Configure workspace-level SCIM provisioning using OneLogin (legacy)

Important

This documentation has been retired and might not be updated. Workspace-level SCIM provisioning is legacy. Databricks recommends that you use account-level SCIM provisioning, see Sync users and groups from your identity provider.

Preview

This feature is in Public Preview.

When you follow these steps, log into the Databricks admin settings page in one browser tab and log into the OneLogin admin console in another.

Generate a Databricks personal access token

As a Databricks workspace administrator, generate a personal access token. See Token management. Store the token in a secure location such as a secrets manager, and do not paste it anywhere other than the OneLogin configuration field described below. OneLogin presents this token as a bearer credential on every SCIM call, so anyone who holds it can create, suspend, and delete users in the workspace. If you give the token an expiry, plan to rotate it in OneLogin before it expires, because provisioning stops when the token is no longer valid.

Important

The user who owns this personal access token must not be managed within OneLogin. Otherwise, removing or suspending the user in OneLogin would invalidate the token and disrupt the SCIM integration. Use a dedicated workspace administrator account that exists only in Databricks for this purpose.

Configure the OneLogin SCIM provisioning app

  1. Log in to OneLogin as a Super User or Account Owner, and launch the OneLogin admin console.

  2. Go to Applications and click Add App.

  3. Search for and select SCIM Provisioner with SAML (SCIM v2 Core).

  4. Click Save. New configuration tabs appear at the left.

  5. Click Configuration.

  6. In the SCIM Base URL field, enter https://<databricks-instance>/api/2.0/preview/scim/v2. Replace <databricks-instance> with the hostname of your Databricks workspace URL. See Get identifiers for workspace objects.

  7. In the SCIM Bearer Token field, enter the Databricks personal access token.

  8. Under API Connection, click Enable. OneLogin connects to the SCIM endpoint using the token. If the connection fails, check the base URL and the token before continuing.

  9. Go to Provisioning to enable and configure provisioning.

    1. Under Workflow, select Enable provisioning.

    2. Configure whether to require admin approval to create, delete, or update a user.

      Note

      Databricks recommends that you enable admin approval for all operations as an initial safeguard, so that you don’t trigger automatic provisioning for your users before setup and testing have been completed. After you have tested and verified that provisioning is working as expected, you can turn admin approval off for the operations you want to run automatically.

    3. Configure the behavior in Databricks when a user is deleted from OneLogin:

      • Do nothing does not modify the user in Databricks.

      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.

      • Delete deletes the user in Databricks and archives the user’s resources. This is not reversible.

    4. Configure the behavior in Databricks when a user is suspended in OneLogin.

      • Do nothing does not modify the user in Databricks.

      • Suspend disables the user in Databricks. The user can’t log in, but the user’s resources are not modified. This is reversible.

    5. Under Entitlements, click Refresh. In OneLogin, groups are called entitlements. This imports groups from Databricks into OneLogin. Importing OneLogin entitlements into Databricks is not supported, so any group you want to assign from OneLogin must already exist in Databricks before you refresh.

  10. Click Save.
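Before you enable provisioning it is worth confirming, outside OneLogin, that the base URL and token are right and that the token owner satisfies the constraints in the Important note above. The script below is an added example and is not part of the Databricks or OneLogin documentation. It assumes the SCIM base URL format from step 6, that the token is in the DATABRICKS_TOKEN environment variable and the workspace host in DATABRICKS_HOST, and that you can export the list of userNames OneLogin manages (here a constructed sample). The function names, the sample SCIM response, and the sample OneLogin user list are this example's own.

```python
"""Pre-flight check for the OneLogin -> Databricks workspace SCIM setup.

Added example, not code from Databricks or OneLogin. Assumes the SCIM
base URL https://<databricks-instance>/api/2.0/preview/scim/v2, a PAT in
DATABRICKS_TOKEN, the workspace host in DATABRICKS_HOST, and an exported
set of OneLogin-managed userNames (constructed below). Names are ours.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

SCIM_PATH = "/api/2.0/preview/scim/v2"


def scim_base_url(workspace_host: str) -> str:
    """Build the SCIM base URL OneLogin needs from a workspace host.

    Accepts a bare hostname or a full https:// URL and normalizes it.
    Rejects http://, since the bearer token would travel in cleartext.
    """
    host = workspace_host.strip().rstrip("/")
    if "://" in host:
        parsed = urllib.parse.urlparse(host)
        if parsed.scheme != "https":
            raise ValueError("SCIM endpoint must use https")
        host = parsed.netloc
    return f"https://{host}{SCIM_PATH}"


def scim_get(base_url: str, token: str, path: str) -> dict:
    """GET a SCIM resource, presenting the PAT as a bearer token (network)."""
    req = urllib.request.Request(
        base_url + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_users(list_response: dict) -> dict:
    """Summarize a SCIM ListResponse from /Users.

    Records active and suspended userNames and members of the admins
    group, which is what to snapshot before provisioning starts.
    """
    active, suspended, admins = [], [], []
    for user in list_response.get("Resources", []):
        name = user["userName"]
        (active if user.get("active", True) else suspended).append(name)
        if any(g.get("display") == "admins" for g in user.get("groups", [])):
            admins.append(name)
    return {"total": list_response.get("totalResults", 0),
            "active": active, "suspended": suspended, "admins": admins}


def token_owner_warnings(owner: str, summary: dict, onelogin_managed: set) -> list:
    """Check the PAT owner against the constraints in the Important note."""
    warnings = []
    if owner in onelogin_managed:
        warnings.append(f"{owner} is managed in OneLogin; deleting or suspending "
                        "it there would invalidate the token and break provisioning")
    if owner not in summary["admins"]:
        warnings.append(f"{owner} is not in the admins group; workspace SCIM "
                        "provisioning requires a workspace administrator's token")
    return warnings


# Constructed sample in the shape the Databricks SCIM /Users endpoint returns.
SAMPLE_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "1001", "userName": "scim-svc@example.com", "active": True,
         "groups": [{"display": "admins", "value": "10"}]},
        {"id": "1002", "userName": "alice@example.com", "active": True,
         "groups": [{"display": "admins", "value": "10"},
                    {"display": "data-eng", "value": "11"}]},
        {"id": "1003", "userName": "bob@example.com", "active": False,
         "groups": []},
    ],
}
# Constructed stand-in for a userName export from the OneLogin admin console.
SAMPLE_ONELOGIN_MANAGED = {"alice@example.com", "bob@example.com"}


def main() -> int:
    host = os.environ.get("DATABRICKS_HOST")
    token = os.environ.get("DATABRICKS_TOKEN")
    if host and token:
        base = scim_base_url(host)
        me = scim_get(base, token, "/Me")["userName"]
        summary = summarize_users(scim_get(base, token, "/Users"))
    else:  # offline: run the same checks over the constructed sample
        base = scim_base_url("dbc-a1b2c3d4-e5f6.cloud.databricks.com")
        me, summary = "scim-svc@example.com", summarize_users(SAMPLE_USERS)
    print("SCIM base URL:", base)
    print(json.dumps(summary, indent=2))
    problems = token_owner_warnings(me, summary, SAMPLE_ONELOGIN_MANAGED)
    for p in problems:
        print("WARNING:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with DATABRICKS_HOST and DATABRICKS_TOKEN set to exercise the live endpoint; without them it runs over the constructed sample. A non-zero exit means the token owner is either OneLogin-managed or not a workspace admin, and the integration should not be enabled until that is fixed.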

Continue to Use OneLogin to manage users and groups in Databricks to provision users and groups in your Databricks workspace.

Note

When you remove a user from the admins group in OneLogin and the change is synced to Databricks, the user is no longer a Databricks workspace administrator.