Migrating to Databricks SSO: What You Need to Know

As of June 24, 2024, Databricks announced they are no longer supporting Databricks-managed passwords, effective July 10, 2024. This change will impact how all users authenticate to the Databricks UI and APIs. As a Databricks user, here’s what you need to know to prepare for this transition and ensure your workflows remain seamless.  

What’s Changing?

Databricks-managed passwords, also known as basic authentication, will no longer be supported after July 10, 2024. This means you will be unable to use these passwords to log in to the Databricks UI or Databricks APIs.

Note, “passwords” in this context refer to logging in to your Databricks account and workspaces – not to be confused with Databricks’ in-platform Secrets Management.

Recommended Actions for Your Databricks Account ‍

Migrate to Single Sign-On (SSO)

Databricks strongly recommends configuring single sign-on (SSO) with unified login for all workspaces. Here’s why and how you can do it:

• Unified login: This allows you to manage one SSO configuration for your entire account, simplifying authentication management across all Databricks workspaces.
• Multi-Factor Authentication (MFA): You can enhance security by enforcing MFA from your identity provider. Users configured for emergency access can still sign in using MFA with a FIDO 2 security key: either a physical security key or mobile authenticator app.

How to Configure SSO

1. Go to the SSO section of your Databricks account console
2. Set up and enforce MFA for added security
3. Ensure all workspaces under your account are integrated with the unified login configuration

If SSO is not configured in your Databricks account by July 10, 2024, all users will have to use a one-time passcode (OTP) each time they log in. With OTP, a unique code is sent to the user’s registered email, which must be entered on the login page to verify their identity. This adds a layer of security, ensuring only users with access to that email account can log in. ‍

Migrate to OAuth Authentication for APIs

After July 10, 2024, Databricks-managed passwords will no longer be viable for API authentication. Instead, you should migrate to OAuth authentication. OAuth offers a more secure and robust method for API access. ‍

How to Migrate to OAuth

1. Refer to the Databricks documentation on OAuth machine-to-machine (M2M) authentication.
2. If OAuth is not available for your use case, you can use personal access tokens instead.

Failure to migrate to OAuth or personal access tokens will result in automation failures, as basic authentication will no longer be supported. ‍

How to Identify Users Using Basic Authentication

To ensure a smooth transition, you can generate a list of workspace users currently using basic authentication, using the notebook below provided by Databricks.

This resource will help you identify and generate a list of users who need to migrate to the new authentication methods: https://docs.databricks.com/en/_extras/notebooks/source/admin/password-access.html

Transitioning from Databricks-Managed Passwords

To maintain secure access to your Databricks environments, it is crucial to move from Databricks-managed passwords to SSO and OAuth authentication. By following the recommended steps, you can ensure your workflows continue without interruption, and your organization has the enhanced security measures it needs.

For additional assistance and information, please visit the Databricks documentation or get in touch with our knowledgeable Databricks team by clicking the "Meet an Expert" button. As the 2024 Databricks Digital Native Partner of the Year, Aimpoint Digital's expert team is available to assist with strategy, engineering, AI/ML, and analytics. We are committed to helping ensure a secure and smooth transition for your organization.