cancel
Showing results for 
Search instead for 
Did you mean: 
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 

Why does use of Azure SSO require Databricks PAT enabled ?

phguk
New Contributor III

My org uses Databricks and SSO. 

We are keen to disable the use of PAT but have noticed that when it's disabled, we're not able to use SSO. May I ask why does SSO have a dependency on PATs [arguably they are two distinct authentication methods] ?

Also, when a user logs on using SSO, when we inspect Access tokens, we see "This token is created by AzureAD". 

Any insight appreciated. Is this the way Databricks has worked before, or is this new behaviour ?

Thanks Paul

1 ACCEPTED SOLUTION

Accepted Solutions

Kaniz
Community Manager
Community Manager

Hi @phguk , 

  1. Disabling Personal Access Tokens (PATs):

    • By default, all users in an Azure Databricks account have access to the Personal Compute default policy, which includes the ability to create PATs.
    • To disable PATs account-wide, follow these steps:
      1. Navigate to the Databricks Account Console.
      2. Click the Settings icon.
      3. Go to the Feature enablement tab.
      4. Switch the Personal Compute setting from “Enable for all” to "Delegate"1.
    • This action will prevent users from creating new PATs.
  2. SSO Configuration:

    • SSO relies on external identity providers (like AzureAD) to authenticate users.
    • Ensure that your SSO configuration is correctly set up:
      • Configure Databricks to use your identity provider (e.g., AzureAD).
      • Verify that the SSO URL is correctly configured in Databricks.
      • Test SSO to ensure it works seamlessly.
    • If you encounter issues, consider checking the following:
  3. Permission Settings:

    • You mentioned the Permission Settings button. It’s worth exploring:
      • Disabling tokens for non-named users could be a viable approach.
      • Review the permissions assigned to different user roles (e.g., admins, developers, viewers).
      • Ensure that SSO users have appropriate permissions for their tasks.
      • Consult Databricks documentation or support for detailed guidance on permission settings.

In summary, disabling PATs and relying solely on SSO involves adjusting settings, validating configurations, and ensuring proper permissions. If you encounter any challenges, consider reaching out. Keep securing those data pipelines, Paul! 🔒🔍

 

View solution in original post

3 REPLIES 3

Kaniz
Community Manager
Community Manager

Hi @phgukLet’s delve into the intricacies of Databricks, SSO, and personal access tokens (PATs). 🚀

  1. SSO and PATs:

    • Single Sign-On (SSO) and personal access tokens (PATs) serve different purposes, but they can intersect in certain scenarios.
    • SSO allows users to authenticate once and access multiple services without re-entering credentials. It’s a convenient way to manage access across various platforms.
    • PATs, on the other hand, are tokens generated for specific tasks or automation within Databricks. They’re like secret keys that grant access to specific resources.
    • Now, why does SSO seem to depend on PATs? Let’s explore:
      • When you disable PATs, it might impact certain behind-the-scenes processes related to SSO configuration.
      • Some SSO implementations rely on tokens (like PATs) for specific interactions with services. For example, during SSO setup, Databricks might use a token to validate the identity provider (e.g., AzureAD).
      • While SSO itself doesn’t directly depend on PATs, the overall authentication ecosystem can be interconnected. Disabling PATs might inadvertently affect SSO workflows.
      • It’s essential to consult Databricks documentation or support to understand the specifics of this interaction in your environment.
  2. “This token is created by AzureAD”:

    • When a user logs in using SSO, the access token generated is indeed associated with Azure Active Directory (AzureAD).
    • This behavior is consistent with how Databricks integrates with identity providers. AzureAD plays a crucial role in SSO, and the token’s origin reflects that.
    • Essentially, the token acts as proof of successful authentication via AzureAD, allowing the user to access Databricks resources seamlessly.
  3. Historical Context:

    • Databricks has evolved over time, and its behavior aligns with industry standards and best practices.
    • The integration of SSO and identity providers has been refined to enhance security and user experience.

Keep exploring the data galaxy, Paul! 🌟🔍

 

phguk
New Contributor III

Hi @Kaniz , thanks for responding.  If we want to disable use of personal PATs and only rely on SSO authentication, how do we accomplish this ? Settings/Advanced provides the ability to disable the use of PAT but our experience suggests this breaks SSO. Might the answer be to use the Permission Settings button and just disable tokens for non-named users ?

Rgds Paul

Kaniz
Community Manager
Community Manager

Hi @phguk , 

  1. Disabling Personal Access Tokens (PATs):

    • By default, all users in an Azure Databricks account have access to the Personal Compute default policy, which includes the ability to create PATs.
    • To disable PATs account-wide, follow these steps:
      1. Navigate to the Databricks Account Console.
      2. Click the Settings icon.
      3. Go to the Feature enablement tab.
      4. Switch the Personal Compute setting from “Enable for all” to "Delegate"1.
    • This action will prevent users from creating new PATs.
  2. SSO Configuration:

    • SSO relies on external identity providers (like AzureAD) to authenticate users.
    • Ensure that your SSO configuration is correctly set up:
      • Configure Databricks to use your identity provider (e.g., AzureAD).
      • Verify that the SSO URL is correctly configured in Databricks.
      • Test SSO to ensure it works seamlessly.
    • If you encounter issues, consider checking the following:
  3. Permission Settings:

    • You mentioned the Permission Settings button. It’s worth exploring:
      • Disabling tokens for non-named users could be a viable approach.
      • Review the permissions assigned to different user roles (e.g., admins, developers, viewers).
      • Ensure that SSO users have appropriate permissions for their tasks.
      • Consult Databricks documentation or support for detailed guidance on permission settings.

In summary, disabling PATs and relying solely on SSO involves adjusting settings, validating configurations, and ensuring proper permissions. If you encounter any challenges, consider reaching out. Keep securing those data pipelines, Paul! 🔒🔍

 
Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!