Sync users and groups from your identity provider

This article describes how to configure your identity provider (IdP) and Databricks to provision users and groups to Databricks using SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning.

About SCIM provisioning in Databricks

SCIM lets you use an identity provider (IdP) to create users in Databricks, give them the proper level of access, and remove access (deprovision them) when they leave your organization or no longer need access to Databricks.

You can use a SCIM provisioning connector in your IdP or invoke the Identity and Access Management SCIM APIs to manage provisioning. You can also use these APIs to manage identities in Databricks directly, without an IdP.

Account-level and workspace-level SCIM provisioning

You can either configure one SCIM provisioning connector from your identity provider to your Databricks account, using account-level SCIM provisioning, or configure separate SCIM provisioning connectors to each workspace, using workspace-level SCIM provisioning.

• Account-level SCIM provisioning: Databricks recommends that you use account-level SCIM provisioning to create, update, and delete all users from the account. You manage the assignment of users and groups to workspaces within Databricks. Your workspaces must be enabled for identity federation to manage users’ workspace assignments.

Requirements

To provision users and groups to Databricks using SCIM:

• Your Databricks account must have the Premium plan.

• To provision users to your Databricks account using SCIM (including the SCIM REST APIs), you must be a Databricks account admin.

• To provision users to a Databricks workspace using SCIM (including the SCIM REST APIs), you must be a Databricks workspace admin.

For more information about admin privileges, see Manage users, service principals, and groups.

You can have a maximum of 10,000 combined users and service principals and 5000 groups in an account. Each workspace can have a maximum of 10,000 combined users and service principals and 5000 groups.

Note

When you use SCIM provisioning, user and group attributes stored in your identity provider can override changes you make using the Databricks admin settings page, account console, or SCIM (Groups) API.

For example, if a user is assigned the Allow Cluster Creation entitlement in your identity provider and you remove that entitlement using the Databricks admin settings, the user will be re-granted that entitlement the next time the IdP syncs with Databricks, if the IdP is configured to provision that entitlement. The same behavior applies to groups.

Provision identities to your Databricks account

You can use SCIM to provision users and groups from your identity provider to your Databricks account using a SCIM provisioning connector or directly using the SCIM APIs.

Add users and groups to your Databricks account using an IdP provisioning connector

You can sync users and groups from your IdP to your Databricks account using a SCIM provisioning connector.

If you configure Google Cloud Identity to federate with an external IdP, that IdP may have built-in SCIM integrations. Note that if you use Google Cloud Identity as your only IdP (you do not configure it to federate with an external IdP), there is no built-in SCIM integration.

Important

If you already have SCIM connectors that sync users and groups directly to your workspaces and those workspaces are enabled for identity federation, Databricks recommends that you disable those SCIM connectors when the account-level SCIM connector is enabled. If you have workspaces that are not identity federated, we recommend that you continue to use any SCIM connectors you have configured for those workspaces, running in parallel with the account-level SCIM connector.

To configure a SCIM connector to provision users and groups to your account:

1. As an account admin, log in to the Databricks account console.

2. In the sidebar, click Settings.

3. Click User Provisioning.

4. Click Enable user provisioning.

   Copy the SCIM token and the Account SCIM URL. You will use these to configure your IdP.

5. Log in to your IdP as a user who can configure a SCIM connector to provision users.

6. Enter the following values in your IdP’s SCIM connector:

   • For the SAML provisioning URL, enter the SCIM URL you copied from Databricks.

   • For the provisioning API token, enter the SCIM token you copied from Databricks.

You can also follow these IdP-specific instructions for your IdP:

• Configure SCIM provisioning using Microsoft Azure Active Directory

• Configure SCIM provisioning for Okta

• Configure SCIM provisioning for OneLogin

Add users, service principals, and groups to your account using the SCIM API

Account admins can add users, service principals, and groups to the Databricks account using the SCIM API for Accounts. Account admins call the API on accounts.gcp.cloud.databricks.com ({account_domain}/api/2.0/accounts/{account_id}/scim/v2/) and use a SCIM token.

