Snowflake SCIM error "Invalid group membership value specified" - snowflake-cloud-data-platform

We were trying to sync an Active Directory group to Snowflake via the Okta SCIM integration and got the following error, wondering what causes it?
{"statusType":"BAD_REQUEST","entity":{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Invalid group membership value specified 45_1","status":400,"schemaTypeError":"invalidValue"},"entityType":"com.snowflake.security.scim.ScimErrorInfo","metadata":{"Content-Type":[{"type":"application","subtype":"json","parameters":{},"wildcardType":false,"wildcardSubtype":false}]},"status":400}

Found the solution for it. The user 45_1 was deleted on the Snowflake side; we had to remove and re-add them in the Okta app assignment, after which it synced fine to Snowflake and re-created the user.

Related

Azure AD user unable to connect to Azure SQL Error: 18456,State:1,Class:14

BACKGROUND
The user is defined in Azure AD and in Azure SQL.
test.user#company.com is defined and active in Azure AD. I’m able to log in with this user in Azure portal.
I have created a contained database user with the clause "from external provider" in the Azure SQL database and added the user to the db_datareader system role. The commands commit without error. I have compared the Asset ID in Azure AD and the SID in the database and they match. I have tried with different users.
I am able to log in as the AD user assigned to the SQL server's "Active Directory Admin".
SQL Server users also log in without any issue.
Login test in SSMS
I have set default database to the specific database I’m trying to log into (Options-Connect to database).
I have tried with different Authentication modes:
“Azure Active Directory – Universal with MFA” and
“Azure Active Directory – Password”
When I try to log in with SSMS I get
Error: 18456, state 1, class 14.
When I query [sys].[event_log] it returns
[event_systype]= 4, [event_subtype_desc] = login_failed_for_user.
PROCESS FOLLOWED
I have a user defined in Azure AD. (test.user#company.com)
In my Azure SQL database, I have set an Active Directory administrator.
I have created a user in SSMS test.user#company.com with the following syntax:
CREATE USER [test.user#company.com] FROM EXTERNAL PROVIDER;
I have assigned the user to the db_datareader role with the following syntax:
ALTER ROLE db_datareader ADD MEMBER [test.user#company.com]
ISSUE: When I try to connect as test.user#company.com, the connection fails and I get this error:
Login Failed for user test.user#company.com
Details of error contains:
Error Number: 18456, State: 1, Class: 14
I have tried to find an answer on learn.microsoft.com, googled my ass off and found some useful resources on this, but none that actually helps me with pinpointing what to do to resolve the issue. If anybody has an idea of what I'm doing wrong, ref "PROCESS FOLLOWED", I'd be forever grateful :)
I solved it by a workaround, setting up a new database.
I did not find the cause of the problem, but it must be related to database setup "DTU"-"Basic" or some setting that I have managed to set without remembering.
Anyways, my process works when I set up a new database with "DTU"-"Standard" Configuration.
It seems to be some kind of encoding problem. After almost giving up and using a different DB, I tried creating a new one, but without some special characters. And suddenly, it worked.
If you can't change your database's password, you can just edit the connection string in another editor and it works as well (Notepad, VS code, etc).

Possible to login to Snowflake using SSO without a user account or default role?

I'm working on improving the user experience for our org when logging into Snowflake. We have ADFS SSO enabled and are provisioning mapping users to roles using Azure AD. I had a colleague attempt to sign in with SSO who didn't have a user account created in Snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into Snowflake without being mapped to a default role, perhaps only having the PUBLIC role assigned, and without being synced with Azure AD?
If it is, I'd appreciate any pointers to documentation I can reference. The goal is to get all users that can SSO to be able to log in by default.
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error, it's not allowing users who don't have an appropriate role for the application.
In this case, why can't we create a generic stored procedure to assign a default role and instance to a new user based on the group they belong to? Each time we add a new user, we have to run the stored procedure to assign the default role and object prior to their login to Snowflake.

Snowflake is giving me the error "SAML response is invalid or matching user is not found. Contact your local system administrator"

I have an Azure Active Directory with SSO and provisioning enabled. Users from my company can SSO into Snowflake just fine, but when I invite a user from GMail or another domain into our AD they get the SAML error. The Snowflake AD app has provisioned the user to Snowflake correctly from what I can see.
How do I troubleshoot this?
Thanks,
Phil
#suzy_lockwood It was the NameID attribute giving me the problem. I linked it back to the Snowflake application in my Azure AD. The fix was to go to Manage > Single Sign-On > User Attributes and Claims. Under Required Claim I opened the claim "Unique User Identifier (Name ID)" and changed the source attribute from UPN to user.mail.
This error is due to being unable to identify the user. Please specify the complete name of the user while authenticating:
snowsql -a mytest.us-east-1 -u xyz#abc.com
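Added example, not code from either post or from Snowflake/Azure AD: a small Python check that reads the NameID out of a SAML assertion and reports whether it matches a provisioned Snowflake login name, which is the mismatch the Name ID claim change above resolves. The assertion fragments, the guest UPN value and the set of provisioned login names are constructed; the comparison assumes Snowflake login names are case-insensitive.

```python
"""Diagnose a SAML NameID that does not match a provisioned Snowflake user."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertions. A guest invited from GMail carries an Azure AD UPN of
# the form user_gmail.com#EXT#@tenant.onmicrosoft.com, while user.mail keeps
# the address the SCIM provisioning used as the Snowflake login name.
ASSERTION_UPN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>guest_gmail.com#EXT#@contoso.onmicrosoft.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

ASSERTION_MAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>guest@gmail.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed: login names as SCIM provisioning created them in Snowflake.
PROVISIONED_LOGIN_NAMES = {"PHIL@CONTOSO.COM", "GUEST@GMAIL.COM"}


def extract_name_id(assertion_xml: str) -> str:
    """Return the NameID text from a SAML 2.0 assertion, or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    return node.text.strip()


def matches_snowflake_user(name_id: str, provisioned: set) -> bool:
    """Snowflake login names are case-insensitive, so compare upper-cased."""
    return name_id.upper() in provisioned


def diagnose(assertion_xml: str, provisioned: set) -> str:
    """Explain whether this assertion would map to a provisioned user."""
    name_id = extract_name_id(assertion_xml)
    if matches_snowflake_user(name_id, provisioned):
        return f"ok: NameID {name_id} matches a provisioned user"
    if "#EXT#" in name_id:
        # Guest UPN sent as NameID: map the Name ID claim to user.mail instead.
        return f"mismatch: NameID {name_id} is a guest UPN; map the Name ID claim to user.mail"
    return f"mismatch: NameID {name_id} has no provisioned Snowflake user"


if __name__ == "__main__":
    for assertion in (ASSERTION_UPN, ASSERTION_MAIL):
        print(diagnose(assertion, PROVISIONED_LOGIN_NAMES))
```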

Azure AD Conditional Access Audit Log?

Looking for any documentation or reference for Azure AD Conditional Access Audit\Sign-In Logs. For example, I'd like to generate a report of all users who have been blocked due to a defined Conditional Access Policy.
It seems that events (such as blocking users through policy) do not appear in the Azure Active Directory Sign-In or Audit logs. Are these events recorded anywhere within OMS \ Azure Reporting?
If you go to Sign-ins logs, you can see a dropdown for Conditional Access where you can check if users are blocked.

I get the error "no mapping between user and security ids was done" when I try to deploy a cube

When I try to deploy my SQL Server Analysis Services project to the server, I get the error message No mapping between user and security ids was done. I don't get where this is coming from!
I've checked the user credentials on the Data Source. I've previously deployed projects to the same server with the same credentials with no problems.
When I google this problem, I get a lot of hits for things to do with Active Directory, but nothing that directly links to SSAS. Where does this error spring from?
This error occurs when there are users defined in a role that are either not known to the server (i.e. a local account on the machine the project was designed on) or no longer available in the Active Directory. To solve this:
Open the cube in BIDS / Visual Studio
Go to the Roles node in the Solution Explorer
Per role, go to the tab "memberships"
Per member defined, check to see if that member still exists in the AD.
In my experience, it's advisable not to use local users in Roles, nor personal accounts. Instead, grant the rights to a role to a group, then add and remove users to that group in the Active Directory as needed.
