
External OAuth for Snowflake

Availability information

The ability to set up external identity providers for Snowflake is off by default. Contact your DataRobot representative or administrator for information on enabling the feature.

Feature flag: Enables External Identity Providers for Snowflake SSO

Now available for public preview: you can set up Snowflake data connections that authenticate users through OAuth single sign-on (SSO) with an external identity provider (IdP), either Okta or Azure Active Directory. Identity providers create and maintain identity information and provide authentication services to other applications, so a user can access applications securely without creating a new username or password for each one. With this flow the user authenticates to the IdP, and Snowflake accepts the OAuth token the IdP issues in place of a Snowflake password.

For more information on connecting to Snowflake, including troubleshooting steps, see the Snowflake documentation.

Prerequisites

The following is required before connecting to Snowflake in DataRobot, depending on which IdP you use:

Okta

  • A Snowflake account.
  • External OAuth configured in Snowflake for Okta.

External OAuth with security integrations

If using Okta as the external identity provider (IdP), you must specify http://localhost/account/snowflake/snowflake_authz_return as a Sign-in redirect URI when creating a new App integration in Okta. The http://localhost form applies to a DataRobot instance running locally; for a deployed instance use https://<datarobot_app_server>/account/snowflake/snowflake_authz_return, because the IdP only redirects to a URI that matches the registered value exactly.

Azure AD

  • A Snowflake account.
  • External OAuth configured in Snowflake for Microsoft Azure AD.

External OAuth with security integrations

If using Azure AD as the external identity provider (IdP), you must specify https://<datarobot_app_server>/account/snowflake/snowflake_authz_return as a Redirect URI when registering both applications in Azure AD.

External IdP setup

Note

This section uses example configurations for setting up an external IdP. For information on setting up an external IdP based on your specific environment and requirements, see the documentation for Okta or Azure AD.

In the appropriate external IdP, create the Snowflake application(s):

Create a new App Integration in Okta:

  1. Go to Applications > Applications.
  2. Click Create App Integration.
  3. For the Sign-in method, select OIDC - OpenID Connect.
  4. For the Application type, select Web Application.
  5. Click Next.
  6. Make sure the following options are selected:

    • Client Credentials (grant type)
    • Authorization Code (grant type)
    • Refresh Token (grant type)
    • Require consent (user consent)
  7. Under LOGIN, add http://localhost/account/snowflake/snowflake_authz_return to the Sign-in redirect URIs (or the https://<datarobot_app_server> form for a deployed instance, as described in the prerequisites).

  8. Saving the integration produces your Client ID and Client secret; record both for the DataRobot setup below and treat the secret as a credential.

Now, create a new Authorization Server:

  1. Go to Security > API > Add Authorization Server.

    • Set Audience to https://<partner_name>.snowflakecomputing.com/, where <partner_name> is the datarobot_partner (the Snowflake account identifier, as in the reference values below) for the current DataRobot Snowflake instance. This value must match an entry in external_oauth_audience_list in the Snowflake security integration exactly, trailing slash included, because Snowflake compares the token's aud claim as a string.
  2. Go to Scopes > Add Scope.

    • Set Name to session:role:public (the scope names the Snowflake role the token may assume, in the form session:role:<role>).
    • Check Require user consent for this scope and Block services from requesting this scope.
    • (Optional) Set the offline_access scope to require consent.
  3. Go to Access Policies > Add Rule and add a rule with the following settings:

    • Under Grant type, check Client Credentials.
    • Under Grant type, check Authorization Code.
    • Add the client integration (created above) to the Assigned to clients field.
  4. Go to Tokens and click Create token. This creates an Okta API token: it is displayed only once, carries the permissions of the administrator who created it, and is what the SSWS Authorization header in the API calls below expects, so store it in a secrets manager rather than in scripts.

  5. This results in the following:

    • Issuer, for example, https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7.
    • API token for programmatic access to the Okta API.
    • Auth server metadata JSON (found in Settings > Metadata URI); its jwks_uri entry is the value for external_oauth_jws_keys_url in the Snowflake integration.

Okta API calls

The calls below authenticate with the Okta API token created in step 4 of the Authorization Server setup, passed in the SSWS Authorization header. They let an administrator confirm who the token acts as, list the consent grants a user has given the DataRobot client integration, and revoke a grant, which forces the user to re-consent on the next sign-in.

Get current user

curl --location --request GET 'https://<OKTA_ACCOUNT>.okta.com/api/v1/users/me' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <TOKEN>'

Get the user's grants

curl --location --request GET 'https://<OKTA_ACCOUNT>.okta.com/api/v1/users/<USER_ID>/clients/<CLIENT_ID>/grants' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <TOKEN>'

Revoke grant/consent

curl --location --request DELETE 'https://<OKTA_ACCOUNT>.okta.com/api/v1/users/<USER_ID>/grants/<GRANT_ID>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <TOKEN>'

Register an application for Snowflake Resource in Azure AD:

  1. Go to MS Azure > Azure AD > App registrations.
  2. Click New registration.

    • Under Name, enter Snowflake Resource.
    • Under Supported account types, select Accounts in this organizational directory only.
    • Under Redirect URI, select Web and enter http://localhost/account/snowflake/snowflake_authz_return (or https://<datarobot_app_server>/account/snowflake/snowflake_authz_return for a deployed instance, as described in the prerequisites).
    • Click Register.
  3. Expose the API.

    • Set the Application ID URI to refer to the Snowflake URI (e.g., https://hl91180.us-east-2.aws.snowflakecomputing.com). Snowflake checks the token's audience against external_oauth_audience_list in the security integration, so the two values must agree.
    • Add a scope to reference the existing Snowflake role; the scope is prefixed with the Application ID URI (e.g., https://hl91180.us-east-2.aws.snowflakecomputing.com/session:scope:public).

Register an application for Snowflake Client App in Azure AD:

  1. Go to MS Azure > Azure AD > App registrations.
  2. Click New registration.

    • Under Name, enter Snowflake Client App.
    • Under Supported account types, select Accounts in this organizational directory only.
    • Under Redirect URI, select Web and enter http://localhost/account/snowflake/snowflake_authz_return (or the https://<datarobot_app_server> form for a deployed instance).
    • Click Register.
  3. Go to Certificates & secrets (the Client credentials link on the Overview page) > New client secret and copy the value. The value is displayed only at this step and cannot be retrieved later; store it as a secret for the DataRobot credential.

  4. Go to API permissions > Add a permission > My APIs > Snowflake Resource and choose the scope created above for Snowflake Resource (session:scope:public).
  5. This results in the following:

    • Snowflake Client App: Client ID and Client secret
    • JWKS URI (<external_oauth_jws_keys_url> in the Snowflake integration)

      • Go to Snowflake Client App > Overview > Endpoints > OpenID Connect metadata document, open the document in a browser, and search for jwks_uri (e.g., https://login.microsoftonline.com/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/discovery/v2.0/keys).
    • Entity ID (<external_oauth_issuer> in the Snowflake integration)

      • Go to Snowflake Client App > Overview > Endpoints > Federation metadata document, open the document in a browser, and search for entityID (e.g., https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/).

Snowflake setup

Note

This section uses example configurations for setting up an external IdP in Snowflake. For information on setting up an external IdP in Snowflake based on your specific environment and requirements, see the Snowflake documentation.

In Snowflake, create an integration for the appropriate external IdP. CREATE SECURITY INTEGRATION requires the CREATE INTEGRATION privilege, which by default only ACCOUNTADMIN holds. Snowflake validates every token against the values in the integration: the signature with the keys served at external_oauth_jws_keys_url, the iss claim against external_oauth_issuer, the aud claim against external_oauth_audience_list, and the mapping claim (sub for Okta, upn for Azure AD) against the user's LOGIN_NAME. A mismatch in any one of them rejects the login, so copy these values exactly, trailing slashes included.

For Okta:

create security integration external_oauth_okta_2
    type = external_oauth
    enabled = true
    external_oauth_type = okta
    external_oauth_issuer = '<OKTA_ISSUER>'
    external_oauth_jws_keys_url = '<JWKS_URI>'
    external_oauth_audience_list = ('<AUDIENCE>')
    external_oauth_token_user_mapping_claim = 'sub'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

-- The token's sub claim must equal this user's LOGIN_NAME.
-- CREATE OR REPLACE drops and recreates an existing user together with its
-- grants; for an existing user, use ALTER USER ... SET LOGIN_NAME instead.
CREATE OR REPLACE USER <user_name>
  LOGIN_NAME = '<okta_user_name>';

-- DEFAULT_ROLE must be a role the user has been granted, and the role named in
-- the token's session:role:<role> scope must be granted to the user as well.
alter user <user_name> set DEFAULT_ROLE = 'PUBLIC';

Reference values:

  • OKTA_ISSUER: https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7
  • AUDIENCE: https://hl91180.us-east-2.aws.snowflakecomputing.com/
  • JWKS_URI: https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7/v1/keys (retrieved from the Okta Auth server Metadata JSON)
  • okta_user_name (retrieved from Okta > Directory > People, select a user, and then go to Profile > Username/login)

For Azure AD:

create security integration external_oauth_azure_1
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = 'https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/'
    external_oauth_jws_keys_url = 'https://login.microsoftonline.com/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/discovery/v2.0/keys'
    external_oauth_audience_list = ('https://hl91180.us-east-2.aws.snowflakecomputing.com/')
    external_oauth_token_user_mapping_claim = 'upn'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

To troubleshoot a token that Snowflake rejects, the SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN function accepts an access token and reports which validation step failed.
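The security integrations above tell Snowflake how to validate each bearer token: look up the signing key by kid at external_oauth_jws_keys_url, verify the RS256 signature, and then require the issuer, audience, expiry, user-mapping claim and a session role scope to match. The following Python script, added here as an illustration and not DataRobot, Okta, Azure AD or Snowflake code, models those checks offline so you can see which step rejects a token. It mints its own tokens with a toy RSA key built from two Mersenne primes (trivially factorable, for the demo only), reuses the placeholder issuer, audience and JWKS values from this page, and assumes the role scope arrives in a scp claim (a list for Okta, a space-separated string for Azure AD); the error texts are this script's, not Snowflake's.

```python
"""Offline model of the checks a Snowflake External OAuth security integration
applies to a bearer token, with RS256 signing and verification in pure Python.
Added example, not DataRobot, Okta, Azure AD or Snowflake code. The RSA key
(two Mersenne primes, trivially factorable) and every token are constructed."""
import base64, hashlib, hmac, json, time

P, Q = (1 << 521) - 1, (1 << 607) - 1        # toy modulus, about 1128 bits
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KID = "demo-key-1"
SNOWFLAKE_AUD = "https://hl91180.us-east-2.aws.snowflakecomputing.com/"

# Placeholder values mirroring the two security integrations on this page.
OKTA_INTEGRATION = {
    "external_oauth_issuer": "https://dev-11863425.okta.com/oauth2/aus15ca55wkdOxplJ5d7",
    "external_oauth_audience_list": [SNOWFLAKE_AUD],
    "external_oauth_token_user_mapping_claim": "sub"}
AZURE_INTEGRATION = {
    "external_oauth_issuer": "https://sts.windows.net/6064c47c-80e4-4a2b-82ee-1fc5643b37a2/",
    "external_oauth_audience_list": [SNOWFLAKE_AUD],
    "external_oauth_token_user_mapping_claim": "upn"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _int_b64url(i: int) -> str:
    return b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))

# The kind of document Snowflake fetches from external_oauth_jws_keys_url.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": _int_b64url(N), "e": _int_b64url(E)}]}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg): 00 01 FF..FF 00 DigestInfo."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign_rs256(claims: dict) -> str:
    """Mint a JWT the way the IdP would, signed with the toy key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    em_len = (N.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), em_len), "big")
    return signing_input + "." + b64url(pow(m, D, N).to_bytes(em_len, "big"))

def _verify_rs256(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    em_len = (n.bit_length() + 7) // 8
    if len(sig) != em_len:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(em_len, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, em_len))

def validate_for_snowflake(token: str, jwks: dict, integration: dict, now: float = None) -> dict:
    """Apply the integration's checks in order; return the login_name and role
    the token maps to, or raise ValueError naming the check that failed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":                       # refuse none/HS256
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("kid not found in JWKS")
    if not _verify_rs256(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), jwk):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != integration["external_oauth_issuer"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(integration["external_oauth_audience_list"]):   # exact match
        raise ValueError(f"audience mismatch: {aud!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    login = claims.get(integration["external_oauth_token_user_mapping_claim"])
    if not login:
        raise ValueError("user mapping claim missing")
    # Assumption: the role scope arrives in scp, a list (Okta) or a
    # space-separated string (Azure AD), as session:role:<r> or session:scope:<r>.
    scp = claims.get("scp", [])
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    roles = [s.split(":", 2)[2] for s in scopes
             if s.startswith(("session:role:", "session:scope:"))]
    if not roles and integration.get("external_oauth_any_role_mode", "DISABLE") == "DISABLE":
        raise ValueError("no session role scope and external_oauth_any_role_mode is DISABLE")
    return {"login_name": login, "role": roles[0] if roles else None}

if __name__ == "__main__":
    tok = sign_rs256({"iss": OKTA_INTEGRATION["external_oauth_issuer"], "aud": SNOWFLAKE_AUD,
                      "sub": "jdoe@example.com", "exp": time.time() + 600, "scp": ["session:role:public"]})
    print(validate_for_snowflake(tok, JWKS, OKTA_INTEGRATION))
```

Feeding it tokens of the Okta shape (sub plus a scp list) and the Azure AD shape (upn plus a scp string) yields a login name and role, while an audience without the trailing slash, an expired token, a payload swapped under another token's signature, and an alg of none are each rejected at the corresponding check. The same ordering is why a wrong external_oauth_jws_keys_url or issuer fails before any user or role mapping is consulted.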

DataRobot setup

In DataRobot, add the external IdP credentials to set up the Snowflake data connection. There are two ways to do this: by testing a new data connection or on the Credentials Management page.

To create a new Snowflake data connection using external IdP parameters:

  1. Navigate to User Settings > Data Connections.
  2. Create a new Snowflake data connection.
  3. Test the data connection.
  4. In the Test Data Connection window, select your OAuth provider from the dropdown, either Okta or Azure AD, and fill in the additional required fields.

  5. To finish setup, follow the remaining instructions for Snowflake data connections with OAuth.

To add stored credentials for an external IdP:

  1. Navigate to User Settings > Credentials Management.
  2. To add a new set of stored credentials, click Add new.
  3. In the Add Credentials window, select Snowflake OAuth as the credential type.

  4. Select your OAuth provider from the dropdown, either Okta or Azure AD, and fill in the additional required fields.

Required parameters

In addition to the required fields listed below, other available configuration options are described in the Snowflake documentation.

Required fields for data connection

  • address: A connection object that stores a secure connection URL to connect to Snowflake. Example: {account_name}.snowflakecomputing.com (Snowflake documentation)
  • warehouse: A unique identifier for your virtual warehouse. (Snowflake documentation)
  • db: A unique identifier for your database. (Snowflake documentation)

Required fields for credentials

  • Client ID: The public identifier for your application. In the Okta Admin console, go to Applications > Applications > Your OpenID Connect web app > Sign On tab > Sign On Methods. In Azure AD, this is also known as the application ID. (Okta or Azure AD documentation)
  • Client secret: A confidential value used to authenticate your application. In the Okta Admin console, go to Applications > Applications > Your OpenID Connect web app > Sign On tab > Sign On Methods. In Azure AD, this is also known as the application secret. Anyone holding it can obtain tokens as the application, so store it only in DataRobot's credential store. (Okta or Azure AD documentation)
  • Snowflake account name: A unique identifier for your Snowflake account within an organization. (Snowflake documentation)
  • Issuer URL: A URL that uniquely identifies your OAuth identity provider; "Issuer" refers to the Entity ID of your identity provider. Examples: Okta: https://<your_company>.okta.com/oauth2/<auth_server_id>; Azure AD: https://login.microsoftonline.com/<snowflake_resource_app_id> (the Azure AD examples elsewhere on this page place the tenant ID in this position of the login.microsoftonline.com URL). (Okta or Azure AD documentation)
  • Scopes: Contains the name of your Snowflake role. Examples for a Snowflake role named analyst: Okta: session:role:analyst; Azure AD: <client_app_id>/session:scope:analyst, where the prefix must match the Application ID URI under which the scope was exposed on the Snowflake Resource registration. (Snowflake documentation)

Reach out to your administrator for the appropriate values for these fields.


Updated December 2, 2022