Databricks

Databricks Identity Federation Deep Dive: SSO, SCIM, and Organizational Integration

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

When running Databricks across an entire organization, the "create users directly in Databricks" model breaks down. The standard design is to manage users and groups centrally in your IdP (Entra ID, Okta, Google Workspace, etc.) and federate those identities into Databricks.

This article walks through SSO authentication via SAML 2.0/OIDC, automated identity provisioning via SCIM, the relationship between Account Console and Workspace, and identity management best practices in the Unity Catalog era.

How SSO Works: SAML 2.0 and OIDC

SSO (Single Sign-On) lets a user authenticate once at the IdP and have that session carry over into Databricks. Databricks supports two SSO protocols.

ProtocolStandards bodyToken formatMajor IdPsDatabricks recommendation
SAML 2.0OASISXML assertionEntra ID, Okta, ADFS, OneLoginLong-standing standard (still supported)
OIDC (OpenID Connect)OpenID FoundationJWT tokenEntra ID, Okta, Google WorkspaceRecommended for new deployments

SAML 2.0 has a long track record but is XML-based and somewhat complex to configure. OIDC is a lightweight, modern, JWT-based protocol, and Databricks recommends OIDC for new setups. You do not need to forcibly migrate existing SAML configurations.

SSO Authentication Flow

The SAML 2.0 SSO authentication flow consists of the following steps.

  1. The user accesses the Databricks workspace URL
  2. Databricks generates a SAML AuthnRequest and redirects to the IdP
  3. The user authenticates at the IdP (password + MFA, etc.)
  4. The IdP generates a SAML Response and redirects back to Databricks
  5. Databricks validates the assertion and creates a user session

With OIDC (Authorization Code Flow), an ID Token (JWT) is used in place of the SAML assertion. From the user's perspective, the experience is identical: authenticate at the IdP login screen and you are automatically logged in to Databricks.

Automated Provisioning with SCIM

SCIM (System for Cross-domain Identity Management) is a protocol that automatically syncs user and group changes from the IdP to Databricks. While SSO unifies authentication (login), SCIM unifies the identity lifecycle (creation, updates, deactivation, deletion).

Action on the IdPResulting change in Databricks via SCIM
Create a userA user is automatically created in Databricks
Add a user to a groupThe user is added to the corresponding group in Databricks
Update user attributes (display name, etc.)The attributes are updated in Databricks
Deactivate a userThe user is deactivated in Databricks (active=false)
Delete a groupThe corresponding group is deleted in Databricks

If you use SSO alone without SCIM, deactivating a user in the IdP leaves the Databricks user record in place. If their PAT is still valid, they can keep accessing the API — a real risk. For production, configuring both SSO and SCIM is mandatory.

Account Console vs Workspace: The Two-Tier Identity Model

Databricks has two levels — Account and Workspace — and identity management mirrors that two-tier structure.

LevelManaged scopeSSO configurationSCIM endpoint
AccountAll users, groups, and workspaces in the accountAccount Console SSOAccount-level SCIM API
WorkspaceUsers assigned to that specific workspaceWorkspace SSO (can inherit from Account SSO)Workspace-level SCIM API

The recommended Unity Catalog-era configuration is to sync with the IdP via Account-level SCIM and manage users and groups centrally at the account. Each workspace then assigns account-level users and groups to itself. Workspace-level SCIM remains supported as a legacy configuration, but Account-level SCIM is the recommended approach for new deployments.

End-to-End Identity Federation Flow

Here is the typical enterprise Identity Federation setup flow.

  1. Register Databricks as an application in the IdP: create a SAML/OIDC application in Entra ID or Okta and configure the Databricks ACS URL / Redirect URI
  2. Configure SSO in Databricks: in the Account Console, register the IdP metadata (Entity ID, Login URL, certificate)
  3. Configure SCIM provisioning: enable the SCIM connector on the IdP side and set the Databricks SCIM API endpoint and Bearer token
  4. Configure group mapping: set up the IdP's groups (data-engineers, ml-team, etc.) to sync into Databricks
  5. Assign users to workspaces: from the Account Console, assign users and groups to workspaces
  6. Validate: log in via SSO with a test user and confirm that SCIM sync creates the user correctly

Group Management Best Practices

Group management under Identity Federation is critical because it ties directly into Unity Catalog permission management.