To get the SCIM token, do the following:

1. As an account admin, log in to the account console.

2. In the sidebar, click Settings.

3. Click User Provisioning.

   If provisioning isn’t enabled, click Enable user provisioning and copy the token.

   If provisioning is already enabled, click Regenerate token and copy the token.

Workspace admins can add users and service principals using the same API. Workspace admins cannot add groups to the account, but they can read (Get/List) them. Workspace admins call the API on the workspace domain {workspace-domain}/api/2.0/account/scim/v2/.

See the Account Groups API.

Rotate the account-level SCIM token

If the account-level SCIM token is compromised or if you have business requirements to rotate authentication tokens periodically, you can rotate the SCIM token.

1. As a Databricks account admin, log in to the account console.

2. In the sidebar, click Settings.

3. Click User Provisioning.

4. Click Regenerate token. Make a note of the new token. The previous token will continue to work for 24 hours.

5. Within 24 hours, update your SCIM application to use the new SCIM token.

Provision identities to a Databricks workspace

Preview

This feature is in Public Preview.

If you want to use an IdP connector to provision users and groups and you have a workspace that is not identity federated, you must configure SCIM provisioning at the workspace level.

Add users and groups to your workspace using an IdP provisioning connector

If you configure Google Cloud Identity to federate with an external IdP, that IdP may have built-in SCIM integrations. Note that if you use Google Cloud Identity as your only IdP (you do not configure it to federate with an external IdP), there is no built-in SCIM integration.

Follow the instructions in the appropriate IdP-specific article:

• Configure SCIM provisioning using Microsoft Azure Active Directory

• Configure SCIM provisioning for Okta

• Configure SCIM provisioning for OneLogin

Add users, groups, and service principals to your workspace using the SCIM API

Workspace admins can add users, groups, and service principals to the Databricks account using the SCIM APIs for workspaces. See the Identity and Access Management section in the API Explorer.

Migrate workspace-level SCIM provisioning to the account level

If you already have workspace-level SCIM provisioning set up for workspaces that you are enabling for identity federation, Databricks recommends that you set up account-level SCIM provisioning and turn off the workspace-level SCIM provisioner.

1. Create a group in your identity provider that includes all of the users and groups that you are currently provisioning to Databricks using your workspace-level SCIM connectors.

   Databricks recommends that this group include all users in all workspaces in your account.

2. Configure a new SCIM provisioning connector to provision users and groups to your account, using the instructions in Provision identities to your Databricks account.

   Use the group or groups that you created in step 1.

3. Confirm that the new SCIM provisioning connector is successfully provisioning users and groups to your account.

4. Shut down the old workspace-level SCIM connectors that were provisioning users and groups to your workspaces.

   Shut down only the SCIM connectors that are provisioning users and groups to workspaces that are enabled for identity federation. Keep the provisioning connectors in service for any workspaces that are not enabled for identity federation, but ensure that any identity that you add using the workspace-level connector is also being added using the account-level connector. IdP groups can help you manage this parallel provisioning scenario.

5. Migrate workspace-local groups to account groups.

   If you have existing groups in your identity-federated workspaces, they are known as workspace-local groups. You cannot manage workspace-local groups using account-level interfaces. Databricks recommends that you convert them to account groups. See Migrate workspace-local groups to account groups

Important

When you remove a user from the account-level SCIM connector, that user is also removed from the account and all of their workspaces, regardless of whether or not identity federation has been enabled. When you remove a group from the account-level SCIM connector, all users in that group are deleted from the account and lose access to any workspaces they had access to, unless they are members of another group or have been directly granted access to the account or any workspaces. We recommend that you refrain from removing users and groups unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

• Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API

• Jobs owned by the user will fail

• Clusters owned by the user will stop

• Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing