External OAuth for Snowflake
Availability information
The ability to set up external identity providers for Snowflake is off by default. Contact your DataRobot representative or administrator for information on enabling the feature.
Feature flag: Enables External Identity Providers for Snowflake SSO
Now available for public preview: you can set up Snowflake data connections that use an external identity provider (IdP), either Okta or Azure Active Directory, for user authentication through OAuth single sign-on (SSO). Identity providers create and maintain identity information and provide authentication services to other applications, allowing a user to securely access applications without creating new passwords or usernames.
Before creating a data connection in DataRobot, you must first configure Snowflake as an OAuth Resource and Okta or Azure Active Directory as an External OAuth authorization server.
There are two ways to add external IdP credentials for a Snowflake data connection: by testing a new data connection or on the Credentials Management page. Both procedures are described below.
To create a new Snowflake data connection using external IdP parameters:
- Navigate to User Settings > Data Connections.
- Create a new Snowflake data connection.
- Test the data connection.
- In the Test Data Connection window, select your OAuth provider from the dropdown (either Okta or Azure AD) and fill in the additional required fields.
- To finish setup, follow the remaining instructions for Snowflake data connections with OAuth.
To add stored credentials for an external IdP:
- Navigate to User Settings > Credentials Management.
- To add a new set of stored credentials, click Add new.
- In the Add Credentials window, select Snowflake OAuth as the credential type.
- Select your OAuth provider from the dropdown (either Okta or Azure AD) and fill in the additional required fields.
External IdP parameters
The table below describes the additional required fields to connect to Okta or Azure AD:
Parameter | Description |
---|---|
IssuerURL | The IdP that DataRobot will use to redirect users for authorization. |
Scope | Used during the token acquisition process and must be pre-configured in Snowflake. |
Example parameters
Okta
IssuerURL: https://<your_company>.oktapreview.com/oauth2/<auth_server_id> or https://<your_company>.okta.com/oauth2/<auth_server_id>
Scope: session:role:public
Azure AD
IssuerURL: https://login.microsoftonline.com/<snowflake_resource_app_id>
Scope: <client_app_id>/session:scope:public
The following are examples of <client_app_id> in an Azure AD Scope:
- api://2a1c2c3d-2b27-4542-8f36-d5d4f444149a
- https://<org_name>.snowflakecomputing.com
Reach out to your administrator for the appropriate values for these fields.
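A pre-flight check for the IssuerURL and Scope values before they are entered in DataRobot, as an added example that is not DataRobot or Snowflake code. The accepted shapes come from the example parameters above; the function name `check_idp_params`, the privileged-role deny-list and the sample values (`acme`, `aus123`) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Issuer shapes follow the example parameters on this page.
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com")
AZURE_HOST = "login.microsoftonline.com"
# Assumption: administrative roles this example refuses to request.
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "ORGADMIN", "SECURITYADMIN"}
SCOPE_RE = re.compile(
    r"^(?:(?P<app>\S+)/)?session:(?P<kind>role|scope):(?P<role>[A-Za-z0-9_$]+)$")


def check_idp_params(provider, issuer_url, scope):
    """Return a list of problems; an empty list means both fields look sane."""
    problems = []
    url = urlsplit(issuer_url.strip())
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        problems.append("issuer must use https")
    if url.username or url.query or url.fragment:
        problems.append("issuer must not carry credentials, query or fragment")
    if provider == "okta":
        if not host.endswith(OKTA_SUFFIXES):
            problems.append("issuer host is not an Okta domain")
        if not re.fullmatch(r"/oauth2/[^/]+/?", url.path):
            problems.append("issuer path should be /oauth2/<auth_server_id>")
    elif provider == "azure":
        if host != AZURE_HOST:
            problems.append("issuer host is not login.microsoftonline.com")
        if not url.path.strip("/"):
            problems.append("issuer path is missing its id segment")
    else:
        problems.append("unknown provider")
    m = SCOPE_RE.match(scope.strip())
    if not m:
        return problems + ["scope is not [<client_app_id>/]session:<role|scope>:<name>"]
    # Azure AD scopes on this page are prefixed with the app id URI; Okta ones are not.
    if (provider == "azure") != bool(m["app"]):
        problems.append("app id prefix does not match the provider")
    if m["role"].upper() in PRIVILEGED_ROLES:
        problems.append("scope requests a privileged role: " + m["role"])
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real tenants.
    print(check_idp_params("okta", "https://acme.okta.com/oauth2/aus123", "session:role:public"))
    print(check_idp_params("okta", "http://acme.okta.com.example.net/x", "session:role:ACCOUNTADMIN"))
```

The host check compares the parsed hostname rather than searching the raw string, so a look-alike issuer such as `acme.okta.com.example.net` is rejected.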