Keep in mind that if you delete a user from the account-level Databricks application in Okta, they’ll lose access to all workspaces, including “prod,” due to the inheritance of entitlements.

View solution in original post

Kaniz_Fatma · ‎03-08-2024

Hi @RoyRoger711, Let’s break down your questions regarding switching SSO from OneLogin to Okta and enabling user provisioning for Databricks workspaces.

Switching SSO from OneLogin to Okta:
- When transitioning from OneLogin to Okta for Single Sign-On (SSO), you’ll need to configure the SSO method for your Databricks application in Okta.
- Okta supports different access protocols, including OpenID Connect (OIDC), SAML 2.0, and WS-Federation.
- Depending on the specific Databricks app integration, you’ll choose the appropriate SSO method. For example:
  - OIDC: If your Databricks app integration uses OIDC, follow the provided instructions to set it up.
  - SAML 2.0 or WS-Federation: These methods apply a federated approach to user authentication. Refer to the linked instructions for details on configuring SAML applications ¹.
- Additionally, consider whether you want to use Secure Web Authentication (SWA), which allows Okta to sign in to the external application for each user. SWA can be configured with various options, such as user-set usernames and passwords or administrato...¹.
User Provisioning:
- User provisioning ensures that user accounts are created, updated, or deactivated consistently across applications.
- The statement you mentioned from the provisioning documentation is important: “If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation.”
- By default, Databricks users inherit certain entitlements related to workspace access and SQL access. Admin users also inherit the create-cluster entitlement.
- If you enable provisioning, users will be added to all workspaces by default, regardless of whether you’ve enabled identity federation for those workspaces.
- Considerations for Your Scenario:
  - If you do not want to provision access to the “prod” workspace, you have a few options:
    - Avoid enabling provisioning: If you don’t want users to be automatically added to the “prod” workspace, refrain from enabling provisioning.
    - Manually manage access: Instead of relying on provisioning, manually manage user access to the “prod” workspace. This way, you can control who has access.
  - Keep in mind that if you delete a user from the account-level Databricks application in Okta, they’ll lose access to all workspaces, including “prod,” due to the inheritance of entitlements.

Databricks Community

User Provisioning ( SCIM for OKTA)

Data + AI World Tour 2024

Databricks Community Social - July 31 - 8AM PT

Get Started With Generative AI on Databricks

Submit your feedback and win a $25 gift card!

🔔 ALERT: Act Now to Protect Your Community Account; Secure Your Details Before It's Too Late!