@Generated public class AccountFederationPolicyAPI extends Object
Account federation policies allow users and service principals in your Databricks account to securely access Databricks APIs using tokens from your trusted identity providers (IdPs).
With token federation, your users and service principals can exchange tokens from your IdP for Databricks OAuth tokens, which can be used to access Databricks APIs. Token federation eliminates the need to manage Databricks secrets, and allows you to centralize management of token issuance policies in your IdP. Databricks token federation is typically used in combination with [SCIM], so users in your IdP are synchronized into your Databricks account.
Token federation is configured in your Databricks account using an account federation policy. An account federation policy specifies:

* which IdP, or issuer, your Databricks account should accept tokens from
* how to determine which Databricks user, or subject, a token is issued for

To configure a federation policy, you provide the following:

* The required token __issuer__, as specified in the “iss” claim of your tokens. The issuer is an https URL that identifies your IdP.
* The allowed token __audiences__, as specified in the “aud” claim of your tokens. This identifier is intended to represent the recipient of the token. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If unspecified, the default value is your Databricks account id.
* The __subject claim__, which indicates which token claim contains the Databricks username of the user the token was issued for. If unspecified, the default value is “sub”.
* Optionally, the public keys used to validate the signature of your tokens, in JWKS format. If unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys.
An example federation policy is:

```
issuer: "https://idp.mycompany.com/oidc"
audiences: ["databricks"]
subject_claim: "sub"
```

An example JWT token body that matches this policy and could be used to authenticate to Databricks as user `username@mycompany.com` is:

```
{
  "iss": "https://idp.mycompany.com/oidc",
  "aud": "databricks",
  "sub": "username@mycompany.com"
}
```
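The matching rules described above can be checked locally against a token's decoded claims before attempting an exchange. The following Java 17 sketch is an added example, not code from the Databricks SDK or service: `Policy`, `match` and the account id placeholder are hypothetical names, the exact-string issuer comparison is an assumption, and signature validation against the issuer's keys is not covered.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration of the documented matching rules; not Databricks code.
// Signature validation against the issuer's JWKS is deliberately out of scope.
public class FederationPolicyMatch {
    // Hypothetical holder for the three policy fields named in the text.
    record Policy(String issuer, Set<String> audiences, String subjectClaim) {}

    /** Returns the username the token maps to, or null if it does not match. */
    static String match(Policy policy, String accountId, Map<String, Object> claims) {
        // Documented defaults: audience = account id, subject claim = "sub".
        Set<String> allowed = (policy.audiences() == null || policy.audiences().isEmpty())
                ? Set.of(accountId) : policy.audiences();
        String subjectClaim = policy.subjectClaim() == null ? "sub" : policy.subjectClaim();

        // Assumption: "iss" is compared to the policy issuer as an exact string.
        if (!policy.issuer().equals(claims.get("iss"))) return null;

        // RFC 7519 allows "aud" to be a single string or an array of strings.
        Object aud = claims.get("aud");
        Collection<?> tokenAuds = (aud instanceof Collection<?> c)
                ? c : Collections.singletonList(aud);
        // At least one token audience must appear in the policy.
        if (tokenAuds.stream().noneMatch(a -> a != null && allowed.contains(a))) return null;

        // The configured claim must carry a non-empty username.
        Object subject = claims.get(subjectClaim);
        return (subject instanceof String s && !s.isBlank()) ? s : null;
    }

    public static void main(String[] args) {
        Policy policy = new Policy("https://idp.mycompany.com/oidc", Set.of("databricks"), "sub");
        String accountId = "ACCOUNT_ID_PLACEHOLDER"; // constructed placeholder
        // Constructed sample claims: the token shown above, then two mismatches.
        Map<String, Object> ok = Map.of("iss", "https://idp.mycompany.com/oidc",
                "aud", "databricks", "sub", "username@mycompany.com");
        Map<String, Object> wrongAud = Map.of("iss", "https://idp.mycompany.com/oidc",
                "aud", List.of("other-service"), "sub", "username@mycompany.com");
        Map<String, Object> wrongIss = Map.of("iss", "https://idp.example.net/oidc",
                "aud", "databricks", "sub", "username@mycompany.com");
        System.out.println(match(policy, accountId, ok));
        System.out.println(match(policy, accountId, wrongAud));
        System.out.println(match(policy, accountId, wrongIss));
    }
}
```

Only the first call returns a username; the other two return `null` because the audience or issuer does not match the policy.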
You may also need to configure your IdP to generate tokens for your users to exchange with Databricks, if your users do not already have the ability to generate tokens that are compatible with your federation policy.
You do not need to configure an OAuth application in Databricks to use token federation.
[SCIM]: https://docs.databricks.com/admin/users-groups/scim/index.html
| Constructor and Description |
|---|
| `AccountFederationPolicyAPI(AccountFederationPolicyService mock)` Constructor for mocks |
| `AccountFederationPolicyAPI(ApiClient apiClient)` Regular-use constructor |
| Modifier and Type | Method and Description |
|---|---|
| `FederationPolicy` | `create(CreateAccountFederationPolicyRequest request)` Create account federation policy. |
| `FederationPolicy` | `create(FederationPolicy policy)` |
| `void` | `delete(DeleteAccountFederationPolicyRequest request)` Delete account federation policy. |
| `void` | `delete(String policyId)` |
| `FederationPolicy` | `get(GetAccountFederationPolicyRequest request)` Get account federation policy. |
| `FederationPolicy` | `get(String policyId)` |
| `AccountFederationPolicyService` | `impl()` |
| `Iterable<FederationPolicy>` | `list(ListAccountFederationPoliciesRequest request)` List account federation policies. |
| `FederationPolicy` | `update(String policyId, FederationPolicy policy)` |
| `FederationPolicy` | `update(UpdateAccountFederationPolicyRequest request)` Update account federation policy. |
public AccountFederationPolicyAPI(ApiClient apiClient)
public AccountFederationPolicyAPI(AccountFederationPolicyService mock)
public FederationPolicy create(FederationPolicy policy)
public FederationPolicy create(CreateAccountFederationPolicyRequest request)
public void delete(String policyId)
public void delete(DeleteAccountFederationPolicyRequest request)
public FederationPolicy get(String policyId)
public FederationPolicy get(GetAccountFederationPolicyRequest request)
public Iterable<FederationPolicy> list(ListAccountFederationPoliciesRequest request)
public FederationPolicy update(String policyId, FederationPolicy policy)
public FederationPolicy update(UpdateAccountFederationPolicyRequest request)
public AccountFederationPolicyService impl()