Connect to Databricks with OAuth

If you want to authenticate to Databricks from Sigma using OAuth, follow the steps in this document after you complete the following steps to connect to Databricks:

  1. Add a connection and specify connection details
  2. Specify your connection credentials

This document describes how to connect Sigma to Databricks using one of the following OAuth configurations:

  • Organization-level OAuth: Authenticate to a Databricks account using the same OAuth configuration that you use to manage authentication to your Sigma organization. When a user signs into Sigma using OAuth with Databricks as the IdP, Sigma receives an OAuth token which it uses to automatically sign the user in to Databricks. See Connect to Databricks with organization-level OAuth.
  • Connection-level OAuth: Authenticate to your Databricks account using a unique OAuth configuration specific to the Databricks connection. See Connect to Databricks with connection-level OAuth.

After you set up your OAuth configuration, complete the configuration steps for OAuth. See Complete your OAuth configuration.

For more details about using OAuth with Sigma, see About using OAuth with Sigma.

Requirements

Connect to Databricks with organization-level OAuth

If you use OAuth to authenticate users to your Sigma organization using Databricks as your IdP, and your organization does not have multiple identity providers enabled, you can reuse that OAuth configuration for this connection:

  1. In the Connection credentials section, turn on the Use organization-level OAuth configuration toggle.
  2. Complete the remaining configuration steps for OAuth. See Complete your OAuth configuration.

If you authenticate to Sigma with a non-OAuth authentication method, or use OAuth with an external IdP (such as Okta, Microsoft Entra ID, Auth0, PingIdentity, or others), you cannot connect to Databricks using organization-level OAuth. Instead, use connection-level OAuth. See Connect to Databricks with connection-level OAuth.

Connect to Databricks with connection-level OAuth

You can connect to Databricks with a different OAuth configuration than the one you use to authenticate users to Sigma. For example, you might configure connection-level OAuth if you have multiple identity providers enabled, or if you want to configure connections to multiple Databricks accounts using OAuth.

After completing the steps to start creating a Databricks connection and selecting OAuth for Authentication:

  1. In the OAuth features section, select your OAuth provider.

  2. (Optional) Enter any additional Scopes to further specify the access of the OAuth token.

    • The default scopes openid, profile, email, and all-apis are required.
    • The default scope offline_access is strongly recommended but not required. If this scope is not provided, users must log in every time their access token expires, and any scheduled operations fail if the tasks run longer than the access token lifetime configured in the IdP (such as 5 minutes).

    Note: If you use Microsoft Entra ID as your IdP, also specify the databricks scope.

  3. In the Metadata URL field, enter the OAuth metadata URI for your OAuth application.

  4. In the Redirect URI field, select Copy to clipboard and store the value somewhere. You need this value to complete the OAuth configuration in your IdP.

  5. In the Client ID field, enter the client ID from your OAuth application.

  6. In the Client secret field, enter the client secret from your OAuth application.

    After you enter and save this value, Sigma does not display it.

  7. Complete the remaining steps. See Complete your OAuth configuration.
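The scope and metadata requirements in steps 1 to 6 are easy to get subtly wrong (a missing all-apis scope, an IdP that does not issue refresh tokens, a metadata document with a non-TLS endpoint), and the symptoms only appear later as failed sign-ins or failed schedules. The following is an added example, not Sigma's or Databricks' own code, that pre-checks a metadata document against those requirements before you enter the values in the Sigma connection form. The metadata document is a constructed sample with a placeholder issuer, and the function names and finding strings are this example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Scopes the connection-level OAuth steps describe as required and as recommended.
REQUIRED_SCOPES = {"openid", "profile", "email", "all-apis"}
RECOMMENDED_SCOPE = "offline_access"

# Constructed sample of the JSON an IdP serves at its OAuth metadata URL
# (an OpenID Connect discovery document). The issuer is a placeholder, not a real tenant.
SAMPLE_METADATA_JSON = json.dumps({
    "issuer": "https://idp.example.test/placeholder-tenant",
    "authorization_endpoint": "https://idp.example.test/placeholder-tenant/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/placeholder-tenant/oauth2/token",
    "jwks_uri": "https://idp.example.test/placeholder-tenant/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "all-apis", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def check_oauth_config(metadata_json, configured_scopes, idp_is_entra=False):
    """Review a metadata document together with the scopes entered in Sigma.

    Returns a list of findings; an empty list means nothing is missing.
    "error:" findings block a working connection, "warning:" findings describe
    the degraded behaviour the documentation warns about.
    """
    findings = []
    try:
        md = json.loads(metadata_json)
    except json.JSONDecodeError:
        return ["error: metadata URL did not return valid JSON"]

    # Fields every authorization-code flow needs, and all of them must be served over TLS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = md.get(key)
        if not value:
            findings.append(f"error: metadata is missing '{key}'")
        elif urlparse(value).scheme != "https":
            findings.append(f"error: '{key}' must be an https URL, got {value}")

    scopes = set(configured_scopes)

    # Required scopes: without them Sigma cannot identify the user or call Databricks APIs.
    for scope in sorted(REQUIRED_SCOPES - scopes):
        findings.append(f"error: required scope '{scope}' is not configured")

    # Microsoft Entra ID additionally needs the databricks scope.
    if idp_is_entra and "databricks" not in scopes:
        findings.append("error: Microsoft Entra ID requires the 'databricks' scope")

    # offline_access is what makes the IdP issue a refresh token.
    if RECOMMENDED_SCOPE not in scopes:
        findings.append(
            "warning: offline_access not configured; users must sign in again "
            "each time the access token expires and scheduled tasks that outlive "
            "the token lifetime will fail"
        )
    # If the IdP advertises its grant types, refresh_token should be among them.
    # An absent key is treated as unknown rather than as a failure.
    elif "refresh_token" not in md.get("grant_types_supported", ["refresh_token"]):
        findings.append(
            "warning: offline_access configured but the IdP does not advertise "
            "the refresh_token grant, so tokens may still not be refreshable"
        )

    # Scopes the IdP does not advertise are usually rejected at the authorize step.
    supported = md.get("scopes_supported")
    if supported is not None:
        for scope in sorted(scopes - set(supported)):
            findings.append(f"warning: scope '{scope}' is not in scopes_supported")

    return findings


if __name__ == "__main__":
    # Sample run: the default scopes without offline_access.
    for line in check_oauth_config(SAMPLE_METADATA_JSON, ["openid", "profile", "email", "all-apis"]):
        print(line)
```

In practice you would fetch the metadata document from the Metadata URL you plan to enter in step 3 and pass its body to check_oauth_config along with the scope list from step 2; anything reported as an error should be fixed in the IdP application before the connection is created.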

Complete your OAuth configuration

To complete your OAuth configuration, determine whether you plan to use functionality in Sigma that requires a service account. A service account is a Databricks service principal created for administrative purposes in Sigma.

There are two reasons to configure a service account:

  • If you use public embedding features in Sigma, a service account is required. Service account credentials are used to run queries on publicly embedded dashboards.
  • If you want users assigned the Admin account type to configure individual workbooks to run using a service account rather than each individual's OAuth credentials, a service account is required.

If you need a service account:

  1. In the Service account configuration section, turn on the Service account toggle.

  2. For Access token, enter an access token for the service account.

    For instructions on how to generate an access token, see Databricks personal access tokens for service principals in the Databricks documentation.

To finish setting up your connection, see Configure write access and Configure connection features for additional options. Or, if you are finished configuring your connection, click Create at the top right to create your connection.