Configure Okta OAuth for a Snowflake connection
ThoughtSpot supports Okta OAuth for a Snowflake connection.
To configure Okta OAuth for Snowflake, you create an app in the Identity Provider and use the app’s credentials to register it in Snowflake as an external token provider. Once these steps are completed, Snowflake will allow connections issued by the IdP.
The steps provided here are an example of how you can configure Okta for external OAuth. You can use any OAuth flow provided that you can get the information required for the security integration. The following steps provide a guide for getting the information required to create the security integration for Snowflake. |
Be sure to consult your organization’s security policies for configuring an authorization server to make sure you meet all requirements. |
Part 1: Configuring the IdP with Okta
The following steps detail the configuration of IdP with Okta as an example. You can set up any other OpenID Connect (OIDC)-based IdP providers following a similar process. For details, refer to the respective documentation for those.
To configure the IdP with Okta, do the following:
-
Sign in to the Okta console with a user having administrator privileges. Navigate to the Applications page in the console and select Create App Integration.
-
For sign-in method, choose OIDC - OpenID Connect.
-
For application type, choose Web Application
-
Select Next.
-
Under Grant type, make sure Authorization Code and Refresh Token are selected.
-
For Sign-in redirect URIs, add the ThoughtSpot redirect URI for the application.
It should follow this format:
https://<your-thoughtspot-instance-host>/callosum/v1/connection/generateTokens
-
Assign the application to everyone in the organization or to specific groups. This step may vary for other IdPs.
-
Collect the client credentials from the application home page and make a note of them. These will be required later for adding the external token provider in Snowflake.
-
Go to
, and make a note of the value for Audience. This is required in a later step for configuring the OpenID well-known URI for the authorization server.For Okta, it should follow this format:
https://<organization>.okta..com/oauth2/<unique_id>/.well-known/oauth-authorization-server
-
Open the URL in a browser and make a note of the values for the following parameters:
-
Issuer
-
Authorization endpoint
-
JWKS URI
-
Token endpoint
-
Part 2: Create Snowflake scopes in Okta
To create scopes in Okta that correspond to your Snowflake database, do the following:
-
Navigate to
. -
Select the authorization server used by the client application created in the previous steps to add scopes.
-
Add snowflake roles in the format: session:role:<snowflake_db_role>.
The scope “role-any” has a special purpose. For details, see Using ANY Role with External OAuth in Snowflake’s documentation.
Part 3: Create security integration in Snowflake
-
Create a security integration in your Snowflake database using the following command:
create security integration external_oauth_okta_2 type = external_oauth enabled = true external_oauth_type = okta external_oauth_any_role_mode = 'ENABLE' external_oauth_issuer = '<OKTA_ISSUER>' external_oauth_jws_keys_url = '<OKTA_JWS_KEY_ENDPOINT>' external_oauth_audience_list = ('<SNOWFLAKE_AUDIENCE>') external_oauth_token_user_mapping_claim = 'sub' external_oauth_snowflake_user_mapping_attribute = 'login_name';
If you want to ensure your Okta OAuth configuration is correct for use with ThoughtSpot, you can validate it following procedures similar to those in Validating your Azure configuration. |
Related information
Delete a table with dependencies from a Snowflake connection
Partner Connect, with an accompanying Tutorial