Databricks

phguk · 2 weeks ago

My org uses Databricks and SSO.

We are keen to disable the use of PAT but have noticed that when it's disabled, we're not able to use SSO. May I ask why does SSO have a dependency on PATs [arguably they are two distinct authentication methods] ?

Also, when a user logs on using SSO, when we inspect Access tokens, we see "This token is created by AzureAD".

Any insight appreciated. Is this the way Databricks has worked before, or is this new behaviour ?

Thanks Paul

Kaniz · 2 weeks ago

Hi @phguk, Let’s delve into the intricacies of Databricks, SSO, and personal access tokens (PATs). 🚀

SSO and PATs:
- Single Sign-On (SSO) and personal access tokens (PATs) serve different purposes, but they can intersect in certain scenarios.
- SSO allows users to authenticate once and access multiple services without re-entering credentials. It’s a convenient way to manage access across various platforms.
- PATs, on the other hand, are tokens generated for specific tasks or automation within Databricks. They’re like secret keys that grant access to specific resources.
- Now, why does SSO seem to depend on PATs? Let’s explore:
  - When you disable PATs, it might impact certain behind-the-scenes processes related to SSO configuration.
  - Some SSO implementations rely on tokens (like PATs) for specific interactions with services. For example, during SSO setup, Databricks might use a token to validate the identity provider (e.g., AzureAD).
  - While SSO itself doesn’t directly depend on PATs, the overall authentication ecosystem can be interconnected. Disabling PATs might inadvertently affect SSO workflows.
  - It’s essential to consult Databricks documentation or support to understand the specifics of this interaction in your environment.
“This token is created by AzureAD”:
- When a user logs in using SSO, the access token generated is indeed associated with Azure Active Directory (AzureAD).
- This behavior is consistent with how Databricks integrates with identity providers. AzureAD plays a crucial role in SSO, and the token’s origin reflects that.
- Essentially, the token acts as proof of successful authentication via AzureAD, allowing the user to access Databricks resources seamlessly.
Historical Context:
- Databricks has evolved over time, and its behavior aligns with industry standards and best practices.
- The integration of SSO and identity providers has been refined to enhance security and user experience.

Keep exploring the data galaxy, Paul! 🌟🔍

phguk · 2 weeks ago

Hi @Kaniz , thanks for responding. If we want to disable use of personal PATs and only rely on SSO authentication, how do we accomplish this ? Settings/Advanced provides the ability to disable the use of PAT but our experience suggests this breaks SSO. Might the answer be to use the Permission Settings button and just disable tokens for non-named users ?

Rgds Paul

Kaniz · 2 weeks ago

Hi @phguk ,

Disabling Personal Access Tokens (PATs):
- By default, all users in an Azure Databricks account have access to the Personal Compute default policy, which includes the ability to create PATs.
- To disable PATs account-wide, follow these steps:
  1. Navigate to the Databricks Account Console.
  2. Click the Settings icon.
  3. Go to the Feature enablement tab.
  4. Switch the Personal Compute setting from “Enable for all” to "Delegate"¹.
- This action will prevent users from creating new PATs.
SSO Configuration:
- SSO relies on external identity providers (like AzureAD) to authenticate users.
- Ensure that your SSO configuration is correctly set up:
  - Configure Databricks to use your identity provider (e.g., AzureAD).
  - Verify that the SSO URL is correctly configured in Databricks.
  - Test SSO to ensure it works seamlessly.
- If you encounter issues, consider checking the following:
  - SSO Redirect URL: Ensure that the SSO redirect URL matches the one configured in your identity provider.
  - Token Validation: During SSO setup, Databricks might use a token (like a PAT) to validate the identity provider. Disabling PATs could impact this process.
  - User Mapping: Confirm that user mapping between SSO and Databricks is accurate.
  - AzureAD Integration: The “This token is created by AzureAD” message indicates successful SSO authent...².
Permission Settings:
- You mentioned the Permission Settings button. It’s worth exploring:
  - Disabling tokens for non-named users could be a viable approach.
  - Review the permissions assigned to different user roles (e.g., admins, developers, viewers).
  - Ensure that SSO users have appropriate permissions for their tasks.
  - Consult Databricks documentation or support for detailed guidance on permission settings.

In summary, disabling PATs and relying solely on SSO involves adjusting settings, validating configurations, and ensuring proper permissions. If you encounter any challenges, consider reaching out. Keep securing those data pipelines, Paul! 🔒🔍

Databricks

Why does use of Azure SSO require Databricks PAT enabled ?

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs