For authenticating Snowflake users directly through Snowflake, see Snowflake native OAuth.
Requirements
To follow the steps in this guide, you’ll need:- Permissions in Okta that allow you to create an app integration and authorization server
- In Omni:
- To have the OAuth database connection feature enabled
- Organization Admin permissions
- An existing Snowflake connection. Refer to Connecting a Snowflake database before continuing.
- In Snowflake:
ACCOUNTADMINorSECURITYADMINprivileges to create a security integration- A service account with access to all schemas and tables you want to use in Omni. This is required even when OAuth is enabled, because Omni uses the service account to build the model.
- To assign regular user roles to your Snowflake users. Snowflake blocks
ACCOUNTADMIN,ORGADMIN, andSECURITYADMINfrom external OAuth authentication by default.
Setup
Create an Okta application
- In the Okta admin console, navigate to Applications > Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
- Give it a descriptive name (e.g., Omni Snowflake External OAuth).
- Under Grant type, enable Refresh Token in addition to Authorization Code.
- In Sign-in redirect URIs, add the Omni callback:
https://callbacks.<your-omni-domain>/callback/oauthFor vanity-domain embeds: If you’re using OAuth with vanity-domain embeds, also addhttps://<your-vanity-domain>/oauth/callbackto Sign-in redirect URIs. Replace<your-vanity-domain>with your vanity domain (e.g.,omni.myapp.com). - Save the app.
- Copy the Client ID and Client Secret — you’ll need these in Omni.
Create a Snowflake security integration
Run this in Snowflake as
ACCOUNTADMIN or SECURITYADMIN, substituting values from your Okta metadata URI.User mapping: The
email_address value is used to map Okta users to Snowflake. Each user’s Okta email must exactly match the LOGIN_NAME or EMAIL on their Snowflake user record. Verify this before going live.Configure the connection in Omni
You must still configure a service account on this connection. Omni uses the service account to build the model, which provides the foundation for all user queries.
- In Omni, navigate to Settings > Connections and click on the Snowflake connection you want to use.
- Under Authentication type, select External OAuth User Authentication.
-
Fill in the fields as follows:
-
Authorization URL - Enter the
authorization_endpointfrom Okta metadata -
Token URL - Enter the
token_endpointfrom Okta metadata - OAuth Client ID - Enter the Client ID from your Okta app
- OAuth Client Secret - Enter the Client Secret from your Okta app
- Audience - Leave blank
-
Warehouse - Optional: Leave blank to use each user’s
DEFAULT_WAREHOUSEfrom Snowflake. This enables per-user warehouse routing for organizations using role-to-warehouse mappings in Snowflake for cost attribution. Users must have an assigned default warehouse to use this feature. Otherwise, users without a default warehouse will receive aNo active warehouseerror when they attempt to run queries in Omni.
-
Authorization URL - Enter the
- Save the connection.
Next steps
To ensure database permissions align with what users see in Omni, we recommend implementing:- Access grants to control which fields and tables are visible to each user in the model and field browser
- Content permissions to control which dashboards and documents users can access

