Configure an OAuth application for Databricks
You can use OAuth to authenticate to your Sigma organization, to your Databricks connection in Sigma, or to both, using supported Databricks authorization methods.
When using Databricks for OAuth with Sigma, you have two options:
- Use Databricks OAuth for users (OAuth U2M).
- Use a different IdP with Databricks OAuth token federation.
If you do not want to use Databricks authorization methods to authenticate to Sigma, or want to connect to a different data platform, see Configure a Sigma OAuth application.
This document covers the steps required to configure an OAuth application for Databricks.
User requirements
- In Databricks, you must be an account admin. See What are account admins? in the Databricks documentation.
High-level overview
To configure a custom OAuth application for Databricks, complete the following steps:
- Step 1: Create your OAuth application.
- Step 2: Configure relevant OAuth options.
- Step 3: Determine your metadata URI.
Step 1: Create your OAuth application
The steps to create an OAuth application differ depending on your IdP:
- If you want to use Databricks as your IdP, see Option 1: Create a custom OAuth application with Databricks OAuth for users (OAuth U2M).
- If you want to use another platform as your IdP, see Option 2: Configure a custom OAuth application using Databricks OAuth token federation.
No matter which option you choose, record your client ID and client secret to use for your OAuth configuration in Sigma.
Option 1: Create a custom OAuth application with Databricks OAuth for users
To enable a custom OAuth application with Databricks OAuth for users (OAuth U2M), see the relevant Databricks documentation:
- For Databricks on Azure, see Enable custom OAuth applications using the Azure Databricks UI in the Azure Databricks documentation.
- For Databricks on AWS, see Enable custom OAuth applications using the Databricks UI in the Databricks documentation.
- For Databricks on GCP, see Enable or disable partner OAuth applications in the Databricks documentation.
After creating the application, proceed to Step 2: Configure relevant OAuth options.
Option 2: Configure a custom OAuth application using Databricks OAuth token federation
If you want to use a different IdP but still use OAuth to authenticate to Databricks, you must use Databricks OAuth token federation. This option is only relevant if you plan to connect to Databricks using OAuth.
Before you can set up token federation, you must have the following information:
| Prerequisite information | Details |
|---|---|
| Issuer URL | |
| Audiences | Found in the authorization server's access token payload. |
| Subject claim | Your Databricks user identifier, such as the email address associated with your Databricks account. |
For more information, see the Databricks documentation on Account-wide token federation.
To configure Databricks OAuth token federation with a custom OAuth application, complete steps 1–4 and step 6 in Configure a Sigma OAuth application, then continue to Step 2: Configure relevant OAuth options.
Step 2: Configure relevant OAuth options
To use the OAuth configuration with Sigma, configure the following options:
- Redirect URLs: Set a redirect URL that matches where your Sigma organization is hosted:
  - If you set up connection-level OAuth, the redirect URL is listed in the OAuth features section in the Redirect URI field.
  - If you plan to set up organization-level OAuth, construct a redirect URL using the following format: https://{{baseUrl}}/v2/oauth/1/authcode. Manually update the URL to use the {{baseUrl}} specific to where your Sigma organization is hosted. The {{baseUrl}} value is listed in the API endpoint column of the Supported cloud platforms and regions table. For example, https://api.sigmacomputing.com/api/v2/oauth/1/authcode for a Sigma organization hosted on GCP-US.
- Access scopes: When prompted to select an access scope, select All APIs. If you use Microsoft Entra ID as your IdP, you must also create a custom scope named databricks.
- Client secret: Enable the option to generate a client secret, as Sigma requires this for a secure connection.
- Refresh token time-to-live (TTL): This value determines how long users can be signed in to Sigma before being prompted to sign in again. Set a value consistent with your organization's security policies. To avoid frequent interruptions for your users, Sigma recommends a TTL value of 90 days. To avoid disruption to scheduled exports, do not set a value lower than 7 days.
After you configure the options in this step, proceed to Step 3: Determine your metadata URI.
Step 3: Determine your metadata URI
Determine the metadata URI that Sigma requires to complete the OAuth configuration. The metadata URI includes the unique ID for your Databricks account, and is required to complete your OAuth configuration in Sigma. Store this value for later use when creating your connection in Sigma.
The process to determine your metadata URI depends on your chosen IdP:
- If you are using Databricks as your IdP, see Determine your metadata URI for Databricks OAuth for users.
- If you are using another IdP, see Determine your metadata URI for your external IdP.
Determine your metadata URI for Databricks OAuth for users
If you use Databricks OAuth for users (OAuth U2M), construct your metadata URI using your Databricks account ID based on your environment and other configurations:
- Retrieve your Databricks account ID. For instructions, see Locate your account ID in the Databricks documentation.
- Construct your metadata URI based on your setup:
  - For Databricks on Azure: https://accounts.azuredatabricks.net/oidc/accounts/<your-databricks-account-id>/.well-known/openid-configuration
  - For Databricks on AWS, if your organization uses workspace-level legacy SSO and has unified login enabled: https://<server_hostname>/oidc/.well-known/openid-configuration
  - For Databricks on AWS, if your organization does not use workspace-level legacy SSO or does not have unified login enabled: https://accounts.cloud.databricks.com/oidc/accounts/<your-databricks-account-id>/.well-known/openid-configuration
  - For Databricks on GCP: https://accounts.gcp.databricks.com/oidc/accounts/<your-databricks-account-id>/.well-known/openid-configuration
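As an added example (not Sigma's or Databricks' own code), the following Python builds the Step 2 organization-level redirect URL and the Step 3 metadata URI from the rules above, then sanity-checks a fetched discovery document before the URI is pasted into Sigma. The account ID, workspace hostname and discovery document are constructed placeholders, and check_discovery is an added helper, not part of either product.

```python
from urllib.parse import urlparse

# Databricks account-console hosts per cloud, as listed on this page.
ACCOUNT_HOSTS = {
    "azure": "accounts.azuredatabricks.net",
    "aws": "accounts.cloud.databricks.com",
    "gcp": "accounts.gcp.databricks.com",
}

def redirect_url(base_url: str) -> str:
    # Organization-level OAuth redirect URL in the page's format (Step 2).
    return f"https://{base_url}/v2/oauth/1/authcode"

def metadata_uri(cloud: str, account_id: str, workspace_host: str = "",
                 legacy_sso_with_unified_login: bool = False) -> str:
    # Pick the discovery URI by cloud and SSO setup (Step 3, Databricks OAuth for users).
    if cloud == "aws" and legacy_sso_with_unified_login:
        if not workspace_host:
            raise ValueError("workspace-level legacy SSO needs the workspace hostname")
        return f"https://{workspace_host}/oidc/.well-known/openid-configuration"
    host = ACCOUNT_HOSTS[cloud]  # KeyError for an unsupported cloud is intentional
    return f"https://{host}/oidc/accounts/{account_id}/.well-known/openid-configuration"

def check_discovery(uri: str, doc: dict) -> list:
    # Issuer and both endpoints must be https on the same host as the metadata URI;
    # anything else usually means a mistyped account ID or the wrong cloud's console.
    expected_host = urlparse(uri).hostname
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https" or parsed.hostname != expected_host:
            problems.append(f"{key} is {value}, expected https on {expected_host}")
    return problems

# Constructed sample: a placeholder account ID and a discovery document whose token
# endpoint was copied from the wrong cloud's console, so check_discovery reports it.
SAMPLE_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_DOC = {
    "issuer": f"https://accounts.cloud.databricks.com/oidc/accounts/{SAMPLE_ACCOUNT_ID}",
    "authorization_endpoint": f"https://accounts.cloud.databricks.com/oidc/accounts/{SAMPLE_ACCOUNT_ID}/v1/authorize",
    "token_endpoint": f"https://accounts.azuredatabricks.net/oidc/accounts/{SAMPLE_ACCOUNT_ID}/v1/token",
}
```

Fetch the real document with any HTTPS client and pass the parsed JSON to check_discovery; an empty list means the URI is safe to store for the Sigma connection.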
Determine your metadata URI for your external IdP
The process to determine your metadata URI is specific to your IdP. Check the documentation for your IdP for guidance. For more information on setting up OAuth for specific IdPs, see the Sigma Community post on Guidelines For Configuring OAuth and SAML Authentication.