SAS Viya application access to Databricks using Service Principal (SIMBA Driver)
The SAS Viya platform facilitates connectivity to Databricks via the SAS/ACCESS Interface to Spark, which comes pre-packaged with the Simba Databricks JDBC driver.
While the SAS Viya platform supports various authentication methods—including standard credentials and Single Sign-On (SSO)—implementing Service Principal-based authentication requires a specific configuration. When using the Simba driver for this purpose, your connection string must include the OAuth2 OIDC Discovery Endpoint URL, the Service Principal ID, and the Service Principal Secret.
In this post, I discuss the database access from the SAS Compute Server and CAS to Databricks using an Azure Service Principal with the SIBMA JDBC driver.
SAS Viya applications can leverage an Azure Service Principal for automated, secure connectivity to Databricks. To establish this connection, the Service Principal must first be registered in Microsoft Entra ID, then added to the appropriate Databricks Workspace user group. Finally, it requires explicit access privileges to the necessary Databricks catalogs, databases, schemas, and tables to ensure full end-to-end data integration.
Prerequisites:
The following Prerequisites must be met before a Service Principal can be used to connect and access the Databricks database from SAS Viya applications.
- An Azure Service Principal configured with the Databricks API permission and a Secret.
- The Service Principal was added to the Databricks Workspace user group.
- The Service Principal has read-write access privileges to Databricks Catalog/database/tables.
- SAS Viya applications (Compute and CAS) are configured with the JRE options to support the Apache Arrow library.
An Azure Service Principal with the Databricks API permission and a Secret
The following pics describe a service principal configured with Databricks API Permission and a Secret.
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
Service Principal at the Databricks Workspace user group
The following pics describe the service principal that is part of the Databricks Workspace user group.
Read-write access privileges on Databricks Catalog/database/tables for the Service Principal
The following pics describe the read-write access privileges on the Databricks catalog and database tables for the service principal.
SAS Viya applications JRE option configuration to support the Apache Arrow library
The Simba Databricks JDBC Data Connector uses the Apache Arrow library to efficiently transfer result sets from Databricks to the client. The Arrow library requires the following JRE option for the SAS Compute Server, SAS batch Server, and CAS.
The JRE option for the SAS Studio compute context and the SAS batch server context JREOPTION --add-opens=java.base/java.nio=ALL-UNNAMED.
The JRE option for CAS compute context under sas.cas.instance config: config cas.jreoptions = string.sub(cas.jreoptions, 1, -2) .. ' –add opens=java.base/java.nio=ALL-UNNAMED)'.
Service-Principal-Based access from SAS Compute Server to Azure DataBricks (SIMBA Driver)
With Azure Databricks Workspace, SPARK Cluster, database table, the JDBC driver in place, and pre-requisites met, you can connect and access a Databricks database table from the SAS compute server.
The following code describes the Service-Principal-based access from SAS Compute Server to the Azure Databricks database. Notice, there is no user ID and password in the LIBNAME statement. The properties option contains the Service principal ID, Service Principal Secret, and Oauth2 OIDC Discovery Endpoint URL with AuthMech=11 and Auth_Flow=1.
To access the Unity catalog, the ConnCatalog=; parameter is used with the properties option.
Code:
%let MYDBRICKS=adb-7405619489303584.4.azuredatabricks.net;
%let MYHTTPPATH=sql/protocolv1/o/7405619489303584/0511-195411-cbz969s0;
%let MYSCHEMA=default;
%let MYCATALOG=ws_clove_p41951_viya4_data;
%let MYDRIVERCLASS=com.simba.databricks.jdbc.Driver;
%let MYTNTID=XXXXXXXXXXXX-fa07ff196d;
%let MYCLNT_ID=XXXXXXXXXXX-8ba5-6d06ee6ac1f6;
/* AppReg client secret */
%let MYCLNT_SECRET=XXXXXXXXXXXXXXXB12Tc1.;
libname dbricks spark platform=databricks
driverClass="&MYDRIVERCLASS"
server="&MYDBRICKS"
database="&MYSCHEMA"
port=443
httppath="&MYHTTPPATH"
properties="ConnCatalog=&MYCATALOG;AuthMech=11;Auth_Flow=1;OAuth2ClientId=&MYCLNT_ID;OAuth2Secret=&MYCLNT_SECRET;OIDCDiscoveryEndpoint=https://login.microsoftonline.com/&MYTNTID/v2.0/.well-known/openid-configuration;EnableOIDCDiscovery=true;"
bulkload=no
character_multiplier=1
;
Proc SQL outobs=10;
select * from dbricks.iot_device ;
run;quit;
data dbricks.prdsal2_sas3;
set sashelp.prdsal2 ;
run;
Log:
.........
.....
