AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Databricks
Introduction
This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Databricks using SAML.
Prerequisites
You’ll need the following to set up SSO access to Databricks:
- Access to the IAM Identity Center console with permissions to manage applications.
- An administrator account that has permissions to configure SAML SSO.
Setup instructions
- On the Databricks page in the IAM Identity Center console, in the Details section, fill in the Display name and the Description (optional) of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one of the same application.
- Log in to Databricks with your administrator account (Example: https://DOMAINNAME.cloud.databricks.com).
- Click on Your Account, then choose Admin Console.
- Next, click on the Single Sign On tab.
- Insert these values:
  - Download the IAM Identity Center certificate, copy its content, then upload the IAM Identity Center certificate to x.509 Certificate.
- Click on Enable SSO.
- On the Databricks Single Sign-On page, copy the Databricks SAML URL.
- Go back to the IAM Identity Center console page where you are configuring the application.
- Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values." to display the application metadata settings.
- Insert these values:
Field | Value
---|---
Application ACS URL | Databricks SAML URL
Application SAML audience | Databricks SAML URL
- Click Save Changes.
- Assign a user to the application in IAM Identity Center.
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Verifying SSO from IAM Identity Center
- Access the AWS access portal using the credentials of a user assigned to the Databricks application.
- In the list of applications, choose Databricks to initiate a login to Databricks.
- If login was successful, you will be signed in to the Databricks application.
Troubleshooting
If sign-in was not successful, please see the troubleshooting steps.
Verifying Service Provider Initiated SSO from Databricks
- Access the Databricks login page (Example: https://DOMAINNAME.cloud.databricks.com).
- Click on Single Sign On.
- Log in to the IAM Identity Center portal using the credentials of a user assigned to the Databricks application.
- If login was successful, you will be signed in to the Databricks application.
Troubleshooting
If sign-in was not successful, please see the troubleshooting steps.
Troubleshooting
Error | Issue | Solution |
---|---|---|
Other | When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default, your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to contain the user's email in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings. Additionally, the 'name' attribute being sent to the provider should not be the user's email address; make sure that your 'name' attribute is not mapped to an email. |
For general troubleshooting problems, please refer to Troubleshooting Guide.
User Provisioning Types
There are two user provisioning types you need to be aware of:
- Preprovisioned users
Preprovisioned users means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users
JIT (or Just-In-Time) users means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.
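The troubleshooting row above and the preprovisioning note both come down to what the assertion carries in Subject, Email and name versus what Databricks has on record. The following added example (not from this guide or from AWS or Databricks) checks a decoded assertion against a placeholder Databricks SAML URL and a constructed list of preprovisioned user emails; the sample assertions are constructed, and signature verification is deliberately out of scope.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Placeholder for the workspace's own Databricks SAML URL (the value copied
# from the Single Sign-On page); constructed, not a real endpoint.
DATABRICKS_SAML_URL = "https://DOMAINNAME.cloud.databricks.com/SAML-URL-PLACEHOLDER"
# Constructed list of preprovisioned Databricks users (their workspace emails).
KNOWN_USERS = {"jane.doe@example.com"}

def make_assertion(subject, email, name, audience):
    """Build a minimal unsigned assertion for exercising the mapping checks."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>{name}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _attr(root, attr_name):
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if a.get("Name") == attr_name:
            return a.findtext("saml:AttributeValue", namespaces=NS)
    return None

def check_assertion(xml_text, expected_audience=DATABRICKS_SAML_URL, known_users=KNOWN_USERS):
    """Return the mapping problems found; an empty list means the assertion
    carries what Databricks expects (audience, subject, email, name)."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} is not the Databricks SAML URL")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject not in known_users:
        problems.append(f"Subject {subject!r} is not a preprovisioned Databricks user")
    if _attr(root, "email") != subject:
        problems.append("Email attribute does not match the Subject")
    name = _attr(root, "name")
    if name and EMAIL_RE.match(name):
        problems.append(f"name attribute {name!r} is mapped to an email address")
    return problems

# Directory sending windowsUPN in Subject and Email, and mapping name to the UPN.
UPN = "jane.doe@corp.example.internal"
BAD = make_assertion(UPN, UPN, UPN, DATABRICKS_SAML_URL)
GOOD = make_assertion("jane.doe@example.com", "jane.doe@example.com", "Jane Doe", DATABRICKS_SAML_URL)
```

Running `check_assertion(BAD)` reports the unknown subject and the name-to-email mapping, while `check_assertion(GOOD)` returns an empty list.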