> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omni.co/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.omni.co/feedback

```json
{
  "path": "/connect-data/oauth/snowflake/external-okta",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Configuring Snowflake External OAuth with Okta

> Configure Snowflake External OAuth to authenticate users through Okta.

<Note>
  For authenticating Snowflake users directly through Snowflake, see [Snowflake native OAuth](/connect-data/oauth/snowflake/native).
</Note>

[Snowflake External OAuth](https://docs.snowflake.com/en/user-guide/oauth-ext-overview) allows each Omni user to authenticate to Snowflake using their own identity through an external identity provider instead of Snowflake's built-in OAuth server. Each user's queries run under their own Snowflake role and session, so Snowflake's row-level security and role restrictions apply automatically.

**Looking for another IdP?** Guides for Microsoft Entra ID (Azure AD) and Ping Identity are coming soon.

## Requirements

To follow the steps in this guide, you'll need:

* **Permissions in Okta** that allow you to create an app integration and authorization server
* **In Omni**:
  * To have the **OAuth database connection** feature enabled
  * **Organization Admin** permissions
  * **An existing Snowflake connection.** Refer to [Connecting a Snowflake database](/connect-data/setup/snowflake) before continuing.
* **In Snowflake**:
  * **`ACCOUNTADMIN`** (or a role granted the global `CREATE INTEGRATION` privilege) to create the security integration
  * **A service account** with access to all schemas and tables you want to use in Omni. This is required even when OAuth is enabled, because Omni uses the service account to build the model.
  * **To assign regular user roles to your Snowflake users.** Snowflake blocks `ACCOUNTADMIN`, `ORGADMIN`, and `SECURITYADMIN` from external OAuth authentication by default (the `EXTERNAL_OAUTH_BLOCKED_ROLES_LIST` of the security integration), so a user whose only usable role is one of these cannot query through this connection.

<Warning>
  Before continuing, review the [OAuth limitations](/connect-data/oauth#limitations).
</Warning>

## Setup

<Steps>
  <Step title="Create an Okta application" titleSize="h3">
    1. In the Okta admin console, navigate to **Applications > Applications**.
    2. Click **Create App Integration**.
    3. Select **OIDC - OpenID Connect** as the sign-in method and **Web Application** as the application type.
    4. Give it a descriptive name (e.g., *Omni Snowflake External OAuth*).
    5. Under **Grant type**, enable **Refresh Token** in addition to **Authorization Code**.
    6. Add the Omni redirect URI to **Sign-in redirect URIs**: `https://callbacks.<your-omni-domain>/callback/oauth`
    7. Save the app.
    8. Copy the **Client ID** and **Client Secret** — you'll need these in Omni.
  </Step>

  <Step title="Create an Okta authorization server" titleSize="h3">
    1. In Okta, navigate to **Security > API** and click **Add Authorization Server**.
    2. Set the **Audience** to your Snowflake account URL (e.g., `https://<account>.snowflakecomputing.com`).
    3. Open the server's **Metadata URI** and note the following values — you'll need them for both Snowflake and Omni:
       * **Issuer** (`issuer`)
       * **Authorization endpoint** (`authorization_endpoint`)
       * **Token endpoint** (`token_endpoint`)
       * **JWK Set URI** (`jwks_uri`)
    4. Add a **Scope** named `SESSION:ROLE-ANY`. This lets a token be used with any role the user holds in Snowflake. It only takes effect because the Snowflake security integration created in the next step sets `EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'`; keep the two settings in sync.
    5. Under **Access Policies**, create a policy that assigns your app to this authorization server.
    6. Add a rule that sets the token lifetimes. A 1-hour access token and a 90-day refresh token are reasonable starting points: the access-token lifetime bounds how long a leaked token can be replayed against Snowflake, while the refresh token is the long-lived credential Omni stores to renew sessions without prompting the user, so set it no longer than your re-authentication policy allows.
  </Step>

  <Step title="Create a Snowflake security integration" titleSize="h3">
    Run this in Snowflake as `ACCOUNTADMIN` (or a role granted the global `CREATE INTEGRATION` privilege), substituting the values you noted from the Okta metadata URI.

    <Note>
      **User mapping**: Snowflake reads the claim named in `EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM` (`sub`, which Okta populates with the user's login, normally their email address) and, because the mapping attribute is `email_address`, looks for the Snowflake user whose `EMAIL` equals that value. If you set the attribute to `login_name` instead, the value is matched against `LOGIN_NAME`. Each Okta login must match exactly one Snowflake user on the chosen attribute. Verify this before going live.
    </Note>

    ```sql theme={null}
    CREATE SECURITY INTEGRATION omni_external_oauth
      TYPE = EXTERNAL_OAUTH
      ENABLED = TRUE
      EXTERNAL_OAUTH_TYPE = OKTA
      -- issuer and jwks_uri from the Okta authorization server's metadata URI;
      -- Snowflake uses them to verify each token's signature and iss claim
      EXTERNAL_OAUTH_ISSUER = '<issuer from Okta metadata>'
      EXTERNAL_OAUTH_JWS_KEYS_URL = '<jwks_uri from Okta metadata>'
      -- must equal the Audience you set on the Okta authorization server
      EXTERNAL_OAUTH_AUDIENCE_LIST = ('<your Snowflake account URL>')
      -- the sub claim is matched against each user's EMAIL ('login_name' would match LOGIN_NAME)
      EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
      EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'email_address'
      -- pairs with the SESSION:ROLE-ANY scope defined in Okta
      EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
    ```
  </Step>

  <Step title="Configure the connection in Omni" titleSize="h3">
    <Note>
      You must still configure a service account on this connection. Omni uses the service account to build the model, which provides the foundation for all user queries.
    </Note>

    This guide assumes you have an existing Snowflake connection in Omni. If you don't, refer to [Connecting a Snowflake database](/connect-data/setup/snowflake) for more information.

    1. In Omni, navigate to **Settings > Connections** and click on the Snowflake connection you want to use.

    2. Under **Authentication type**, select **External OAuth User Authentication**.

    3. Fill in the fields as follows:

       | Field               | Value                                       |
       | ------------------- | ------------------------------------------- |
       | Authorization URL   | `authorization_endpoint` from Okta metadata |
       | Token URL           | `token_endpoint` from Okta metadata         |
       | OAuth Client ID     | Client ID from your Okta app                |
       | OAuth Client Secret | Client Secret from your Okta app            |
       | Audience            | Leave blank                                 |

    4. Save the connection.
  </Step>

  <Step title="Verify the user experience" titleSize="h3">
    After saving, each Omni user who wants to query this connection will need to authorize once through the OAuth flow. They'll be redirected to Okta to sign in, then redirected back to Omni. After that, Omni will automatically refresh their token in the background.
  </Step>
</Steps>
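The script below is an added example, not Omni's or Snowflake's code. It ties the authorization-server and security-integration steps together and pre-checks the user mapping that the Troubleshooting section says fails most often: it renders the `CREATE SECURITY INTEGRATION` statement from the metadata values, decodes an Okta access token's payload (without verifying it), and reports every claim that Snowflake would reject against those settings or that maps to zero or more than one Snowflake user. The Okta tenant and authorization server ID, the Snowflake account URL, the token and the user list are all constructed samples.

```python
"""Preflight check for the Okta -> Snowflake External OAuth setup above.

Added example (not Omni's or Snowflake's code). Every input below (metadata,
token, user list) is a constructed sample, not real tenant data.
"""
import base64
import json
import time

# Constructed sample of the fields this guide takes from the Okta
# authorization server's metadata URI (hypothetical tenant and server ID).
OKTA_METADATA = {
    "issuer": "https://example.okta.com/oauth2/aus1example",
    "authorization_endpoint": "https://example.okta.com/oauth2/aus1example/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/aus1example/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/aus1example/v1/keys",
}
SNOWFLAKE_ACCOUNT_URL = "https://myorg-myaccount.snowflakecomputing.com"  # hypothetical
MAPPING_ATTRIBUTE = "email_address"  # matches EMAIL; 'login_name' would match LOGIN_NAME


def render_integration(metadata, audience, name="omni_external_oauth",
                       mapping_attribute=MAPPING_ATTRIBUTE):
    """Build the security-integration statement from the Okta metadata values."""
    # Plain formatting is fine: every value comes from the admin's own metadata.
    return (
        f"CREATE SECURITY INTEGRATION {name}\n"
        "  TYPE = EXTERNAL_OAUTH\n"
        "  ENABLED = TRUE\n"
        "  EXTERNAL_OAUTH_TYPE = OKTA\n"
        f"  EXTERNAL_OAUTH_ISSUER = '{metadata['issuer']}'\n"
        f"  EXTERNAL_OAUTH_JWS_KEYS_URL = '{metadata['jwks_uri']}'\n"
        f"  EXTERNAL_OAUTH_AUDIENCE_LIST = ('{audience}')\n"
        "  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'\n"
        f"  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = '{mapping_attribute}'\n"
        "  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';"
    )


def decode_jwt_payload(token):
    """Return a JWT's payload WITHOUT verifying the signature (Snowflake does
    that via the JWKS URL); this is for inspection only, never authentication."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims, metadata, audience, snowflake_users,
                mapping_attribute=MAPPING_ATTRIBUTE, now=None):
    """Return the problems Snowflake would hit with these claims (empty list = OK)."""
    problems = []
    now = time.time() if now is None else now
    if claims.get("iss") != metadata["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != EXTERNAL_OAUTH_ISSUER {metadata['issuer']!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        problems.append(f"aud {aud!r} lacks EXTERNAL_OAUTH_AUDIENCE_LIST entry {audience!r}")
    scopes = claims.get("scp", [])
    # Scope from the Okta step, compared case-insensitively; a specific
    # session:role:<ROLE> scope is also acceptable to Snowflake.
    if not any(s.lower() == "session:role-any" or s.lower().startswith("session:role:")
               for s in scopes):
        problems.append(f"scp {scopes!r} has no session:role-any or session:role:<role> scope")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; Omni should have refreshed it with the refresh token")
    # User mapping: sub must match exactly one user on the chosen attribute.
    sub = claims.get("sub")
    column = "email" if mapping_attribute == "email_address" else "login_name"
    exact = [u["name"] for u in snowflake_users if u.get(column) == sub]
    if len(exact) != 1:
        loose = [u["name"] for u in snowflake_users
                 if (u.get(column) or "").lower() == (sub or "").lower()]
        hint = f" (case-only mismatch with {loose})" if loose and not exact else ""
        problems.append(f"sub {sub!r} matches {len(exact)} Snowflake users on {column.upper()}{hint}")
    return problems


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned token shaped like an Okta access token; only the payload
# matters here. Paste a real access token in its place to check a live setup.
SAMPLE_CLAIMS = {
    "iss": OKTA_METADATA["issuer"],
    "aud": SNOWFLAKE_ACCOUNT_URL,
    "sub": "ada@example.com",
    "scp": ["SESSION:ROLE-ANY", "offline_access"],
    "exp": 4102444800,  # 2100-01-01, so the sample never expires
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "demo"}), _b64url(SAMPLE_CLAIMS), "sig"])

# Constructed sample of SHOW USERS output (name, login_name, email columns).
SNOWFLAKE_USERS = [
    {"name": "ADA", "login_name": "ADA", "email": "ada@example.com"},
    {"name": "GRACE", "login_name": "GRACE", "email": "Grace@example.com"},  # case differs from Okta
    {"name": "OMNI_SVC", "login_name": "OMNI_SVC", "email": None},  # service account, no email
]

if __name__ == "__main__":
    print(render_integration(OKTA_METADATA, SNOWFLAKE_ACCOUNT_URL))
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(check_token(claims, OKTA_METADATA, SNOWFLAKE_ACCOUNT_URL, SNOWFLAKE_USERS) or "token maps cleanly")
    print(check_token({**claims, "sub": "grace@example.com"}, OKTA_METADATA, SNOWFLAKE_ACCOUNT_URL, SNOWFLAKE_USERS))
```

To run it against a live setup, replace `SAMPLE_TOKEN` with an access token obtained from the Okta token endpoint for a test user and `SNOWFLAKE_USERS` with the rows from `SHOW USERS`. The authoritative server-side check is still Snowflake's own `SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<access token>')`, which also verifies the signature against the JWKS URL; this script only catches configuration and mapping mistakes before you get there.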

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication failures">
    Double-check that the value in each user's token `sub` claim (their Okta login, normally their email) matches the `EMAIL` on their Snowflake user record exactly (case-sensitive), or `LOGIN_NAME` if you set `EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'`. Mismatches, and Snowflake users with no email set, are the most common cause of auth failures.
  </Accordion>

  <Accordion title="Token expiration issues">
    If users experience frequent re-authentication prompts, verify that:

    * The refresh token lifetime in Okta is long enough (this guide uses 90 days); once it lapses or is revoked, Omni cannot refresh silently and the user must authorize again
    * The `EXTERNAL_OAUTH_ISSUER` and `EXTERNAL_OAUTH_JWS_KEYS_URL` on the Snowflake security integration still match the Okta authorization server's metadata, since a freshly refreshed token fails validation if either is wrong; the token endpoint itself is configured in Omni, not in Snowflake, and Omni uses it to refresh tokens in the background
  </Accordion>
</AccordionGroup>

## Next steps

To ensure database permissions align with what users see in Omni, we recommend implementing:

* [**Access grants**](/modeling/models/access-grants) to control which fields and tables are visible to each user in the model and field browser
* [**Content permissions**](/administration/users/permissions) to control which dashboards and documents users can access
