Set Up Identity Provider Based Authentication

Before you begin:

  • Make sure that you copy the generated external ID in Data 360.

  1. In your Databricks workspace, click your user icon on the top right and then click Settings.

  2. In the Settings sidebar, under Workspace admin, click Identity and access.

  3. Next to Service principals, click Manage, and then click Add service principal. If you have an Azure managed Databricks instance, make sure that Databricks manages the service principal.

  4. In the Add service principal page, click Add new.

  5. Enter a name for the service principal and click Add. You can see a service principal with the name you gave and an alphanumeric Application ID. Use this Application ID as Client ID in the Data 360 connections window.

  6. Create a federation policy and attach it to the service principal that you created. You can create a policy by using the Databricks Command-Line Interface (CLI) or the Databricks user interface (UI).

    Using the Databricks CLI

    Sample JSON

    1. In the sample JSON file, for the issuer field, enter your org’s My Domain URL (from Salesforce org) followed by /services/connectors. For example, https://yourcompany.my.salesforce.com/services/connectors.

    2. For the audiences field, enter your org’s My Domain URL. For example, https://yourcompany.my.salesforce.com. See My Domain.

    3. For the subject field, enter the external ID copied from the Data 360 new connection dialog box.

    4. For the service ID field, enter the service ID of the service principal. To get the service ID, run

      If you haven't installed the Databricks CLI, see Install or Update the Databricks CLI.

    Using the Databricks UI

    1. From the left pane, select User management and then click the Service principals tab.
    2. In the Filter service principals field, search for and open the service principal you created earlier.
    3. In the service principal details page, select the Credentials & secrets tab.
    4. Click Create policy and then select Custom.
    5. For the Issuer field, enter your org’s My Domain URL followed by /services/connectors. For example, https://yourcompany.my.salesforce.com/services/connectors.
    6. In the Create federation policy window, for the Audiences field, enter your org’s My Domain URL. For example, https://yourcompany.my.salesforce.com.
    7. For the Subject field, enter the external ID copied from the New connection dialog box in Data 360.
    8. Click Create policy.
  7. Grant permissions for the service principal to access the warehouse.

    1. In the left navigation panel of the Databricks instance, select SQL Warehouse.

    2. On the SQL warehouses tab, select any of the available warehouses that you can access.

    3. Click Permissions.

    4. In the Type to add multiple users or groups text box, enter the service principal details.

    5. In the service principal window, add ‘Can use’ permissions.

  8. Grant permissions for the service principal to access the catalog.

    1. In the left navigation panel of the Databricks instance, select Catalog.

    2. Select the catalog from the catalog explorer.

    3. In the Permissions tab, click Grant.

    4. In the Type to add multiple users or groups text box, enter the service principal details.

    5. Provide appropriate privileges for this service principal. Make sure you have SELECT privileges.

  9. In the Data Cloud connection setup, in the Client Id field, paste the application ID of the service principal that you created.
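
A pre-flight check for the federation policy values from step 6, as an added example that is not part of the original page or of Salesforce or Databricks tooling: it compares the issuer, audiences, and subject values with what step 6 prescribes before you create the policy. The function name, the flat dict layout, the exact-match comparison, and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ISSUER_SUFFIX = "/services/connectors"  # step 6: issuer = My Domain URL + this path


def check_federation_policy(policy, my_domain_url, external_id):
    """Return a list of problems; an empty list means the fields match step 6.

    policy is a flat dict holding 'issuer', 'audiences' and 'subject'
    (assumed layout; the page's sample JSON is not reproduced here).
    """
    problems = []
    parts = urlsplit(my_domain_url)
    # Both expected values derive from one bare https origin, so check it first.
    if parts.scheme != "https" or not parts.hostname:
        problems.append("My Domain URL must be an https URL")
    if parts.path or parts.query or parts.fragment:
        problems.append("My Domain URL must not carry a path, query or trailing slash")

    expected_issuer = my_domain_url + ISSUER_SUFFIX
    if policy.get("issuer") != expected_issuer:
        problems.append(f"issuer {policy.get('issuer')!r} is not {expected_issuer!r}")

    audiences = policy.get("audiences")
    if isinstance(audiences, str):  # tolerate a single value instead of a list
        audiences = [audiences]
    if not audiences:
        problems.append("audiences is empty")
    for aud in audiences or []:
        if aud != my_domain_url:  # an extra or different audience widens or breaks trust
            problems.append(f"audience {aud!r} is not the My Domain URL")

    subject = policy.get("subject")
    if not isinstance(subject, str) or not subject:
        problems.append("subject is empty")
    elif subject != external_id:
        hint = " (only whitespace differs)" if subject.strip() == external_id else ""
        problems.append(f"subject does not equal the copied external ID{hint}")
    return problems


# Constructed sample values, not real identifiers.
MY_DOMAIN = "https://yourcompany.my.salesforce.com"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
GOOD = {"issuer": MY_DOMAIN + ISSUER_SUFFIX, "audiences": [MY_DOMAIN], "subject": EXTERNAL_ID}
BAD = {"issuer": MY_DOMAIN + "/",                 # path suffix missing
       "audiences": [MY_DOMAIN + ISSUER_SUFFIX],  # issuer value pasted as audience
       "subject": EXTERNAL_ID + " "}              # trailing space from copy and paste

if __name__ == "__main__":
    for problem in check_federation_policy(BAD, MY_DOMAIN, EXTERNAL_ID):
        print(problem)
```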