Single sign-on

Databricks account and workspace users authenticate with their Google Cloud Identity account (or GSuite account) using Google’s OAuth 2.0 implementation, which conforms to the OpenID Connect spec and is OpenID certified. Databricks provides the openid profile scope values in the authentication request to Google.

Optionally, you can configure your Google Cloud Identity account (or GSuite account) to federate with an external SAML 2.0 Identity Provider (IdP) to verify user credentials. Google Cloud Identity can federate with Azure Active Directory, Okta, Ping, and other IdPs. However, Databricks only interacts directly with the Google Identity Platform APIs.

Databricks does not have access to user credentials. This architecture reduces risks associated with storing or protecting user credentials because Databricks does not have access to them.

There are two pathways for a user to log in into Databricks:

  • Their workspace URL directly: All users can use their workspace URL directly. The user is authenticated through Databricks integration with Google’s Cloud Identity OAuth 2.0 implementation.

  • The account console to access the workspace: All users can authenticate with Google Identity OAuth 2.0 in the account console. The account console offers a list of available workspaces to choose from. Account admins can view all workspaces in the account and all other users can only view the workspaces that they have been granted access to. The user is redirected to the workspace login page with an authentication token. If the token is accepted, the user is not prompted to login again. On the first login, the user will be challenged to consent to OAuth scopes.