Configure Okta OAuth for a Snowflake connection

ThoughtSpot supports Okta OAuth for a Snowflake connection.

To configure Okta OAuth for Snowflake, you create an app in the Identity Provider and use the app’s credentials to register it in Snowflake as an external token provider. Once these steps are completed, Snowflake will allow connections issued by the IdP.

The steps provided here are an example of how you can configure Okta for external OAuth. You can use any OAuth flow provided that you can get the information required for the security integration. The following steps provide a guide for getting the information required to create the security integration for Snowflake.
Be sure to consult your organization’s security policies for configuring an authorization server to make sure you meet all requirements.

Part 1: Configuring the IdP with Okta

The following steps detail the configuration of IdP with Okta as an example. You can set up any other OpenID Connect (OIDC)-based IdP providers following a similar process. For details, refer to the respective documentation for those.

To configure the IdP with Okta, do the following:

  1. Sign in to the Okta console with a user having administrator privileges. Navigate to the Applications page in the console and select Create App Integration.

    Select Applications > Create App Integration
  2. For sign-in method, choose OIDC - OpenID Connect.

  3. For application type, choose Web Application

  4. Select Next.

  5. Under Grant type, make sure Authorization Code and Refresh Token are selected.

    Select Authorization Code and Refresh Token
  6. For Sign-in redirect URIs, add the ThoughtSpot redirect URI for the application.

    It should follow this format:

    https://<your-thoughtspot-instance-host>/callosum/v1/connection/generateTokens

    Add the ThoughtSpot redirect URI
  7. Assign the application to everyone in the organization or to specific groups. This step may vary for other IdPs.

    Assign the application as necessary
  8. Collect the client credentials from the application home page and make a note of them. These will be required later for adding the external token provider in Snowflake.

    Make a note of the client credentials in the application home page
  9. Go to Security  API, and make a note of the value for Audience. This is required in a later step for configuring the OpenID well-known URI for the authorization server.

    Make a note of the value for Audience

    For Okta, it should follow this format:

    https://<organization>.okta..com/oauth2/<unique_id>/.well-known/oauth-authorization-server

  10. Open the URL in a browser and make a note of the values for the following parameters:

    • Issuer

    • Authorization endpoint

    • JWKS URI

    • Token endpoint

Part 2: Create Snowflake scopes in Okta

To create scopes in Okta that correspond to your Snowflake database, do the following:

  1. Navigate to Security  API.

    Select Security > API
  2. Select the authorization server used by the client application created in the previous steps to add scopes.

  3. Add snowflake roles in the format: session:role:<snowflake_db_role>.

    Add scopes
    The scope “role-any” has a special purpose. For details, see Using ANY Role with External OAuth in Snowflake’s documentation.

Part 3: Create security integration in Snowflake

  • Create a security integration in your Snowflake database using the following command:

    create security integration external_oauth_okta_2
        type = external_oauth
        enabled = true
        external_oauth_type = okta
        external_oauth_any_role_mode = 'ENABLE'
        external_oauth_issuer = '<OKTA_ISSUER>'
        external_oauth_jws_keys_url = '<OKTA_JWS_KEY_ENDPOINT>'
        external_oauth_audience_list = ('<SNOWFLAKE_AUDIENCE>')
        external_oauth_token_user_mapping_claim = 'sub'
        external_oauth_snowflake_user_mapping_attribute = 'login_name';
If you want to ensure your Okta OAuth configuration is correct for use with ThoughtSpot, you can validate it following procedures similar to those in Validating your Azure configuration.