External OAuth for Snowflake

Availability information

The ability to set up external identity providers for Snowflake is off by default. Contact your DataRobot representative or administrator for information on enabling the feature.

Feature flag: Enables External Identity Providers for Snowflake SSO

Now available for public preview, Snowflake data connections can use an external identity provider (IdP), either Okta or Azure Active Directory, for user authentication through OAuth single sign-on (SSO). Identity providers create and maintain identity information and provide authentication services to other applications, allowing a user to securely access applications without creating new passwords or usernames.

Before creating a data connection in DataRobot, you must first configure Snowflake as an OAuth Resource and Okta or Azure Active Directory as an External OAuth authorization server.

There are two ways to add external IdP credentials for a Snowflake data connection: by testing a new data connection or on the Credentials Management page. The two procedures below describe each method.

To create a new Snowflake data connection using external IdP parameters:

  1. Navigate to User Settings > Data Connections.
  2. Create a new Snowflake data connection.
  3. Test the data connection.
  4. In the Test Data Connection window, select your OAuth provider from the dropdown (either Okta or Azure AD) and fill in the additional required fields.

  5. To finish setup, follow the remaining instructions for Snowflake data connections with OAuth.

To add stored credentials for an external IdP:

  1. Navigate to User Settings > Credentials Management.
  2. To add a new set of stored credentials, click Add new.
  3. In the Add Credentials window, select Snowflake OAuth as the credential type.

  4. Select your OAuth provider from the dropdown (either Okta or Azure AD) and fill in the additional required fields.

External IdP parameters

The table below describes the additional required fields to connect to Okta or Azure AD:

| Parameter | Description |
|-----------|-------------|
| IssuerURL | The IdP that DataRobot will use to redirect users for authorization. |
| Scope | Used during the token acquisition process and must be pre-configured in Snowflake. |

Example parameters

Okta

IssuerURL: https://<your_company>.oktapreview.com/oauth2/<auth_server_id>; https://<your_company>.okta.com/oauth2/<auth_server_id>

Scope: session:role:public

Azure AD

IssuerURL: https://login.microsoftonline.com/<snowflake_resource_app_id>

Scope: <client_app_id>/session:scope:public

The following are examples of <client_app_id> in an Azure AD Scope:

  • api://2a1c2c3d-2b27-4542-8f36-d5d4f444149a
  • https://<org_name>.snowflakecomputing.com

Reach out to your administrator for the appropriate values for these fields.
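
The Snowflake-side prerequisite for the Okta values above, as an added example that is not taken from the DataRobot documentation: a security integration that registers Okta as the External OAuth authorization server. The integration name is hypothetical, and the audience value and the `sub`-to-`LOGIN_NAME` user mapping are assumptions that must match how your Okta authorization server is configured.

```sql
-- Added example, run by a Snowflake administrator.
-- datarobot_okta_external_oauth is a hypothetical name; <...> values are placeholders.
CREATE SECURITY INTEGRATION datarobot_okta_external_oauth
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  -- Must be the same issuer that is entered as IssuerURL in DataRobot.
  EXTERNAL_OAUTH_ISSUER = 'https://<your_company>.okta.com/oauth2/<auth_server_id>'
  -- Okta publishes the signing keys for an authorization server under /v1/keys.
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://<your_company>.okta.com/oauth2/<auth_server_id>/v1/keys'
  -- Assumption: the Okta authorization server issues tokens whose audience
  -- is the Snowflake account URL.
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<org_name>.snowflakecomputing.com')
  -- Assumption: the token's "sub" claim holds the value stored as the
  -- Snowflake user's LOGIN_NAME.
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
  -- Require an explicit session:role:<role> scope in the token, so a
  -- Scope of session:role:public can only open a session as PUBLIC.
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'DISABLE';

-- Review the resulting settings, including the blocked roles list,
-- before handing the IssuerURL and Scope values to DataRobot users.
DESC SECURITY INTEGRATION datarobot_okta_external_oauth;
```

Keeping the scope limited to a low-privilege role and leaving any-role mode disabled means a token obtained through DataRobot cannot be used to assume a more privileged Snowflake role.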


Updated November 8, 2021