When running Databricks across an entire organization, the "create users directly in Databricks" model breaks down. The standard design is to manage users and groups centrally in your IdP (Entra ID, Okta, Google Workspace, etc.) and federate those identities into Databricks.
This article walks through SSO authentication via SAML 2.0/OIDC, automated identity provisioning via SCIM, the relationship between Account Console and Workspace, and identity management best practices in the Unity Catalog era.
SSO (Single Sign-On) lets a user authenticate once at the IdP and have that session carry over into Databricks. Databricks supports two SSO protocols.
| Protocol | Standards body | Token format | Major IdPs | Databricks recommendation |
|---|---|---|---|---|
| SAML 2.0 | OASIS | XML assertion | Entra ID, Okta, ADFS, OneLogin | Long-standing standard (still supported) |
| OIDC (OpenID Connect) | OpenID Foundation | JWT token | Entra ID, Okta, Google Workspace | Recommended for new deployments |
SAML 2.0 has a long track record but is XML-based and somewhat complex to configure. OIDC is a lightweight, modern, JWT-based protocol, and Databricks recommends OIDC for new setups. You do not need to forcibly migrate existing SAML configurations.
The SAML 2.0 SSO authentication flow consists of the following steps.
With OIDC (Authorization Code Flow), an ID Token (JWT) is used in place of the SAML assertion. From the user's perspective, the experience is identical: authenticate at the IdP login screen and you are automatically logged in to Databricks.
SCIM (System for Cross-domain Identity Management) is a protocol that automatically syncs user and group changes from the IdP to Databricks. While SSO unifies authentication (login), SCIM unifies the identity lifecycle (creation, updates, deactivation, deletion).
| Action on the IdP | Resulting change in Databricks via SCIM |
|---|---|
| Create a user | A user is automatically created in Databricks |
| Add a user to a group | The user is added to the corresponding group in Databricks |
| Update user attributes (display name, etc.) | The attributes are updated in Databricks |
| Deactivate a user | The user is deactivated in Databricks (active=false) |
| Delete a group | The corresponding group is deleted in Databricks |
If you use SSO alone without SCIM, deactivating a user in the IdP leaves the Databricks user record in place. If their PAT is still valid, they can keep accessing the API — a real risk. For production, configuring both SSO and SCIM is mandatory.
Databricks has two levels — Account and Workspace — and identity management mirrors that two-tier structure.
| Level | Managed scope | SSO configuration | SCIM endpoint |
|---|---|---|---|
| Account | All users, groups, and workspaces in the account | Account Console SSO | Account-level SCIM API |
| Workspace | Users assigned to that specific workspace | Workspace SSO (can inherit from Account SSO) | Workspace-level SCIM API |
The recommended Unity Catalog-era configuration is to sync with the IdP via Account-level SCIM and manage users and groups centrally at the account. Each workspace then assigns account-level users and groups to itself. Workspace-level SCIM remains supported as a legacy configuration, but Account-level SCIM is the recommended approach for new deployments.
Here is the typical enterprise Identity Federation setup flow.
Group management under Identity Federation is critical because it ties directly into Unity Catalog permission management.
| IdP | SSO protocol | SCIM support | Setup notes |
|---|---|---|---|
| Entra ID (Azure AD) | SAML 2.0 / OIDC | Supported via gallery app | Search for "Databricks" in the gallery and add it. Generate the SCIM token in the Account Console |
| Okta | SAML 2.0 / OIDC | Supported via OIN catalog | Use the "Databricks" app from the Okta Integration Network. Register the API Token in the Provisioning settings |
| Google Workspace | SAML 2.0 | Supported via a custom SCIM app | Manually add a SAML app in the Google Admin Console. For SCIM integration, consider third-party tooling |
| OneLogin | SAML 2.0 / OIDC | Supported via connector | Add "Databricks" from the OneLogin app catalog. Configure provisioning via the SCIM connector |
Security & Governance
問題 1
A company uses Okta as its IdP and has configured SSO (SAML 2.0) with Databricks. After deactivating the Okta account of a recently departed employee, that employee can still access the Databricks REST API using a Personal Access Token (PAT) they issued earlier. Which option provides a structural fix for this problem?
正解: A
SSO alone only unifies login-time authentication — it doesn't manage the lifecycle of API tokens like PATs. With SCIM configured, an IdP Deactivate flows through to the Databricks user being deactivated, and the deactivated user's PAT becomes invalid as well. IP restrictions are unreliable because the former employee's IP could change. Switching to OIDC is just a protocol change and doesn't solve the problem. Shortening PAT expiration is a mitigation, not a structural fix.
What is the difference between SCIM provisioning and SSO (SAML/OIDC)?
SSO is the authentication mechanism — the protocol (SAML 2.0 or OIDC) used when a user logs in to Databricks via an IdP. SCIM is the identity lifecycle management mechanism that automatically reflects user/group additions, changes, and deletions from the IdP into Databricks. If you only configure SSO, deleting a user from the IdP leaves the Databricks user record intact. Adding SCIM means a Deactivate in the IdP automatically deactivates the Databricks user, so the security best practice is to configure both SSO and SCIM.
What is the difference between Account Console SSO and Workspace SSO?
Account Console SSO is the SSO configuration used to log in to the Databricks account-wide admin console. Workspace SSO is used for logging in to individual workspaces. The Unity Catalog-era best practice is to configure SSO at the Account Console level and have each workspace inherit that configuration. This removes the need to manage SSO per workspace and consolidates the IdP integration point to one place.
How does Identity Federation appear on the Databricks certification exams?
It is tested in the Security & Governance domain of the Data Engineer Professional exam. Typical question patterns include: which protocols integrate the IdP with Databricks, the role of SCIM, the relationship between Account Console and Workspace SSO settings, and what happens on the Databricks side when a user is deleted from the IdP. You will not be asked to write specific XML or JSON syntax — the focus is on understanding concepts and operational best practices.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...