Configure SCIM provisioning for Okta

This article describes how to set up Databricks provisioning using Okta. Your Okta tenant must be using the Okta Lifecycle Management feature in order to provision users and groups to Databricks.

Databricks users authenticate to the account and workspace using their Google Cloud Identity account (or GSuite account), see Single sign-on using Google Cloud Identity. If you provision a user to the account or workspace using Okta, that user must also have a Google Cloud Identity account in order to authenticate.

Databricks recommends that you provision users, service principals, and groups to the account level and assign users and groups to workspaces using identity federation.

SCIM provisioning for Okta overview

Databricks is available as a provisioning app in the Okta Integration Network (OIN), enabling you to use Okta to provision users and groups with Databricks automatically.

The Databricks Okta application allows you to:

  • Invite users to a Databricks account or workspace

  • Add invited or active users to groups

  • Deactivate existing users in a Databricks account or workspace

  • Manage groups and group membership

  • Update and manage profiles

Requirements

  • Your Databricks account must have the Premium plan.

  • You must be an Okta developer user.

  • You must be Databricks account admin.

Set up account-level SCIM provisioning using Okta

This section describes how to configure an Okta SCIM connector to provision users and groups to your account.

Get the SCIM token and account SCIM URL in Databricks

  1. As an account admin, log in to the Databricks account console.

    1. Click User Settings Icon Settings.

    2. Click User Provisioning.

    3. Click Set up user provisioning.

      Copy the SCIM token and the Account SCIM URL. You will use these to configure your connector in Okta.

Note

The SCIM token is restricted to the Account SCIM API /api/2.1/accounts/{account_id}/scim/v2/ and cannot be used to authenticate to other Databricks REST APIs.

Configure SCIM provisioning in Okta

  1. Log in to the Okta admin portal.

  2. Go to Applications and click Browse App Catalog.

  3. Search for Databricks in the Browse App Integration Catalog.

  4. Click Add integration.

  5. In Add Databricks configure the following:

    • In Application label, enter a name for your application.

    • Select Do not display application icon to users.

    • Select Do not display application icon in the Okta Mobile App.

  6. Click Done.

  7. Click Provisioning and enter the following:

    • In Provisioning Base URL, enter the SCIM URL you copied from Databricks.

    • In Provisioning API Token, enter the SCIM token you copied from Databricks.

  8. Click Test API Credentials, verify the connection was successful, and then click Save.

  9. Reload the Provisioning tab. Additional settings appear after a successful test of the API credentials.

  10. To configure the behavior when pushing Okta changes to Databricks, click Provisioning to App.

    • Click Edit. Enable the features you need. Databricks recommends enabling Create users, Update user attributes, and Deactivate users.

    • In Databricks Attribute Mappings, verify your Databricks Attribute Mappings. These mappings will depend on the options you enabled above. You can add and edit mappings to fit your needs. See Map application attributes on the Provisioning page in the Okta documentation.

  11. To configure the behavior when pushing Databricks changes to Okta, click To Okta. The default settings work well for Databricks provisioning. If you want to update the default settings and attribute mappings, see Provisioning and Deprovisioning in the Okta documentation.

Test the integration

To test the configuration, use Okta to invite a user to your Databricks account.

  1. In Okta, go to Applications and click Databricks.

  2. Click Provisioning.

  3. Click Assign, then Assign to people.

  4. Search for an Okta user, and click Assign.

  5. Confirm the user’s details, click Assign and go back, and then click Done.

  6. Log in to the account console, click Account Console user management icon User management, and then confirm that the user has been added.

After this simple test, you can perform bulk operations as described in Use Okta to manage users and groups in Databricks.

Use Okta to manage users and groups in Databricks

This section describes bulk operations you can perform using Okta SCIM provisioning to your Databricks account.

Import users from Databricks to Okta

To import users from Databricks to Okta, go to the Import tab and click Import Now. You are prompted to review and confirm assignments for any users who are not automatically matched to existing Okta users by email address.

Add user and group assignments to your Databricks account

To verify or add user and group assignments, go to the Assignments tab. Databricks recommends adding the Okta group named Everyone to the account-level SCIM provisioning application. This syncs all users in your organization to the Databricks account.

Push groups to Databricks

To push groups from Okta to Databricks, go to the Push Groups tab. Users who already exist in Databricks are matched by email address.

Delete a user or group from the account

If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation.

If you delete a group from the account-level Databricks application in Okta, all users in that group are deleted from the account and lose access to any workspaces they had access to (unless they are members of another group or have been directly granted access to the account or any workspaces). Databricks recommends that you refrain from deleting account-level groups unless you want them to lose access to all workspaces in the account.

Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user can no longer access Databricks APIs

    • Jobs owned by the user fail

    • Clusters owned by the user stop

    • Queries or dashboards created by the user and shared using the Run as Owner credential have to be assigned to a new owner to prevent sharing from failing

Troubleshooting and tips

  • Users without either First Name or Last Name in their Databricks profiles cannot be imported to Okta as new users.

  • Users who existed in Databricks prior to provisioning setup:

    • Are automatically linked to an Okta user if they already exist in Okta and are matched based on email address (username).

    • Can be manually linked to an existing user or created as a new user in Okta if they are not automatically matched.

  • User permissions that are assigned individually and duplicated through membership in a group remain after the group membership is removed for the user.

  • You cannot rename groups in Databricks; do not attempt to rename them in Okta.

  • You cannot update Databricks usernames and email addresses.