Identity Management and SCIM Provisioning
Who this is for:
Architecture / Concept Overview: Identity Management and SCIM Provisioning
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
IdP[Identity Provider] --> SCIM[SCIM Protocol]
SCIM --> AccountLevel[Account-Level SCIM]
AccountLevel --> Users[Account Users]
AccountLevel --> Groups[Account Groups]
Users --> WsAssign[Workspace Assignment]
Groups --> WsAssign
WsAssign --> WS1[Workspace 1]
WsAssign --> WS2[Workspace 2]
IdP:::source
SCIM:::ingestion
AccountLevel:::processing
Users:::storage
Groups:::storage
WsAssign:::serving
WS1:::governance
WS2:::governance
```
*Account-level SCIM: identity provider pushes users and groups to the Databricks account, which distributes them to assigned workspaces.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
Create[User Created in IdP] --> Sync[SCIM Sync Triggered]
Sync --> Provision[User Provisioned in Databricks]
Provision --> Assign[Workspace Assigned]
Update[Attributes Changed in IdP] --> SyncUpdate[SCIM Update Pushed]
SyncUpdate --> UpdateDB[Databricks Profile Updated]
Deactivate[User Deactivated in IdP] --> SyncDeactivate[SCIM Deactivation]
SyncDeactivate --> Revoke[Access Revoked]
Create:::source
Sync:::ingestion
Provision:::processing
Assign:::serving
Update:::source
SyncUpdate:::ingestion
UpdateDB:::storage
Deactivate:::source
SyncDeactivate:::governance
Revoke:::governance
```
*User lifecycle management: SCIM handles creation, attribute updates, and deactivation automatically as changes occur in the identity provider.*
Key Terms
Prerequisites and Setup
- Databricks Premium or Enterprise account
- Identity provider supporting SCIM 2.0 (Entra ID, Okta, OneLogin, PingFederate)
- Account admin access in Databricks for SCIM token generation
- IdP admin access for enterprise application configuration
- Planned group structure mapping IdP groups to Databricks roles
Step-by-Step Implementation
Configuration Reference
| Setting | Account-Level SCIM | Workspace-Level SCIM (Legacy) |
|---|---|---|
| Endpoint | /api/2.0/accounts/{id}/scim/v2 | /api/2.0/preview/scim/v2 |
| Scope | All workspaces | Single workspace |
| Authentication | Service principal token | PAT or service principal |
| User Operations | Create, Update, Deactivate | Create, Update, Deactivate |
| Group Operations | Create, Update, Delete, Push | Create, Update, Delete, Push |
| Nested Groups | Supported | Not supported |
| Recommended | Yes | Deprecated — migrate to account-level |
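The following Python walk-through is an added example, not Databricks' own code or SDK. It ties together the two diagrams above (account-level users and groups distributed to workspaces; the create, update and deactivate lifecycle) and the account-level column of the configuration table: requests go to the `/api/2.0/accounts/{id}/scim/v2` path with a bearer token, users are deactivated with a SCIM `PatchOp` setting `active` to `false` rather than deleted, and a user's effective workspace access is derived from group membership. The host name, account id, token, user and group values, and the in-memory fake server are all constructed so the code runs offline; the `Content-Type` and the schema URNs follow RFC 7643/7644, not a Databricks-specific detail on this page.

```python
"""Account-level SCIM lifecycle against an in-memory fake server (added example).

The endpoint path /api/2.0/accounts/{id}/scim/v2 is from the configuration
table; host, account id, token, user and group values are placeholders.
"""
import uuid

ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real account
SCIM_BASE = f"https://accounts.example.test/api/2.0/accounts/{ACCOUNT_ID}/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class FakeScimServer:
    """Stands in for the account-level SCIM endpoint so the example runs offline."""

    def __init__(self, expected_token):
        self.expected_token = expected_token
        self.users = {}   # resource id -> user resource
        self.groups = {}  # resource id -> group resource

    def handle(self, method, url, headers, body):
        # Every request must carry the service principal bearer token.
        if headers.get("Authorization") != f"Bearer {self.expected_token}":
            return 401, {"detail": "unauthorized"}
        path = url[len(SCIM_BASE):]
        if method == "POST" and path in ("/Users", "/Groups"):
            store = self.users if path == "/Users" else self.groups
            rid = str(uuid.uuid4())
            store[rid] = {**body, "id": rid}
            return 201, store[rid]
        if method == "PATCH":
            kind, rid = path.split("/")[1:3]  # "/Users/<id>" -> ("Users", "<id>")
            resource = (self.users if kind == "Users" else self.groups).get(rid)
            if resource is None:
                return 404, {"detail": "not found"}
            for op in body["Operations"]:  # RFC 7644 PatchOp operations
                if op["op"] == "replace":
                    resource[op["path"]] = op["value"]
                elif op["op"] == "add" and op["path"] == "members":
                    resource.setdefault("members", []).extend(op["value"])
            return 200, resource
        return 400, {"detail": "unsupported operation"}


class ScimClient:
    """Builds account-level SCIM requests and sends them through an injected transport."""

    def __init__(self, token, transport):
        self.token = token
        self.transport = transport  # callable(method, url, headers, body) -> (status, body)

    def _call(self, method, path, body):
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/scim+json"}
        status, resp = self.transport(method, SCIM_BASE + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {resp}")
        return resp

    def create_user(self, user_name, display_name):
        return self._call("POST", "/Users", {"schemas": [USER_SCHEMA], "userName": user_name,
                                             "displayName": display_name, "active": True})

    def patch_user(self, user_id, operations):
        return self._call("PATCH", f"/Users/{user_id}",
                          {"schemas": [PATCH_SCHEMA], "Operations": operations})

    def deactivate_user(self, user_id):
        # Deactivate instead of DELETE: the record and its audit trail stay, access goes away.
        return self.patch_user(user_id, [{"op": "replace", "path": "active", "value": False}])

    def create_group(self, display_name):
        return self._call("POST", "/Groups", {"schemas": [GROUP_SCHEMA], "displayName": display_name})

    def add_member(self, group_id, user_id):
        return self._call("PATCH", f"/Groups/{group_id}", {"schemas": [PATCH_SCHEMA], "Operations": [
            {"op": "add", "path": "members", "value": [{"value": user_id}]}]})


def effective_workspaces(server, assignments, user_id):
    """Workspaces reachable by a user: active account user AND member of an assigned group."""
    user = server.users.get(user_id)
    if not user or not user.get("active"):
        return set()
    reachable = set()
    for group in server.groups.values():
        if user_id in {m["value"] for m in group.get("members", [])}:
            reachable |= assignments.get(group["displayName"], set())
    return reachable


def run_lifecycle():
    """Create -> update -> deactivate, the three flows of the lifecycle diagram."""
    token = "PLACEHOLDER-SERVICE-PRINCIPAL-TOKEN"  # constructed; never hard-code a real one
    server = FakeScimServer(token)
    client = ScimClient(token, server.handle)
    assignments = {"data-engineers": {"Workspace 1", "Workspace 2"}}  # IdP group -> workspaces
    group = client.create_group("data-engineers")
    user = client.create_user("alice@example.test", "Alice Example")
    client.add_member(group["id"], user["id"])
    after_create = effective_workspaces(server, assignments, user["id"])
    client.patch_user(user["id"], [{"op": "replace", "path": "displayName", "value": "Alice Q. Example"}])
    client.deactivate_user(user["id"])
    return {
        "after_create": after_create,
        "display_name": server.users[user["id"]]["displayName"],
        "after_deactivate": effective_workspaces(server, assignments, user["id"]),
        "record_retained": user["id"] in server.users,
    }
```

`run_lifecycle()` returns the access the user had after provisioning (both assigned workspaces), the updated profile attribute, an empty set after deactivation, and confirmation that the user record was retained. The transport is injected so the same client can be pointed at a real HTTPS call with the service principal token from the prerequisites; the fake rejects any request without the expected bearer token, which is the check to keep in mind when a sync silently stops applying changes.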