93 libname dbricks spark platform=databricks
94 driverClass="&MYDRIVERCLASS"
95 server="&MYDBRICKS"
96 database="&MYSCHEMA"
97 port=443
98 httppath="&MYHTTPPATH"
99 properties="ConnCatalog=&MYCATALOG;AuthMech=11;Auth_Flow=1;OAuth2ClientId=&MYCLNT_ID;OAuth2Secret=&MYCLNT_SECRET;
99 ! OIDCDiscoveryEndpoint=https://login.microsoftonline.com/&MYTNTID/v2.0/.well-known/openid-configuration;EnableOIDCDiscovery=true
99 ! ;"
NOTE: The quoted string currently being processed has become more than 262 bytes long. You might have unbalanced quotation marks.
100 bulkload=no
101 character_multiplier=1
102 ;
NOTE: Libref DBRICKS was successfully assigned as follows:
Engine: SPARK
103
104 Proc SQL outobs=10;
105 select * from dbricks.iot_device ;
WARNING: Statement terminated early due to OUTOBS=10 option.
106 run;quit;
NOTE: PROC SQL statements are executed immediately; The RUN statement has no effect.
NOTE: The PROCEDURE SQL printed page 1.
NOTE: PROCEDURE SQL used (Total process time):
real time 17.86 seconds
cpu time 0.10 seconds
107
111
112 data dbricks.prdsal2_sas3;
113 set sashelp.prdsal2 ;
114 run;
NOTE: SAS variable labels, formats, and lengths are not written to DBMS tables.
NOTE: There were 23040 observations read from the data set SASHELP.PRDSAL2.
NOTE: The data set DBRICKS.PRDSAL2_SAS3 has 23040 observations and 11 variables.
NOTE: DATA statement used (Total process time):
real time 1:15.23
cpu time 10.54 seconds
....
...........
Service-Principal-Based access from CAS to Azure DataBricks (SIMBA Driver)
With Azure Databricks Workspace, SPARK Cluster, database table, the JDBC driver in place, and pre-requisites met, you can connect and load/save a CAS table from the Azure Databricks table.
The Service Principal (aka Entra ID application) must have an API permission for the Azure DataBricks. The Databricks Workspace and catalogs are configured with the access permissions for the service principal.
The following code describes the Service-Principal-based access from CAS to the Azure Databricks database. Notice, there is no user ID and password in the CASLIB statement. The properties option contains the Service principal ID, Service Principal Secret, and Oauth2 OIDC Discovery Endpoint URL with AuthMech=11 and Auth_Flow=1.
To access the Unity catalog, the ConnCatalog=; parameter is used with the properties option.
Code:
%let MYDBRICKS=adb-7405619489303584.4.azuredatabricks.net;
%let MYHTTPPATH=sql/protocolv1/o/7405619489303584/0511-195411-cbz969s0;
%let MYSCHEMA=default;
%let MYCATALOG=ws_clove_p41951_viya4_data;
%let MYDRIVERCLASS=com.simba.databricks.jdbc.Driver;
%let MYTNTID=XXXXXXXXXXXX-fa07ff196d;
%let MYCLNT_ID=XXXXXXXXXXX-8ba5-6d06ee6ac1f6;
/* AppReg client secret */
%let MYCLNT_SECRET=XXXXXXXXXXXXXXXB12Tc1.;
CAS mySession SESSOPTS=( CASLIB=casuser TIMEOUT=99 LOCALE="en_US");
/* Service Principal based CASLIB to Databricks */
caslib Cdtspkcaslib datasource=(srctype='spark',
platform=databricks,
schema="&MYSCHEMA",
server="&MYDBRICKS",
httpPath="&MYHTTPPATH",
driverclass="&MYDRIVERCLASS",
bulkload=no,
port=443,
useSsl=yes,
charMultiplier=1,
dbmaxText=50, properties="ConnCatalog=&MYCATALOG;AuthMech=11;Auth_Flow=1;OAuth2ClientId=&MYCLNT_ID;OAuth2Secret=&MYCLNT_SECRET;OIDCDiscoveryEndpoint=https://login.microsoftonline.com/&MYTNTID/v2.0/.well-known/openid-configuration;EnableOIDCDiscovery=true;"
);
/* Load CAS from DataBricks database table */
proc casutil outcaslib="Cdtspkcaslib" incaslib="Cdtspkcaslib" ;
load casdata="iot_device" casout="iot_device" replace;
list tables;
quit;
/* Save CAS data to DataBricks database */
proc casutil outcaslib="Cdtspkcaslib" incaslib="Cdtspkcaslib";
load data=sashelp.cars casout="cars" replace;
save casdata="cars" casout="cars_sas" replace;
list files;
quit;
CAS mySession TERMINATE;
Log:
95 /* Service Principal based CASLIB to Databricks */
96 caslib Cdtspkcaslib datasource=(srctype='spark',
97 platform=databricks,
98 schema="&MYSCHEMA",
99 server="&MYDBRICKS",
100 httpPath="&MYHTTPPATH",
101 driverclass="&MYDRIVERCLASS",
102 bulkload=no,
103 port=443,
104 useSsl=yes,
105 charMultiplier=1,
106 dbmaxText=50,
107 properties="ConnCatalog=&MYCATALOG;AuthMech=11;Auth_Flow=1;OAuth2ClientId=&MYCLNT_ID;OAuth2Secret=&MYCLNT_SECRET;
107! OIDCDiscoveryEndpoint=https://login.microsoftonline.com/&MYTNTID/v2.0/.well-known/openid-configuration;EnableOIDCDiscovery=true
107! ;"
NOTE: The quoted string currently being processed has become more than 262 bytes long. You might have unbalanced quotation marks.
