Skip to main content
Reach out to Omni support to have database OAuth enabled.
By default, Omni queries your Snowflake database using a shared service account. With OAuth, each user authenticates with their own credentials, and Omni enforces that user’s Snowflake database-level permissions when they run queries. This lets you manage data access in Snowflake and have it filter down to Omni automatically.

OAuth types

Omni supports two OAuth modes for Snowflake. Both enforce per-user database permissions, but they differ in how users authenticate.
Before configuring OAuth, review the limitations that apply to both types.

Native OAuth

With native OAuth, users authenticate directly with Snowflake’s built-in OAuth server. When a user runs a query for the first time, they’re prompted to sign in with their Snowflake credentials. This is the simpler option — it doesn’t require an external identity provider and can be configured entirely between Omni and Snowflake.

Snowflake native OAuth

Set up native OAuth for Snowflake

External OAuth

With External OAuth, users authenticate through an external identity provider (IdP) such as Okta, Entra ID (Azure AD), or Ping Identity. The IdP issues a token that Snowflake trusts, so users sign in with their existing corporate identity rather than separate database credentials. This option is more complex to configure — it involves setup in the IdP, Snowflake, and Omni — but it centralizes authentication through the identity provider your organization already uses.

Snowflake + Okta External OAuth

Set up federated OAuth for Snowflake connections using Okta

Snowflake + Microsoft Entra ID External OAuth

Set up federated OAuth for Snowflake connections using Microsoft Entra ID (Azure AD)
Looking for another IdP? A guide for Ping Identity is coming soon.

Warehouse configuration

Omni’s Snowflake OAuth integration supports per-user warehouse routing through a user’s assign DEFAULT_WAREHOUSE. This is useful for organizations that manage role-to-warehouse mappings in Snowflake for per-user or per-team cost attribution. Instead of pinning all users to a single warehouse in Omni, each user’s queries route to their assigned warehouse based on their Snowflake configuration. Before implementing, note that:
  • Your users must have an assigned DEFAULT_WAREHOUSE in Snowflake to use this feature. Otherwise they’ll receive No active warehouse errors when they try to run queries in Omni.
  • Model-level compute_routing and warehouse_override settings take precedence over user default warehouses.
See the OAuth setup guides for more information.

Limitations

Before enabling OAuth for Snowflake, review the Limitations for OAuth. These limitations apply to both Native and External OAuth.