AWS Partner Network (APN) Blog

Enabling AWS Single Sign-On (SSO) Service Integration with Databricks Control Plane

By Denis Dubeau, Partner Solution Architect at Databricks
By Igor Alekseev, Sr. Partner Solutions Architect at AWS

AWS-Single-Sign-OnAWS Single Sign-On (SSO) makes it easy to centrally manage SSO access to multiple Amazon Web Services (AWS) accounts and business applications. With AWS SSO, users sign in to a central portal to access all of their AWS accounts and applications.

If you’re an IT administrator of a growing workforce, your users will require access to a growing number of business applications and AWS accounts. You can use AWS SSO to create and manage users centrally and grant access to AWS accounts and business applications, such as Databricks.

In this post, we will show you how to configure Databricks to authenticate using AWS SSO.

Instead of having to sign in separately to Databricks Control Plane and other business applications, with this configuration enabled users can access Databricks with their corporate credentials using AWS SSO. This delivers a better user experience without the need for managing separate sets of credentials.

Databricks, an AWS Partner Network (APN) Advanced Technology Partner, helps organizations make all of their data ready for analytics, empower data science and data-driven decisions across the organization, and rapidly adopt machine learning (ML) to outpace the competition.

By providing data teams with the ability to process massive amounts of data in the cloud and power artificial intelligence (AI) with that data, Databricks helps organizations innovate faster and tackle challenges like treating chronic disease through faster drug discovery, improving energy efficiency, and protecting financial markets.

The diagram below depicts the configuration we will implement, and how AWS SSO and Databricks interact. Optionally, on-premises Active Directory (AD) can be connected to AWS SSO.

Databricks-AWS-SSO-1

Figure 1 – Databricks and AWS Single Sign-On use cases.

Configuration Steps

Through the AWS console, administrators can configure and manage permissions for SSO-enabled applications like Databricks.

AWS SSO supports Security Assertion Markup Language (SAML) 2.0, which means you can extend SSO access to Databricks by using the AWS SSO application configuration wizard. This is possible because both Databricks and AWS SSO support SAML 2.0.

In our configuration, Databricks acts as an SAML-enabled application while AWS SSO acts as an identity provider. Note that SSO is available only in the Databricks Operational Security Package.

Here are the steps to configure Databricks SSO to integrate with your AWS SSO:

  • Click the user account icon on the right of the workspace user interface, and select Admin Console from the drop-down menu.
  • Select the Single Sign-On tab.

Databricks-AWS-SSO-2.1

The following steps describe how to populate the three values in the provider information section from the AWS Management Console.

  • Type AWS SSO in the AWS Management Console search bar.
  • From the Welcome to AWS Single Sign-On page, select Applications from the left pane.
  • Select Add a New Application and on search for “databricks” in the Application Catalog. Choose the Databricks application icon.
  • Select View Instructions on the Configure Databricks page.

Databricks-AWS-SSO-3

  • Copy the Single Sign-On URL, Identity Provider Entity ID, and download the x.509 Certificate, as depicted by the three red arrows in the screen shot below.

Databricks-AWS-SSO-4

  • Next, insert the values into the Databricks console corresponding.
  • Click Enable SSO and copy the Databricks SAML URL.

Databricks-AWS-SSO-5.3

  • Go back to the AWS SSO console page where you are configuring the application.
  • Under Application Metadata, choose “If you don’t have a metadata file, you can manually type your metadata values” to display the application metadata settings.
  • Insert these values and click Save Changes:
    • Application ACS URL: Databricks SAML URL
    • Application SAML Audience: Databricks SAML URL
  • Assign a user to the application in AWS SSO.
  • Once a user is added, you can log in with your shared URL using SSO now.

Databricks-AWS-SSO-6

The configuration is now complete. You can log in seamlessly to Databricks by clicking on the Single Sign-On button.

This brings you to the Databricks Workspace UI without supplying your password. If you need to access Admin UI, it’s available as a separate link on the page.

Summary

In this post, we introduced AWS Single Sign-On (SSO) and explained how it integrates with Databricks.

AWS SSO provides a portal so your users can find and access all of their assigned accounts and applications from one place, using their existing corporate credentials.

AWS SSO is integrated with AWS Organizations to enable you to manage access to AWS accounts in your company. To start using AWS SSO, navigate to the AWS SSO console.

If you have feedback or questions about AWS SSO, start a new thread on the AWS SSO forum.

If you would like to start using Databricks, sign up at databricks.com/try-databricks.

.
Databricks-APN-Blog-CTA-1
.

Databricks – APN Partner Spotlight

Databricks is an AWS Competency Partner. They help organizations make all of their data ready for analytics, empower data science and data-driven decisions across the organization, and rapidly adopt machine learning to outpace the competition.

Contact Databricks | Solution Overview | AWS Marketplace

*Already worked with Databricks? Rate this Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.