Provision identities to a Databricks workspace (legacy)

Important

This documentation has been retired and might not be updated. Workspace-level SCIM provisioning is legacy. Databricks recommends that you use account-level SCIM provisioning, see Sync users and groups from your identity provider.

Preview

This feature is in Public Preview.

If you want to use an IdP connector to provision users and groups and you have a workspace that is not identity federated, you must configure SCIM provisioning at the workspace level.

Note

Workspace-level SCIM does not recognize account groups that are assigned to your identity federated workspace and workspace-level SCIM API calls will fail if they involve account groups. If your workspace is enabled for identity federation, Databricks recommends that you use the account-level SCIM API instead of the workspace-level SCIM API and that you set up account-level SCIM provisioning and turn off the workspace-level SCIM provisioner. For detailed instructions, see Migrate workspace-level SCIM provisioning to the account level.

Add users and groups to your workspace using an IdP provisioning connector

If you configure Google Cloud Identity to federate with an external IdP, that IdP may have built-in SCIM integrations. Note that if you use Google Cloud Identity as your only IdP (you do not configure it to federate with an external IdP), there is no built-in SCIM integration.

Follow the instructions in the appropriate IdP-specific article:

• Configure workspace-level SCIM provisioning using Microsoft Entra ID (legacy)

• Configure workspace-level SCIM provisioning using Okta (legacy)

• Configure workspace-level SCIM provisioning using OneLogin (legacy)

Add users, groups, and service principals to your workspace using the SCIM API

Workspace admins can add users, groups, and service principals to the Databricks account using workspace-level SCIM APIs. See Workspace Users API, Workspace Groups API, and Workspace Service Principals API