For authenticating Snowflake users directly through Snowflake, see Snowflake native OAuth.
Snowflake External OAuth allows each Omni user to authenticate to Snowflake using their own identity through an external identity provider instead of Snowflake’s built-in OAuth server. Each user’s queries run under their own Snowflake role and session, so Snowflake’s row-level security and role restrictions apply automatically.
Looking for another IdP? Guides for Microsoft Entra ID (Azure AD) and Ping Identity are coming soon.

Requirements

To follow the steps in this guide, you’ll need:
  • Permissions in Okta that allow you to create an app integration and authorization server
  • In Omni:
    • To have the OAuth database connection feature enabled
    • Organization Admin permissions
    • An existing Snowflake connection. Refer to Connecting a Snowflake database before continuing.
  • In Snowflake:
    • ACCOUNTADMIN or SECURITYADMIN privileges to create a security integration
    • A service account with access to all schemas and tables you want to use in Omni. This is required even when OAuth is enabled, because Omni uses the service account to build the model.
    • To assign regular user roles to your Snowflake users. Snowflake blocks ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN from external OAuth authentication by default.
Before continuing, review the OAuth limitations.

Setup

Step 1: Create an Okta application

  1. In the Okta admin console, navigate to Applications > Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
  4. Give it a descriptive name (e.g., Omni Snowflake External OAuth).
  5. Under Grant type, enable Refresh Token in addition to Authorization Code.
  6. Add the Omni redirect URI to Sign-in redirect URIs: https://callbacks.<your-omni-domain>/callback/oauth
  7. Save the app.
  8. Copy the Client ID and Client Secret — you’ll need these in Omni.
Step 2: Create an Okta authorization server

  1. In Okta, navigate to Security > API and click Add Authorization Server.
  2. Set the Audience to your Snowflake account URL (e.g., https://<account>.snowflakecomputing.com).
  3. Open the server’s Metadata URI and note the following values — you’ll need them for both Snowflake and Omni:
    • Issuer (issuer)
    • Authorization endpoint (authorization_endpoint)
    • Token endpoint (token_endpoint)
    • JWK Set URI (jwks_uri)
  4. Add a Scope named session:role-any. This allows the token to work with any role the user holds in Snowflake.
  5. Under Access Policies, create a policy that assigns your app to this authorization server.
  6. Add a rule with appropriate token lifetimes — Okta’s defaults (1-hour access token, 90-day refresh token) are reasonable starting points.
Step 3: Create a Snowflake security integration

Run this in Snowflake as ACCOUNTADMIN or SECURITYADMIN, substituting values from your Okta metadata URI.
User mapping: The email_address value is used to map Okta users to Snowflake. Each user’s Okta email must exactly match the LOGIN_NAME or EMAIL on their Snowflake user record. Verify this before going live.
CREATE SECURITY INTEGRATION omni_external_oauth
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = OKTA
  -- issuer and jwks_uri are taken from the Okta authorization server metadata URI
  EXTERNAL_OAUTH_ISSUER = '<issuer from Okta metadata>'
  EXTERNAL_OAUTH_JWS_KEYS_URL = '<jwks_uri from Okta metadata>'
  -- must match the Audience configured on the Okta authorization server
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('<your Snowflake account URL>')
  -- the token's sub claim is mapped to a Snowflake user by email address (see the user mapping note above)
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'email_address'
  -- lets the session use any role the user holds; pairs with the session:role-any scope
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
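The integration above only accepts a token whose issuer, audience, mapping claim and scope line up with what Okta actually mints. The following Python script is an added example (not part of this guide, nor Omni's or Snowflake's code) that decodes an access token's claims locally, without verifying the signature (Snowflake does that against jwks_uri), and reports every claim that would fail the integration's checks. The INTEGRATION values are placeholders mirroring the parameters in the SQL above; the sample token is constructed inline for illustration and is not a valid credential for any server.

```python
import base64
import json
import time

# Placeholders mirroring the security integration parameters above.
# Substitute the issuer and audience from your own Okta metadata and account URL.
INTEGRATION = {
    "issuer": "https://<okta-domain>/oauth2/<auth-server-id>",
    "audience_list": ["https://<account>.snowflakecomputing.com"],
    "user_mapping_claim": "sub",           # EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM
    "required_scope": "session:role-any",  # scope added on the Okta authorization server
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not checked here: Snowflake verifies it against
    EXTERNAL_OAUTH_JWS_KEYS_URL. This helper only exposes the claims so a
    misconfigured issuer, audience or scope can be spotted before users hit it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, integration: dict, now=None) -> list:
    """List every way the claims would fail the security integration's checks."""
    now = time.time() if now is None else now
    problems = []

    # EXTERNAL_OAUTH_ISSUER must equal the iss claim exactly.
    if claims.get("iss") != integration["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != EXTERNAL_OAUTH_ISSUER")

    # aud may be a string or a list; at least one entry must be in the audience list.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not any(a in integration["audience_list"] for a in aud):
        problems.append(f"aud {aud!r} not in EXTERNAL_OAUTH_AUDIENCE_LIST")

    # The mapping claim must be present, or Snowflake cannot resolve a user.
    if not claims.get(integration["user_mapping_claim"]):
        problems.append(f"missing mapping claim {integration['user_mapping_claim']!r}")

    # Okta carries granted scopes in the scp claim (list or space-separated string).
    scopes = claims.get("scp", [])
    scopes = scopes.split() if isinstance(scopes, str) else list(scopes)
    if integration["required_scope"] not in scopes:
        problems.append(f"scope {integration['required_scope']!r} not granted")

    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def unsigned_token_fixture(claims: dict) -> str:
    """Build a compact JWT with an empty signature, for local testing only (constructed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claims for a user whose Okta login is their email address.
    sample = {
        "iss": INTEGRATION["issuer"],
        "aud": INTEGRATION["audience_list"][0],
        "sub": "jane.doe@example.com",
        "scp": ["openid", "session:role-any"],
        "exp": int(time.time()) + 3600,
    }
    print(check_token(decode_claims(unsigned_token_fixture(sample)), INTEGRATION))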
Step 4: Configure the connection in Omni

You must still configure a service account on this connection. Omni uses the service account to build the model, which provides the foundation for all user queries.
This guide assumes you have an existing Snowflake connection in Omni. If you don’t, refer to Connecting a Snowflake database for more information.
  1. In Omni, navigate to Settings > Connections and click on the Snowflake connection you want to use.
  2. Under Authentication type, select External OAuth User Authentication.
  3. Fill in the fields as follows:
    • Authorization URL: authorization_endpoint from Okta metadata
    • Token URL: token_endpoint from Okta metadata
    • OAuth Client ID: Client ID from your Okta app
    • OAuth Client Secret: Client Secret from your Okta app
    • Audience: leave blank
  4. Save the connection.
Step 5: Verify the user experience

After saving, each Omni user who wants to query this connection will need to authorize once through the OAuth flow. They’ll be redirected to Okta to sign in, then redirected back to Omni. After that, Omni will automatically refresh their token in the background.

Troubleshooting

Double-check that each user’s Okta email matches their Snowflake LOGIN_NAME or EMAIL exactly (case-sensitive). Mismatches are the most common cause of auth failures.
If users experience frequent re-authentication prompts, verify that:
  • The refresh token lifetime in Okta is sufficient (90 days is recommended)
  • The Snowflake security integration is correctly configured with the IdP’s token endpoint
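Because an email mismatch is the most common failure, it is worth reconciling the two user lists before go-live rather than waiting for the first failed login. The Python script below is an added example (not part of this guide, nor Omni's or Snowflake's tooling) that compares each Okta user's email against the LOGIN_NAME and EMAIL of every Snowflake user, exactly as the integration does, and separately flags the near-misses that differ only in case or surrounding whitespace, since those still fail but are easy to fix. Both user lists are constructed sample data standing in for an Okta user export and the output of SHOW USERS in Snowflake.

```python
# Constructed sample data: stand-ins for an Okta user export and for the
# NAME / LOGIN_NAME / EMAIL columns of SHOW USERS in Snowflake.
OKTA_USERS = [
    {"login": "jane.doe@example.com", "email": "jane.doe@example.com"},
    {"login": "Bob.Smith@example.com", "email": "Bob.Smith@example.com"},
    {"login": "carol@example.com", "email": "carol@example.com"},
    {"login": "dave@example.com", "email": " dave@example.com "},
]
SNOWFLAKE_USERS = [
    {"name": "JANE_DOE", "login_name": "jane.doe@example.com", "email": "jane.doe@example.com"},
    {"name": "BOB_SMITH", "login_name": "bob.smith@example.com", "email": "bob.smith@example.com"},
    {"name": "DAVE", "login_name": "DAVE", "email": "dave@example.com"},
    {"name": "OMNI_SVC", "login_name": "OMNI_SVC", "email": ""},  # service account, no email
]


def reconcile(okta_users, snowflake_users):
    """Classify each Okta email as an exact match, a case/whitespace near-miss, or unmatched.

    Exact matching mirrors what the security integration requires; the near-miss
    bucket exists only to point an admin at records that need correcting.
    """
    # Index every LOGIN_NAME and EMAIL value to the Snowflake user that owns it.
    exact = {}
    for user in snowflake_users:
        for key in (user.get("login_name"), user.get("email")):
            if key:
                exact.setdefault(key, user["name"])
    # Second index with case and whitespace folded, used only for diagnostics.
    folded = {key.strip().lower(): name for key, name in exact.items()}

    report = {"ok": [], "case_or_whitespace_mismatch": [], "unmatched": []}
    for user in okta_users:
        email = user["email"]
        if email in exact:
            report["ok"].append((email, exact[email]))
        elif email.strip().lower() in folded:
            report["case_or_whitespace_mismatch"].append((email, folded[email.strip().lower()]))
        else:
            report["unmatched"].append(email)
    return report


if __name__ == "__main__":
    for bucket, entries in reconcile(OKTA_USERS, SNOWFLAKE_USERS).items():
        print(f"{bucket}: {entries}")
```

Run it against a real export and fix everything in the second and third buckets before enabling the connection; the first bucket is the set of users who will be able to sign in.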

Next steps

To ensure database permissions align with what users see in Omni, we recommend implementing:
  • Access grants to control which fields and tables are visible to each user in the model and field browser
  • Content permissions to control which dashboards and documents users can access