Single sign-on

Databricks workspace users authenticate with their Google Cloud Identity account (or GSuite account) using Google’s OAuth 2.0 implementation, which conforms to the OpenID Connect spec and is OpenID certified. Databricks provides the openid profile scope values in the authentication request to Google.

Optionally, you can configure your Google Cloud Identity account (or GSuite account) to federate with an external SAML 2.0 Identity Provider (IdP) to verify user credentials. Google Cloud Identity can federate with Azure Active Directory, Okta, Ping, and other IdPs. However, Databricks only interacts directly with the Google Identity Platform APIs.

Databricks does not have access to user credentials. This architecture reduces risks associated with storing or protecting user credentials because Databricks does not have access to them.

There are two pathways for a workspace user to log in into a workspace:

  • All users can use their workspace URL directly: Both non-admin users and admin users (account owners) can use the workspace URL directly. The user is authenticated through Databricks integration with Google’s Cloud Identity OAuth 2.0 implementation.
  • Admin users (account owners) can additionally use the Google Cloud Console to access the workspace: Admin users (account owners) authenticate with Google Identity OAuth 2.0 in the account console. The account console offers a list of available workspaces to choose from. The user is redirected to the workspace login page with an authentication token. If the token is accepted, the user is not prompted to login again. On the first login, the user will be challenged to consent to OAuth scopes.