Configure OAuth with Databricks (Beta)

🚩

This documentation describes a public beta feature and is under construction. This documentation should not be considered part of our published documentation until this notice, and the corresponding Beta flag on the feature in Sigma, are removed. As with any beta feature, the feature discussed below is subject to quick, iterative changes. The latest experience in the Sigma service may differ from the contents of this document.

Beta features are subject to the disclaimer on Beta features.

This document guides you through the steps to first set up a Sigma OAuth application to enable authentication through Databricks as your IdP, then connect to that OAuth application from Sigma.

This documentation applies to customers using Databricks for their CDW. If you are using Snowflake, see Configure OAuth with Snowflake.

Requirements

  • You must be assigned the Admin account type to manage authentication for your Sigma organization.
  • Account Admin privileges in Databricks. See What are account admins? in the Databricks documentation.

Configure a custom OAuth application for Sigma in Databricks

Enable a custom OAuth application in your Databricks account. See the Databricks documentation for detailed instructions:

When you create the connection for the application in Databricks, you have several configuration options. Sigma requires the following configurations for your OAuth connection to work:

  • Redirect URLs: Enter a redirect URL that matches your Sigma deployment.
DeploymentLogin redirect URL
GCPhttps://api.sigmacomputing.com/api/v2/oauth/1/authcode
AWShttps://aws-api.sigmacomputing.com/api/v2/oauth/1/authcode
AWS-CAhttps://api.ca.aws.sigmacomputing.com/api/v2/oauth/1/authcode
AWS-EUhttps://api.eu.aws.sigmacomputing.com/api/v2/oauth/1/authcode
AWS-UKhttps://api.uk.aws.sigmacomputing.com/api/v2/oauth/1/authcode
AWS-AUhttps://api.au.aws.sigmacomputing.com/api/v2/oauth/1/authcode
Azurehttps://api.us.azure.sigmacomputing.com/api/v2/oauth/1/authcode
  • Access scopes: When you are prompted to select an access scope, select All APIs.
  • Client secret: Enable the option to generate a client secret, as Sigma requires this for secure connection.

Record your client ID and client secret. You need these values for the Sigma configuration.

Configure OAuth in Sigma

In Sigma, configure your organization to use OAuth as the authentication method.

You will need the client ID and client secret from the OAuth application you configured in Databricks in the previous section. You will also need your Databricks account ID. For information about how to retrieve your Databricks account ID, see Locate your account ID in the Databricks documentation.

  1. Go to Administration > Authentication.

  2. In the Authentication Method and Options section, locate the Authentication Method setting and click Edit.

  3. In the Authentication Method & Options page, configure OAuth authentication:

    1. In the Authentication Method dropdown, select the OAuth or OAuth or password option.

    2. To enable enable guest users to access permitted content, turn on the Allow Guest Access switch. Guest users must have Databricks user accounts provisioned and be added as OAuth users in your IdP in order to access Sigma.

    3. To require two-factor authentication, turn on the 2-Factor Authentication Required switch. For more information, see Two-Factor Email Authentication.

    4. In the Metadata URI field, enter the OAuth metadata URI in the format that matches your Databricks environment. Replace with the unique ID for your Databricks account.

    EnvironmentMetadata URI
    Azurehttps://accounts.azuredatabricks.net/oidc/accounts/<your-databricks-account-id>/.well-known/openid-configuration
    AWS<https://accounts.cloud.databricks.com/oidc/accounts/><your-databricks-account-id>/.well-known/openid-configuration
    1. In the Client ID field, enter the client ID that you received when you created your custom OAuth application in Databricks.

    2. In the Client Secret field, enter the client secret you recorded when you created your custom OAuth application in Databricks. After you enter and save this value, Sigma does not display it.

    3. Click Save to apply the changes.

  4. Test your OAuth configuration by logging out and logging back in to Sigma. Your organization’s login page should now display a "Log in with SSO" prompt.

Now that you have OAuth enabled on your Sigma account, you can configure your Databricks connections to use OAuth. See Connect to Databricks.