Authentication: SSO, MFA, and Identity Provider Integration
Who this is for:
Architecture / Concept Overview: Authentication: SSO, MFA, and Identity Provider Integration
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
User[User Browser] --> IdP[Identity Provider]
IdP --> |"SAML Assertion"| Databricks[Databricks SSO Endpoint]
Databricks --> MFA[MFA Challenge]
MFA --> Session[Authenticated Session]
Session --> Workspace[Workspace Access]
User:::source
IdP:::ingestion
Databricks:::processing
MFA:::governance
Session:::storage
Workspace:::serving
```
*SAML-based SSO flow: users authenticate with their IdP, receive a SAML assertion, complete MFA, and access Databricks.*
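The security of the flow above rests on what the service provider checks before it trusts the SAML assertion the IdP hands back: issuer, audience, recipient, validity window, the request it answers, and that the same assertion is not presented twice. The following added example (not Databricks code, and not from this page) shows those content checks on a constructed assertion; all URLs, entity IDs and the `_req789` request ID are placeholders, and it assumes the XML signature has already been verified by the SAML library against the IdP's registered certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and ACS URL are placeholders, not real values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req789"
          Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:databricks-sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# What the service provider expects (placeholders matching the constructed assertion).
EXPECTED_SP = dict(issuer="https://idp.example.com/saml", audience="urn:example:databricks-sp",
                   recipient="https://sp.example.com/saml/acs", request_id="_req789")
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, *, issuer, audience, recipient, request_id, now, seen_ids,
                    skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means the assertion passed.

    Signature verification is assumed to have happened already (SAML library);
    this covers only the content checks. `seen_ids` is the replay cache and is
    updated only when every other check passes.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != issuer:
        problems.append("issuer mismatch")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if audience not in audiences:
            problems.append("audience mismatch")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            problems.append("recipient mismatch")
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append("replayed assertion ID")
    elif not problems:
        seen_ids.add(assertion_id)
    return problems


def demo():
    """Run the checks over the constructed assertion in four situations."""
    seen = set()
    ok = check_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=seen, **EXPECTED_SP)
    replay = check_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=seen, **EXPECTED_SP)
    late = check_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW + timedelta(minutes=10),
                           seen_ids=set(), **EXPECTED_SP)
    wrong_aud = check_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW, seen_ids=set(),
                                **{**EXPECTED_SP, "audience": "urn:example:other-sp"})
    return ok, replay, late, wrong_aud


if __name__ == "__main__":
    for label, result in zip(("fresh", "replay", "late", "wrong audience"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The audience check is what stops an assertion minted for another application at the same IdP from being accepted here, and the replay cache needs to live at least as long as the longest `NotOnOrAfter` window the IdP issues.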
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
IdP[Identity Provider] --> SCIM[SCIM Endpoint]
SCIM --> AccountUsers[Account Users]
SCIM --> AccountGroups[Account Groups]
AccountUsers --> WsAssignment[Workspace Assignment]
AccountGroups --> WsAssignment
WsAssignment --> Permissions[Role & Permission Mapping]
IdP:::source
SCIM:::ingestion
AccountUsers:::processing
AccountGroups:::processing
WsAssignment:::storage
Permissions:::serving
```
*SCIM provisioning: identity provider pushes user and group changes to Databricks, which propagates assignments to workspaces.*
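What the IdP actually pushes over SCIM is a PatchOp body (RFC 7644) that adds and removes group members so the account copy converges on the IdP copy. The added example below (not Databricks's or any IdP's code) shows how such a body is derived from a membership diff, using constructed group data with placeholder member IDs; it also covers the in-sync case, where no PATCH should be sent at all.

```python
import json

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the IdP's view of a group versus what the account currently holds.
# Member ids and the group id are placeholders.
IDP_GROUP = {"displayName": "data-engineers", "members": {"u-alice", "u-bob", "u-carol"}}
ACCOUNT_GROUP = {"id": "g-123", "displayName": "data-engineers", "members": {"u-bob", "u-dave"}}


def membership_diff(current, desired):
    """Members to add and to remove to move `current` to `desired` (sorted for stable output)."""
    return sorted(desired - current), sorted(current - desired)


def membership_patch(current, desired):
    """Build a SCIM 2.0 PatchOp body, or None when the group is already in sync."""
    to_add, to_remove = membership_diff(current, desired)
    ops = []
    if to_add:
        # One 'add' with all new members; each value is a member id reference.
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": m} for m in to_add]})
    for m in to_remove:
        # Removal uses a filter path selecting the member to drop.
        ops.append({"op": "remove", "path": f'members[value eq "{m}"]'})
    if not ops:
        return None
    return {"schemas": [SCIM_PATCH_SCHEMA], "Operations": ops}


def reconcile(account_group, idp_group):
    """Describe the request a provisioning client would send for this group."""
    body = membership_patch(account_group["members"], idp_group["members"])
    if body is None:
        return {"action": "none", "group": account_group["id"]}
    return {"action": "PATCH", "group": account_group["id"], "body": body}


if __name__ == "__main__":
    print(json.dumps(reconcile(ACCOUNT_GROUP, IDP_GROUP), indent=2))
```

Reviewing the removal operations before they are applied is the practical control here: a mis-scoped IdP group filter shows up as a burst of `remove` operations against a group that maps to broad workspace permissions.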
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
PAT[Personal Access Token] --> API[REST API]
OAuth[OAuth M2M Token] --> API
SP[Service Principal] --> OAuth
API --> AuthZ[Authorization Check]
AuthZ --> Resource[Protected Resource]
PAT:::source
OAuth:::ingestion
SP:::processing
API:::storage
AuthZ:::governance
Resource:::serving
```
*Programmatic authentication: service principals use OAuth machine-to-machine tokens while legacy integrations use PATs, both validated at the API gateway.*
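The practical difference between the two paths is that an OAuth M2M token is short-lived and minted on demand from the service principal's credentials (OAuth 2.0 client credentials grant, RFC 6749 section 4.4), whereas a PAT is a long-lived static secret. The added example below (not Databricks SDK code) builds the token request and wraps it in a small cache that refreshes before expiry; the `token_url`, client ID and secret are placeholders, the `all-apis` scope and `/oidc/v1/token` path are assumptions to be checked against the current Databricks OAuth documentation, and the transport is a stub so the example runs offline.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode


def build_m2m_token_request(token_url, client_id, client_secret, scope="all-apis"):
    """Client-credentials grant: secret travels in the Basic auth header, never in the body or URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


class M2MTokenSource:
    """Caches an access token and refreshes it `skew` before the server-stated expiry."""

    def __init__(self, request, send, now, skew=timedelta(seconds=30)):
        self.request, self.send, self.now, self.skew = request, send, now, skew
        self._token, self._expires_at = None, None
        self.fetch_count = 0  # how many times the token endpoint was actually called

    def bearer(self):
        if self._token is None or self.now() >= self._expires_at - self.skew:
            resp = self.send(self.request)
            if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._expires_at = self.now() + timedelta(seconds=int(resp["expires_in"]))
            self.fetch_count += 1
        return f"Bearer {self._token}"


def demo():
    """Drive the cache with a fake clock and a stub token endpoint (constructed, offline)."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    issued = []

    def stub_send(req):  # stands in for an HTTPS POST to the token endpoint
        issued.append(req)
        return {"access_token": f"tok-{len(issued)}", "token_type": "Bearer", "expires_in": 3600}

    req = build_m2m_token_request("https://<workspace-host>/oidc/v1/token",  # assumed endpoint
                                  "sp-client-id", "sp-client-s3cr3t")
    src = M2MTokenSource(req, stub_send, now=lambda: clock[0])
    first = src.bearer()
    clock[0] += timedelta(minutes=10)
    second = src.bearer()                      # still valid: served from cache
    clock[0] += timedelta(minutes=51)          # 61 min elapsed: past expiry minus skew
    third = src.bearer()                       # refreshed
    return first, second, third, src.fetch_count, req


if __name__ == "__main__":
    print(demo()[:4])
```

Because the token source owns refresh, the service principal's secret is read once at startup and never logged or passed around as a bearer value, which is the property a PAT cannot offer.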
Key Terms
Prerequisites and Setup
- Databricks Premium or Enterprise account with account admin access
- Identity provider supporting SAML 2.0 or OIDC (Entra ID, Okta, OneLogin, PingFederate)
- IdP admin access to create enterprise applications and configure SCIM
- DNS access if configuring custom SSO login URLs
- Test user accounts for validation before enforcing SSO
Step-by-Step Implementation
Configuration Reference
| Setting | Scope | Values | Default |
|---|---|---|---|
| SSO Protocol | Account | SAML / OIDC | Not configured |
| Password Access | Account | Enabled / Disabled | Enabled |
| SCIM Provisioning | Account | Enabled / Disabled | Disabled |
| MFA Enforcement | IdP (Conditional Access) | Required / Optional | IdP-dependent |
| Token Lifetime | Workspace | 1-730 days | 90 days |
| Session Duration | Account | 1-24 hours | 24 hours |
| OAuth M2M | Workspace | Enabled / Disabled | Enabled |
| Emergency Access | Account | Break-glass accounts | Recommended |
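The table reads as a checklist, and the combinations matter more than the individual rows: SSO configured but password access still enabled, SCIM left off so leavers are never deprovisioned, or tokens allowed to live for the full 730 days. The added example below (not Databricks tooling, and not code from this page) evaluates a settings snapshot against the table's ranges and against policy thresholds that are assumptions (90-day token maximum, matching the table's default); the two snapshots are constructed and illustrative.

```python
# Constructed settings snapshots keyed on the rows of the configuration reference table.
WEAK = {
    "sso_protocol": "Not configured", "password_access": "Enabled",
    "scim_provisioning": "Disabled", "mfa_enforcement": "Optional",
    "token_lifetime_days": 730, "session_duration_hours": 24, "emergency_access": False,
}
HARDENED = {
    "sso_protocol": "SAML", "password_access": "Disabled",
    "scim_provisioning": "Enabled", "mfa_enforcement": "Required",
    "token_lifetime_days": 90, "session_duration_hours": 8, "emergency_access": True,
}


def posture_findings(s, max_token_days=90, max_session_hours=24):
    """Return human-readable findings; an empty list means the snapshot meets the policy.

    Ranges (1-730 days, 1-24 hours) come from the reference table; the policy maxima
    are assumed defaults and should be set to the organisation's own standard.
    """
    findings = []
    if s["sso_protocol"] == "Not configured":
        findings.append("SSO not configured (SAML or OIDC)")
    elif s["password_access"] == "Enabled":
        # Password login alongside SSO leaves a route that bypasses the IdP's MFA policy.
        findings.append("password access still enabled alongside SSO")
    if s["scim_provisioning"] != "Enabled":
        findings.append("SCIM provisioning disabled: joiners/leavers are not synced from the IdP")
    if s["mfa_enforcement"] != "Required":
        findings.append("MFA not required by IdP conditional access")
    t = s["token_lifetime_days"]
    if not 1 <= t <= 730:
        findings.append(f"token lifetime {t} days is outside the supported 1-730 day range")
    elif t > max_token_days:
        findings.append(f"token lifetime {t} days exceeds policy maximum of {max_token_days}")
    h = s["session_duration_hours"]
    if not 1 <= h <= 24:
        findings.append(f"session duration {h} hours is outside the supported 1-24 hour range")
    elif h > max_session_hours:
        findings.append(f"session duration {h} hours exceeds policy maximum of {max_session_hours}")
    if not s["emergency_access"]:
        findings.append("no break-glass account for IdP outage")
    return findings


if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, posture_findings(snap) or ["OK"])
```

Run against a periodic export of account settings, the same function turns the table into a drift check rather than a one-time setup guide.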