Configure Okta OAuth for a Snowflake connection

ThoughtSpot supports Okta OAuth for a Snowflake connection.

To configure Okta OAuth for Snowflake, you create an app in the Identity Provider and use the app’s credentials to register it in Snowflake as an external token provider. Once these steps are completed, Snowflake will allow connections issued by the IdP.

The steps provided here are an example of how you can configure Okta for external OAuth. You can use any OAuth flow provided that you can get the information required for the security integration. The following steps provide a guide for getting the information required to create the security integration for Snowflake.

Be sure to consult your organization’s security policies for configuring an authorization server to make sure you meet all requirements.

Part 1: Configuring the IdP with Okta

The following steps detail the configuration of IdP with Okta as an example. You can set up any other OpenID Connect (OIDC)-based IdP providers following a similar process. For details, refer to the respective documentation for those.

To configure the IdP with Okta, do the following:

Sign in to the Okta console with a user having administrator privileges. Navigate to the Applications page in the console and select Create App Integration.
For sign-in method, choose OIDC - OpenID Connect.
For application type, choose Web Application
Select Next.
Under Grant type, make sure Authorization Code and Refresh Token are selected.
For Sign-in redirect URIs, add the ThoughtSpot redirect URI for the application.

It should follow this format:

https://<your-thoughtspot-instance-host>/callosum/v1/connection/generateTokens
Assign the application to everyone in the organization or to specific groups. This step may vary for other IdPs.
Collect the client credentials from the application home page and make a note of them. These will be required later for adding the external token provider in Snowflake.
Go to Security API, and make a note of the value for Audience. This is required in a later step for configuring the OpenID well-known URI for the authorization server.

For Okta, it should follow this format:

https://<organization>.okta..com/oauth2/<unique_id>/.well-known/oauth-authorization-server
Open the URL in a browser and make a note of the values for the following parameters:
- Issuer
- Authorization endpoint
- JWKS URI
- Token endpoint

Part 2: Create Snowflake scopes in Okta

To create scopes in Okta that correspond to your Snowflake database, do the following:

Navigate to Security API.
Select the authorization server used by the client application created in the previous steps to add scopes.
Add snowflake roles in the format: session:role:<snowflake_db_role>.

The scope "role-any" has a special purpose. For details, see Using ANY Role with External OAuth in Snowflake’s documentation.

Part 3: Create security integration in Snowflake

Create a security integration in your Snowflake database using the following command:

create security integration external_oauth_okta_2
    type = external_oauth
    enabled = true
    external_oauth_type = okta
    external_oauth_any_role_mode = 'ENABLE'
    external_oauth_issuer = '<OKTA_ISSUER>'
    external_oauth_jws_keys_url = '<OKTA_JWS_KEY_ENDPOINT>'
    external_oauth_audience_list = ('<SNOWFLAKE_AUDIENCE>')
    external_oauth_token_user_mapping_claim = 'sub'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

If you want to ensure your Okta OAuth configuration is correct for use with ThoughtSpot, you can validate it following procedures similar to those in Validating your Azure configuration.

Logging in to a connection created by another user using OAuth

As an admin user, you may run into an issue logging in to connections created using OAuth. To resolve this issue, complete the following steps:

Search on a table belonging to the connection you are trying to edit. The following error appears:
Click Login. You will be directed to the IDP login page.
Enter your login credentials.
You will now have access to edit the connection.

OAuth connection improvements

If you do not have a valid OAuth access token, you can now directly navigate to the OAuth authorization screen when performing one of the following actions on a connection shared with you:

View sample data
Create a custom SQL view
Edit the connection
Upload a CSV file

Related information

Add a Snowflake connection

Edit a Snowflake connection

Remap a Snowflake connection

Query external tables from your Snowflake connection

Delete a table from a Snowflake connection

Delete a table with dependent objects

Delete a Snowflake connection

Configure OAuth

Configure Azure AD OAuth

Best practices for Snowflake connections

Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Snowflake data warehouse

Enable a GCP Private Service Connect between ThoughtSpot Cloud and your Snowflake data warehouse

Connection reference for Snowflake

ThoughtSpot query tags in Snowflake

Passthrough functions for Snowflake

Column indexing with connections that use OAuth

Was this page helpful?Give us feedback!

ThoughtSpot is the Modern Analytics Cloud company. Our Live Analytics services deliver personalized, actionable insights at the point of impact for every user, at every level.

Product

By Role

By Department

Solutions

About Us

Connect

(800) 508-7008