I need help connecting Tableau to Snowflake using single sign-on. I don't have a personal account, I'm only open to using single sign-on. Can I get help achieving this? Do I have to be on the same database?
Tableau to Snowflake connection is achieved using the Snowflake OAuth mechanism. This involves setting up the OAuth security object on SF as detailed here: https://docs.snowflake.com/en/user-guide/oauth-partner.html#examples
Once this is done, you can then use OAuth + SAML SSO to authenticate users logging in from Tableau to SF as detailed here: https://help.tableau.com/current/pro/desktop/en-us/snowflake_oauth.htm
Related
Is it possible to add, for example, Azure AD B2C for a Snowflake reader account? There is no real documentation about it.
For the regular account you can do that, but for reader there is really no info about it.
The purpose of the Snowflake Reader account is to let a non-Snowflake customer consume the database shared by the Provider.
Operations such as Okta SSO configuration are the same as for a regular account.
Interesting question! I did set up Okta on the reader accounts and can confirm it works! The steps are exactly the same as a normal account.
Everything in the Snowflake setup needs to be done by the consumer account admin role (the reader account owner).
I would like to test my SCIM integration with Azure Active Directory.
I created provisioning in Databricks, but the list of attributes is missing email.
How do I add it?
Update after the answer was accepted: I was trying to use Databricks in order to test my SCIM implementation for Azure. The right way is to create an app, edit the mappings according to the needs and submit the app to Azure AD.
Your question is unclear. How are you trying to provision from Azure AD to Databricks? You should be adding the Databricks Enterprise App from the gallery (see documentation for exact steps). The gallery app has the mappings preconfigured in a way tailored to Databricks - specifically, it's set to not attempt updates on userName or email attributes as both are immutable in the Databricks system.
I am currently trying to make Snowflake PowerBI integration via Azure AD SSO work.
What I have done so far:
Followed the Tutorial to create the Azure AD Enterprise Application:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/snowflake-tutorial#adding-snowflake-from-the-gallery
Asked one of my colleagues to enable Snowflake SSO in our PowerBI Tenant:
https://learn.microsoft.com/en-us/power-bi/connect-data/service-connect-snowflake
Created the security integration as described here:
https://docs.snowflake.com/en/user-guide/oauth-powerbi.html
After running this query:
create security integration powerbi
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<AZURE_AD_ISSUER>'
external_oauth_jws_keys_url = 'https://login.windows.net/common/discovery/keys'
external_oauth_audience_list = ('https://analysis.windows.net/powerbi/connector/Snowflake')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name';
Everything works like a charm for a few minutes. However, after some minutes, when refreshing or re-opening a PowerBI project I get:
ODBC: ERROR [28000] Invalid OAuth access token.
When re-running the above SQL to generate the security integration it works again for a few minutes.
Any ideas on what might be going on or how to investigate the issue further?
Thank you for your thoughts
This value needs to be set:
external_oauth_issuer = '<AZURE_AD_ISSUER>'
In general, we have some documentation on error messages with PowerBI OAuth which may be helpful:
https://docs.snowflake.com/en/user-guide/oauth-powerbi.html#error-messages
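An added diagnostic example for the "Invalid OAuth access token" thread above (not code from the original posts or from Snowflake's documentation): it decodes the claims of an access token and compares them with the `external_oauth_*` settings of the integration, flagging an issuer that was left as the template placeholder. The issuer value, the sample token and the function names are constructed for illustration, and the exact-match issuer comparison is an assumption.

```python
import base64
import json
import time

# Values mirrored from the security integration in the question. The issuer is a
# constructed placeholder; the page never shows a real tenant value.
INTEGRATION = {
    "issuer": "https://sts.example.invalid/TENANT-ID-PLACEHOLDER/",
    "audiences": ["https://analysis.windows.net/powerbi/connector/Snowflake"],
    "user_claim": "upn",
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the payload segment only. No signature check: diagnostics, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, cfg, now=None):
    """Return the mismatches between the token's claims and the integration settings."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if not cfg["issuer"] or "<" in cfg["issuer"]:
        problems.append("external_oauth_issuer is still a template placeholder")
    elif claims.get("iss") != cfg["issuer"]:  # exact string match is an assumption
        problems.append(f"iss {claims.get('iss')!r} != external_oauth_issuer")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if not set(aud_values) & set(cfg["audiences"]):
        problems.append(f"aud {aud!r} not in external_oauth_audience_list")
    if not claims.get(cfg["user_claim"]):
        problems.append(f"claim {cfg['user_claim']!r} missing, no user can be mapped")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp is in the past)")
    return problems

def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demo."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"
```

An empty list from `check_token` means the decoded claims agree with the settings passed in; it says nothing about the signature, which only Snowflake validates against the JWS keys URL.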
They are trying to migrate an Oracle database into Snowflake. They are going to convert all existing Oracle accounts to Snowflake accounts. Now, if AD LDAP logon is enabled, do new users only have to be created on the LDAP end, and will those be able to be tagged to accounts while connecting to Snowflake? Say there are currently 10 Oracle accounts which were converted into 10 Snowflake accounts. If LDAP is enabled, can multiple employee IDs be added to use one of the 10 Snowflake accounts by creating an LDAP account?
Sorry if I sound dumb. I am not too experienced in LDAP/AD/admin work.
You usually have one Azure AD and need to configure every Snowflake account to use it.
Which employee can access which Snowflake account is controlled on the Snowflake side, where you need to create a database user.
Say "Martina" needs access to Snowflake Account A and B. You need her in the Azure AD, as well as create her user in Account A and B.
You can find more details on how to do this here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-snowflake.html
I built a community connector that uses a service account to access the BigQuery service and it works fine. However, when I was looking at Service.getEffectiveUser() I noticed that this always resolved to my user even when accessing the published report without any session. When I set the "Data credentials" from "Owner" to "Viewer" it asks to log in. However, I plan to use a separate token-based authentication by passing the token in the connector URL parameter. So, is there a way to execute the community connector script without setting Data credentials to Owner or Viewer? Note that I already return AuthTypes.NONE for getAuthType.
Note that this community connector will not be published and will only be used for a SaaS application where the report will be embedded and accessible to the users of the SaaS application.