  • IdP groups = Databricks groups: define groups such as data-engineers, data-scientists, and platform-admins in the IdP and sync them to Databricks via SCIM
  • Keep Databricks-local groups to a minimum: local groups that aren't synced by SCIM scatter management across systems — limit them to special cases like workspace admins
  • Watch out for nested group limitations: some SCIM providers have restrictions on nested group sync. A flat group structure is recommended
  • Grant Unity Catalog permissions to groups, not individuals: assign permissions via GRANT statements to groups, and let membership changes happen entirely on the IdP side

Configuration Notes by IdP

IdPSSO protocolSCIM supportSetup notes
Entra ID (Azure AD)SAML 2.0 / OIDCSupported via gallery appSearch for "Databricks" in the gallery and add it. Generate the SCIM token in the Account Console
OktaSAML 2.0 / OIDCSupported via OIN catalogUse the "Databricks" app from the Okta Integration Network. Register the API Token in the Provisioning settings
Google WorkspaceSAML 2.0Supported via a custom SCIM appManually add a SAML app in the Google Admin Console. For SCIM integration, consider third-party tooling
OneLoginSAML 2.0 / OIDCSupported via connectorAdd "Databricks" from the OneLogin app catalog. Configure provisioning via the SCIM connector

Key Exam Points

  • "What happens on the Databricks side when an IdP user is deactivated?" → If SCIM is configured, it auto-updates to active=false
  • "SSO is configured, but users are not being auto-created in Databricks" → You need SSO JIT provisioning or SCIM
  • "How to centrally manage users across multiple workspaces" → Account-level SCIM
  • "Which authentication protocols does SSO support?" → SAML 2.0 or OIDC
  • "Benefit of group-based access control" → Membership changes are handled entirely on the IdP side, eliminating per-user permission management

Check with a Sample Question

Security & Governance

問題 1

A company uses Okta as its IdP and has configured SSO (SAML 2.0) with Databricks. After deactivating the Okta account of a recently departed employee, that employee can still access the Databricks REST API using a Personal Access Token (PAT) they issued earlier. Which option provides a structural fix for this problem?

  1. Configure Account-level SCIM provisioning so that deactivations in Okta automatically deactivate the corresponding Databricks user
  2. Configure an IP Access List to block the former employee's IP address
  3. Change the SSO configuration from SAML 2.0 to OIDC
  4. Introduce a company-wide policy that sets PAT expiration to 7 days

正解: A

SSO alone only unifies login-time authentication — it doesn't manage the lifecycle of API tokens like PATs. With SCIM configured, an IdP Deactivate flows through to the Databricks user being deactivated, and the deactivated user's PAT becomes invalid as well. IP restrictions are unreliable because the former employee's IP could change. Switching to OIDC is just a protocol change and doesn't solve the problem. Shortening PAT expiration is a mitigation, not a structural fix.

Frequently Asked Questions

What is the difference between SCIM provisioning and SSO (SAML/OIDC)?

SSO is the authentication mechanism — the protocol (SAML 2.0 or OIDC) used when a user logs in to Databricks via an IdP. SCIM is the identity lifecycle management mechanism that automatically reflects user/group additions, changes, and deletions from the IdP into Databricks. If you only configure SSO, deleting a user from the IdP leaves the Databricks user record intact. Adding SCIM means a Deactivate in the IdP automatically deactivates the Databricks user, so the security best practice is to configure both SSO and SCIM.

What is the difference between Account Console SSO and Workspace SSO?

Account Console SSO is the SSO configuration used to log in to the Databricks account-wide admin console. Workspace SSO is used for logging in to individual workspaces. The Unity Catalog-era best practice is to configure SSO at the Account Console level and have each workspace inherit that configuration. This removes the need to manage SSO per workspace and consolidates the IdP integration point to one place.

How does Identity Federation appear on the Databricks certification exams?

It is tested in the Security & Governance domain of the Data Engineer Professional exam. Typical question patterns include: which protocols integrate the IdP with Databricks, the role of SCIM, the relationship between Account Console and Workspace SSO settings, and what happens on the Databricks side when a user is deleted from the IdP. You will not be asked to write specific XML or JSON syntax — the focus is on understanding concepts and operational best practices.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.