Integrating SAP Databricks SCIM API with SAP Identity Services

This blog explores how the Databricks SCIM API works, its Users and Groups endpoints, and how to integrate it with SAP's identity services for automated user provisioning.

SAP Databricks provides a SCIM 2.0 API (System for Cross-domain Identity Management), primarily at the account level, to create, read, update, and delete users, groups, and service principals. This is the recommended and most up-to-date way of provisioning, especially when syncing from IdPs such as SAP Identity Authentication (IAS) together with SAP Identity Provisioning Service (IPS).
This activity is managed entirely by your BTP Administrator, Cloud Identity Admins, or IT Admins.
Access to SAP Databricks itself is granted to your Data Scientists, ML Engineers, or Data Engineers.

Refer to the SAP Help documentation: Managing SAP Databricks Users and Roles

Understanding Databricks SCIM API

What is SCIM?

SCIM 2.0 is an open standard protocol designed to simplify user identity management across cloud-based applications. It provides a RESTful API framework for creating, reading, updating, and deleting user accounts and group memberships.

Databricks SCIM Implementation

Databricks implements SCIM 2.0 to enable automated user provisioning from identity providers (IdPs). The API supports:

User Management: Create, read, update, and deactivate user accounts
Group Management: Manage group memberships and entitlements
Service Principals: Automate authentication for applications
Workspace Administration: Centralized identity governance

API Endpoint Structure:

https://<sap-databricks-instance>/api/2.0/preview/scim/v2/

Users API: Core Operations

Authentication

All SCIM API calls require authentication using a Databricks personal access token or service principal token:

Authorization: Bearer <access-token>
Content-Type: application/scim+json

How to get Service Principal Token (Recommended for Production)

Service principals are the best practice for application-to-application authentication, which is exactly what SAP Identity Provisioning needs in order to sync users from the SAP IAS user store (Identity Authentication User Store).

Step 1: Create a Service Principal

Via SAP Databricks UI:

1. Go to Settings → Admin Console
2. Navigate to Identity and access → Service principals
3. Click Add service principal
4. Fill in the details:
   Name: sap-ips-integration
   Application ID: (auto-generated or specify)
5. Click Add and go to the details page of the service principal you created
6. Click Secrets to generate a secret
7. Set the lifetime (rotate every 90 days, or never)

 

Copy the Secret and the Client ID; both are required to make SCIM API calls.

Test locally to check that a token is generated successfully against the account token endpoint:

https://accounts.cloud.databricks.com/oidc/accounts/<accountID>/v1/token

Retrieving Users

GET /api/2.0/preview/scim/v2/Users
GET /api/2.0/preview/scim/v2/Users/{id}
GET /api/2.0/preview/scim/v2/Users?filter=userName eq "john.doe@company.com"

Retrieving Group Memberships

GET /api/2.0/preview/scim/v2/Groups/{group-id}
GET /api/2.0/preview/scim/v2/Groups?filter=displayName eq "Data Scientists"
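The token test and the Users/Groups lookups above, written out as an added Python example (this is not code from the blog post, SAP, or Databricks). It builds the OAuth client-credentials request for the service principal and properly quoted SCIM filter URLs, and parses a constructed SCIM ListResponse offline. The account ID, client ID, client secret and the SCIM host are placeholders you substitute; the `all-apis` scope and Basic-auth form of the token request are the documented Databricks OAuth machine-to-machine flow, but treat them as an assumption to confirm against your account.

```python
"""Added example: service-principal token request plus SCIM Users/Groups lookups.
Not from the original post; all identifiers below are placeholders (assumptions)."""
import base64
import json
import urllib.parse
import urllib.request

# Placeholders: substitute your own values.
ACCOUNT_ID = "<accountID>"
CLIENT_ID = "<client-id>"
CLIENT_SECRET = "<client-secret>"
SCIM_BASE = "https://<sap-databricks-instance>/api/2.0/preview/scim/v2"


def build_token_request(account_id, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials grant.

    The service principal authenticates with HTTP Basic auth (client_id:client_secret);
    the form body requests the 'all-apis' scope (assumed Databricks M2M flow).
    """
    url = f"https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
    return url, headers, body


def fetch_token(account_id, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the token request and return the bearer token string (network call)."""
    url, headers, body = build_token_request(account_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with opener(req) as resp:
        payload = json.loads(resp.read().decode())
    return payload["access_token"]


def scim_filter_url(base, resource, attribute, value):
    """Build a SCIM list URL with a quoted and URL-encoded 'attribute eq "value"' filter.

    SCIM filter values are double-quoted; embedded quotes and backslashes are escaped
    so an unusual userName cannot alter the filter expression.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    flt = f'{attribute} eq "{escaped}"'
    return f"{base}/{resource}?" + urllib.parse.urlencode({"filter": flt})


def scim_get(url, token, opener=urllib.request.urlopen):
    """GET a SCIM resource with the bearer token and return the parsed JSON (network call)."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def list_resources(payload):
    """Return the Resources array of a SCIM ListResponse (empty list when none)."""
    return list(payload.get("Resources", []))


def group_names(user):
    """Return the display names of the groups a SCIM User resource belongs to."""
    return [g.get("display", g.get("value")) for g in user.get("groups", [])]


# Constructed sample of a ListResponse, shaped like GET /Users?filter=... returns.
SAMPLE_LIST = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"id": "u-1", "userName": "john.doe@company.com", "active": True,
                   "groups": [{"value": "g-1", "display": "Data Scientists"}]}],
}

if __name__ == "__main__":
    # Offline demonstration; with real credentials you would call fetch_token()
    # and pass the token to scim_get(scim_filter_url(...), token).
    print(scim_filter_url(SCIM_BASE, "Users", "userName", "john.doe@company.com"))
    for user in list_resources(SAMPLE_LIST):
        print(user["userName"], group_names(user))
```

The filter helper is the part worth keeping: the blog shows the filter with bare quotes, but the value must be URL-encoded (space, `"` and `@` all need encoding) or the request fails or, worse, matches something other than what you intended.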

To know your Databricks account ID:

Integrate SAP Databricks with SAP Cloud Identity Services securely to automate user and group provisioning across systems.

Refer to the SAP Help documentation: Provisioning Identities

How the integration works (at a glance)

Source: SAP Identity Authentication (IAS)

Holds the users and groups that should access SAP Databricks.
Exposes identities via SCIM-compatible attributes to provisioning.

Orchestration: SAP Identity Provisioning (IPS)

Acts as the bridge: reads from IAS and writes to SAP Databricks.
You define jobs, attribute mappings, filters, and schedules.
Supports delta sync (changes only) and dry-runs.

Target: SAP Databricks (SCIM 2.0)

Receives Users and Groups via the SCIM 2.0 REST API.
Creates/updates accounts, group memberships, and entitlements (e.g., allow-cluster-create, workspace-access).
Deprovisions on disable/delete (soft-delete vs. hard-delete, per IPS configuration).

Once the user sync has succeeded, the SAP Databricks admin can see in the Users list which users have been granted access, with the appropriate role assigned.
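To make the source/orchestration/target flow concrete, here is an added Python example (not SAP's IPS code, nor anything from the blog post) that performs the kind of delta reconciliation a provisioning job does: it compares a constructed IAS view of users and groups with a constructed SCIM target state and emits only the SCIM operations needed, with deprovisioning as either a soft-delete (`active=false`) or a hard `DELETE`. The sample users, group names and ids are constructed; the SCIM paths and PatchOp schema are standard SCIM 2.0.

```python
"""Added example: delta reconciliation of IAS source vs. SCIM target (constructed data).
Not from the original post; it models the behaviour IPS performs, not its code."""
from dataclasses import dataclass, field

# Constructed sample: what the source (IAS) says should exist.
SOURCE_USERS = {
    "john.doe@company.com": {"displayName": "John Doe"},
    "ana.silva@company.com": {"displayName": "Ana Silva"},
}
SOURCE_GROUPS = {
    "Data Scientists": {"john.doe@company.com"},
    "Data Engineers": {"ana.silva@company.com"},
}
# Constructed sample: what the SCIM target currently reports (ids are made up).
TARGET_USERS = {
    "john.doe@company.com": {"id": "u-1", "displayName": "John D.", "active": True},
    "old.user@company.com": {"id": "u-9", "displayName": "Old User", "active": True},
}
TARGET_GROUPS = {
    "Data Scientists": {"id": "g-1", "members": {"john.doe@company.com", "old.user@company.com"}},
}
PATCH_SCHEMA = ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]


@dataclass
class Operation:
    method: str                                  # SCIM HTTP verb: POST, PATCH, DELETE
    path: str                                    # path under the SCIM base URL
    body: dict = field(default_factory=dict)


def reconcile_users(source, target, hard_delete=False):
    """Return the SCIM operations that bring target users in line with source.

    Only differences produce operations (delta sync): missing users are created,
    drifted attributes patched, and users absent from source are deactivated
    (soft-delete) or, with hard_delete=True, removed outright.
    """
    ops = []
    for name, src in source.items():
        tgt = target.get(name)
        if tgt is None:
            ops.append(Operation("POST", "/Users", {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "userName": name, "displayName": src["displayName"], "active": True}))
            continue
        patch = []
        if tgt["displayName"] != src["displayName"]:
            patch.append({"op": "replace", "path": "displayName", "value": src["displayName"]})
        if not tgt.get("active", True):   # re-enable a previously soft-deleted user
            patch.append({"op": "replace", "path": "active", "value": True})
        if patch:
            ops.append(Operation("PATCH", f"/Users/{tgt['id']}",
                                 {"schemas": PATCH_SCHEMA, "Operations": patch}))
    for name, tgt in target.items():
        if name in source:
            continue
        if hard_delete:
            ops.append(Operation("DELETE", f"/Users/{tgt['id']}"))
        elif tgt.get("active", True):
            ops.append(Operation("PATCH", f"/Users/{tgt['id']}", {
                "schemas": PATCH_SCHEMA,
                "Operations": [{"op": "replace", "path": "active", "value": False}]}))
    return ops


def reconcile_groups(source_groups, target_groups, target_users):
    """Return SCIM operations fixing group membership drift.

    Members are referenced by the target's user id. A source member that has no
    target id yet (created in this same run) is left for the next delta cycle,
    which is why provisioning jobs sync users before groups.
    """
    ops = []
    for gname, wanted in source_groups.items():
        tgt = target_groups.get(gname)
        if tgt is None:
            ops.append(Operation("POST", "/Groups", {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                "displayName": gname}))
            continue
        patch = []
        for u in sorted(wanted - tgt["members"]):
            if u in target_users:
                patch.append({"op": "add", "path": "members",
                              "value": [{"value": target_users[u]["id"]}]})
        for u in sorted(tgt["members"] - wanted):
            if u in target_users:
                patch.append({"op": "remove",
                              "path": f'members[value eq "{target_users[u]["id"]}"]'})
        if patch:
            ops.append(Operation("PATCH", f"/Groups/{tgt['id']}",
                                 {"schemas": PATCH_SCHEMA, "Operations": patch}))
    return ops


if __name__ == "__main__":
    for op in reconcile_users(SOURCE_USERS, TARGET_USERS) + \
              reconcile_groups(SOURCE_GROUPS, TARGET_GROUPS, TARGET_USERS):
        print(op.method, op.path, op.body)
```

Run as-is it prints the operations for the sample data; on the sample the stale user is deactivated rather than deleted, which matches the soft-delete default and keeps the account recoverable while its group membership is removed in the same cycle. A dry-run in IPS terms is exactly this list before anything is sent.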
