With the recent changes to Databricks login in order to increase our customers' security posture, some customers might be scrambling to set up SSO on their Databricks account and workspaces. Many of the startups and small organizations that I work with don't already have an SSO provider and might be looking around for a cheap/free provider to get started with. Fortunately, Auth0 is an SSO provider with a free tier. Now, this isn't some sponsored ad for Auth0; I literally just did a search on "free SSO provider" and Auth0 was the first result. So, I signed up for a free account and went through the SSO setup with Auth0 and Databricks in order to create this step-by-step guide to help my customers.
Please note that the following applies to Databricks on AWS; for Databricks on Azure or GCP, SSO is natively integrated into the cloud provider's SSO mechanism.
You'll need to open two browser tabs:
When you sign up for your free account at Auth0, you can use any email address you want.
You do not have to use the same email address with Auth0 that you use for your Databricks Account Owner. They certainly can be the same email address for both, but it's not required.
In this guide, I will be using two different emails:
Auth0 | aaron.binns@databricks.com
Databricks Account Owner | aaron.binns+deployment-demo@databricks.com
The only reason why I'm using two different emails is because I created a Databricks account using aaron.binns+deployment-demo@databricks.com about 3 years ago when I was creating another HOWTO guide, and I have kept that Databricks account around for testing and writing guides like this. So, as you read through this guide, you'll see screenshots using those two email addresses.
If Auth0 sends you through some sort of onboarding flow, skip it and just start at the main Auth0 dashboard - https://manage.auth0.com/dashboard
The first thing we'll do in Auth0 is add our Databricks Account Owner email as a user in Auth0.
Navigate to the User Management > Users page in Auth0 and click Create User.
It's recommended that you use the same password that you used when you originally signed up for Databricks with the Account Owner's email address (just to keep things simple), but you can choose whatever password you want.
Switch back to your browser tab with the Databricks Account Console. We will be toggling between the two browser tabs for Databricks Account Console and Auth0 in order to complete the SSO setup. Start by preparing the Databricks Account Console for SSO:
Go to Settings > Single sign-on
Click Manage to start the SSO setup process:
Then, from the SSO configuration pop-up's drop-down, choose SAML 2.0:
Leave the Databricks account console here, and switch back to the Auth0 tab.
In Auth0, go to Applications > Applications and click Create Application:
Give it a meaningful name, such as Databricks.
You will see a bunch of pre-defined options for integrating with various web applications and technologies, but you won't see Databricks in that list. That's no problem because we will configure it manually. However, you also won't find "I'll configure it manually" in that list either. So, what we do is just choose one, then ignore it and proceed with manual setup anyways. I chose Apache since it seemed the least obnoxious and I was able to get it to work. I recommend you also go with Apache, but presumably the others would work just as well. Click the blue Continue button.
This will create your SSO application. Navigate to the Addons tab, then click the SAML2 WEB APP tile to bring up a pop-up window to configure the SSO application for SAML 2.0:
Now comes the part where we copy values between the Databricks SSO setup and the Auth0 SSO setup so that the two systems can talk to each other properly and do the SSO dance.
A) Copy Identity Provider Login URL from Auth0 and paste into Single Sign-On URL on Databricks.
B) Copy Issuer from Auth0 and paste into Entity ID on Databricks.
C) On Auth0, download the Identity Provider Metadata file and open it in a text editor to copy the X.509 Certificate to paste into Databricks. NOTE: the X.509 certificate value should be one long string, so don't accidentally put any line breaks/newlines in it when you copy/paste.
D) Don't save the Databricks SSO config yet. First, go back to Auth0 and change from the Usage tab to the Settings tab:
E) From Databricks, copy the Databricks redirect URL and paste it into the Auth0 Application Callback URL:
F) On the Auth0 Settings tab, in the Settings text-box (looks like dark-mode), replace everything there with the following (note that it must be valid JSON, so there is no trailing comma after the last array element):
{
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "signResponse": true,
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
If you don't have these specific settings, the SSO won't work.
G) Scroll to the bottom of the Auth0 Settings tab and click Enable.
It will give you a little pop-up telling you that it can take up to 30 seconds for the settings to take effect. So, take a breather and relax, we're almost there.
Also, confusingly, when you click Enable, it will turn into a Save/Cancel pair of buttons.
I went ahead and hit Save just to be sure, but even after you click Save the Save/Cancel buttons remain on the screen and the only way to dismiss the window is to hit Cancel (or the X button in the upper-right corner of the window). So, go ahead and hit Cancel to dismiss the pop-up window.
Once you've dismissed the SAML2 config pop-up, you'll see that the SAML2 add-on is enabled:
H) Go back to the Databricks browser tab and (finally) Save the SSO configuration.
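The three values copied in steps A to C all come from the Identity Provider Metadata file. The following is an added Python example (not part of the original guide) that pulls them out of a constructed sample of that file and collapses the X.509 certificate into one whitespace-free string, which is exactly the copy/paste mistake the NOTE in step C warns about. The tenant host, client id and certificate body in the sample are placeholders, not values from a real Auth0 tenant.

```python
# Pull the three values Databricks asks for (Login URL, Issuer, X.509 cert)
# out of an Auth0 SAML IdP metadata file and flatten the cert to one line.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: tenant host, client id and certificate body are
# placeholders, not values from a real Auth0 tenant.
SAMPLE_METADATA = """<EntityDescriptor entityID="urn:example-tenant.us.auth0.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>
          {cert}
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.us.auth0.com/samlp/PLACEHOLDER_CLIENT_ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def placeholder_cert_b64() -> str:
    """Base64 of placeholder bytes, wrapped at 64 columns like a real metadata file."""
    raw = base64.b64encode(b"NOT-A-REAL-CERTIFICATE-" * 6).decode()
    return "\n          ".join(raw[i:i + 64] for i in range(0, len(raw), 64))

def extract_sso_values(metadata_xml: str) -> dict:
    """Return login_url (Single Sign-On URL), issuer (Entity ID) and certificate."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:SingleSignOnService", NS)
    cert_el = root.find(".//ds:X509Certificate", NS)
    if sso is None or cert_el is None:
        raise ValueError("metadata lacks SingleSignOnService or X509Certificate")
    # Collapse the wrapped, indented certificate body into one unbroken string.
    cert = "".join((cert_el.text or "").split())
    # Strict decode rejects anything that is not base64, e.g. a stray character
    # or a mangled line picked up while copy/pasting from the text editor.
    base64.b64decode(cert, validate=True)
    return {"login_url": sso.get("Location"),
            "issuer": root.get("entityID"), "certificate": cert}

if __name__ == "__main__":
    print(extract_sso_values(SAMPLE_METADATA.format(cert=placeholder_cert_b64())))
```

Point the same function at the metadata file you downloaded from Auth0 and the three printed values are the ones to paste into Single Sign-On URL, Entity ID and x.509 Certificate respectively.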
Once you save the Databricks SSO configuration in the previous step, that Save button turns into a Test SSO button:
Go ahead and click on Test SSO. This will open up a new browser tab with the Auth0 SSO page, where you can log in with the email and password for the Databricks Account Owner that you added to Auth0 (aaron.binns+deployment-demo@databricks.com in this example).
It works!
If the test was successful, then you are redirected back to the Databricks SSO setup screen and that Test SSO button is now Enable SSO.
Go ahead and click Enable SSO. The pop-up window will refresh in-place and that Enable SSO button will turn into a Disable SSO button.
We don't want to disable SSO, so just dismiss the window.
Now your Databricks Account Console settings show that Authentication is set for Single Sign-On:
Congratulations!
You can now go back to Auth0 and add the rest of your users.
Now that you have SSO set up at the account level, I strongly recommend you also set up
The emergency access is super important, in case there's an Auth0 outage, or you accidentally break something in the Auth0 SSO config. Without emergency access configured, you could be totally locked-out of your Databricks account in the event of an Auth0 problem.
In addition, Unified Login is also recommended, as it enables the same SSO login for the Databricks Account Console and all of your Workspaces.