108 );
NOTE: 'CDTSPKCASLIB' is now the active caslib.
NOTE: Cloud Analytic Services added the caslib 'CDTSPKCASLIB'.
NOTE: Action to ADD caslib CDTSPKCASLIB completed for session MYSESSION.
109
114 /* Load CAS from DataBricks database table */
115 proc casutil outcaslib="Cdtspkcaslib" incaslib="Cdtspkcaslib" ;
NOTE: The UUID 'c6570a39-a199-b64e-81ac-fb2e3148e45e' is connected using session MYSESSION.
116 load casdata="iot_device" casout="iot_device" replace;
NOTE: Performing serial LoadTable action using SAS Data Connector to Spark.
NOTE: Cloud Analytic Services made the external data from iot_device available as table IOT_DEVICE in caslib Cdtspkcaslib.
NOTE: The Cloud Analytic Services server processed the request in 7.784973 seconds.
117 list tables;
Caslib Information
Library CDTSPKCASLIB
Source Type spark
CharMultiplier 1
Session local Yes
Active Yes
Personal No
Hidden No
Transient No
TableRedistUpPolicy Not Specified
Schema default
HiveClass com.simba.databricks.jdbc.Driver
BulkLoad false
HttpPath sql/protocolv1/o/7405619489303584/0511-195411-cbz969s0
UseSsl yes
Server adb-7405619489303584.4.azuredatabricks.net
Port 443
DbmaxText 50
Platform databricks
Table Information for Caslib CDTSPKCASLIB
Number Number Indexed NLS Promoted Repeated
Table Name of Rows of Columns Columns encoding Created Last Modified Table Table
IOT_DEVICE 198164 15 0 utf-8 2026-05-12T14:57:11+00:00 2026-05-12T14:57:11+00:00 No No
Table Information for Caslib CDTSPKCASLIB
Java
Source Source Character Multi
Table Name View Name Caslib Compressed Accessed Set Part
IOT_DEVICE No iot_device CDTSPKCASLIB No 2026-05-12T14:57:11+00:00 UTF8 No
Table Information for Caslib CDTSPKCASLIB
Table
Redistribute Up
Table Name Creator Policy
IOT_DEVICE geldmui@gelenable.sas.com Not Specified
NOTE: Cloud Analytic Services processed the combined requests in 0.010191 seconds.
118 quit;
NOTE: PROCEDURE CASUTIL used (Total process time):
real time 7.83 seconds
cpu time 0.06 seconds
119
120 /* Save CAS data to DataBricks database */
121 proc casutil outcaslib="Cdtspkcaslib" incaslib="Cdtspkcaslib";
NOTE: The UUID 'c6570a39-a199-b64e-81ac-fb2e3148e45e' is connected using session MYSESSION.
122 load data=sashelp.cars casout="cars" replace;
NOTE: The INCASLIB= option is ignored when using the DATA= option in the LOAD statement.
NOTE: SASHELP.CARS was successfully added to the "CDTSPKCASLIB" caslib as "CARS".
123 save casdata="cars" casout="cars_sas" replace;
NOTE: Performing serial SaveTable action using SAS Data Connector to Spark.
NOTE: Cloud Analytic Services saved the file cars_sas in caslib CDTSPKCASLIB.
NOTE: The Cloud Analytic Services server processed the request in 6.079864 seconds.
124 list files;
Caslib Information
Library CDTSPKCASLIB
Source Type spark
CharMultiplier 1
Session local Yes
Active Yes
Personal No
Hidden No
Transient No
TableRedistUpPolicy Not Specified
Schema default
HiveClass com.simba.databricks.jdbc.Driver
BulkLoad false
HttpPath sql/protocolv1/o/7405619489303584/0511-195411-cbz969s0
UseSsl yes
Server adb-7405619489303584.4.azuredatabricks.net
Port 443
DbmaxText 50
Platform databricks
CAS File Information
Name Catalog Schema Type Description
cars_sas CDTSPKCASLIB default TABLE
iot_device CDTSPKCASLIB default TABLE
prdsal2_sas3 CDTSPKCASLIB default TABLE
NOTE: Cloud Analytic Services processed the combined requests in 0.865737 seconds.
125 quit;
NOTE: PROCEDURE CASUTIL used (Total process time):
real time 7.00 seconds
cpu time 0.08 seconds
............
..............
Important Links:
Scenario: OIDC with Microsoft Entra ID (Azure Active Directory)
Troubleshooting Spark Connection Problems
Find more articles from SAS Global Enablement and Learning here.
