When you connect to your Snowflake data, you have three authentication options to choose from. In most cases, we recommend using OAuth. This option offers the best combination of functionality and security.
With OAuth, you can:
- Leverage an identity provider (IdP) to facilitate access.
- Configure it to provide a single sign-on (SSO) experience.
- Enforce multi-factor authentication (MFA).
OAuth 2.0 is an industry-standard protocol for authorization. It is configured at the browser level and displays a sign-in dialog in a browser window to the user.
Note: Be careful not to confuse this with Tableau’s SAML IdP authentication option in the connection dialog. You should connect using the Sign in using OAuth option.
When you use OAuth, a key consideration is maintaining access for content published to Tableau Server or Tableau Online. When Tableau content connects live to Snowflake via OAuth, owners must reauthenticate the workbook connection each time the access token expires (every 90 days by default).
See the Snowflake help topic, Configure Snowflake OAuth for Partner Applications, for details on setting the access token expiration limit. If you have a business need to extend this period to prevent errors on your Tableau content, contact Snowflake Support for assistance. If you do not manually refresh your content before this period ends, the Tableau workbook can return an error when it tries to load.
Configure OAuth between Snowflake and Tableau
In a connection between Tableau and Snowflake, each must have OAuth configured.
- Tableau: Tableau includes credentials for Snowflake to allow access. This happens automatically when you use the Snowflake connector in Tableau. No additional OAuth configuration is required in Tableau. For more information, see OAuth Connections in Tableau Help.
- Snowflake: In Snowflake, you will enable OAuth to grant access to Tableau. Follow the steps in this Snowflake help topic: Configure Snowflake OAuth for Partner Applications.
Note: Beginning with version 2020.4, your OAuth connection can use AWS PrivateLink or Azure Private Link. For more information, see Change Snowflake OAuth to Private Link with Saved Credentials.
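The Snowflake side of the configuration described above, as an added example that is not taken from this page or from the Snowflake help topic. The integration names, the user name and the extra blocked role are assumptions; the 90-day limit mentioned earlier corresponds to the OAUTH_REFRESH_TOKEN_VALIDITY value shown here.

```sql
-- Added example. tableau_desktop_oauth, tableau_server_oauth and analyst_user
-- are hypothetical names; blocking SYSADMIN is an assumed policy choice.
-- Run with ACCOUNTADMIN or a role that holds the CREATE INTEGRATION privilege.

-- One security integration per Tableau client type.
CREATE SECURITY INTEGRATION tableau_desktop_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000  -- seconds (90 days, the default)
  BLOCKED_ROLES_LIST = ('SYSADMIN');      -- roles that cannot be used over OAuth

-- Tableau Server and Tableau Online use the TABLEAU_SERVER client.
CREATE SECURITY INTEGRATION tableau_server_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- Confirm the effective settings, including the blocked roles and the
-- token validity period, before users start connecting.
DESCRIBE SECURITY INTEGRATION tableau_server_oauth;

-- Review which users have authorized Tableau through the integration.
SHOW DELEGATED AUTHORIZATIONS TO SECURITY INTEGRATION tableau_server_oauth;

-- Revoke one user's grant (for example, at offboarding); that user's
-- published content must be reauthenticated afterwards.
ALTER USER analyst_user
  REMOVE DELEGATED AUTHORIZATIONS FROM SECURITY INTEGRATION tableau_server_oauth;
```

Keeping privileged roles in the blocked list means a token issued to Tableau cannot be used to assume them, even when the signed-in user has been granted those roles.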
About using SSO with OAuth
Single Sign-On (SSO) adds another layer of security on top of OAuth authentication. A separate IdP configured for SSO manages authentication for all access activity across applications for your organization. All sign-in requests are routed to the SSO server, which displays a common sign-in dialog and checks the user’s credentials against a centralized database.
Tip: You can use saved credentials to avoid getting reprompted for your password. For more information, see Manage Saved Credentials for Data Connections.
Configure OAuth between Okta and Snowflake
Snowflake uses Okta as the default identity provider (IdP) that provides access tokens and authenticates identities. You’ll need to configure settings in Snowflake and Okta for OAuth and single sign-on (SSO) capabilities.
In Okta, you will define Okta as an OAuth authentication server and identify Snowflake as an OAuth resource. Follow the steps in this Snowflake help topic: Configuring an Identity Provider for Snowflake.
About using MFA with OAuth
Multi-factor authentication (MFA) introduces yet another layer of security. It requires two or more different methods of identification before the user can access a resource. Methods might include:
- A password
- A token from a second device
- Biometrics (fingerprint or eye scan, for example)
- Answer to a security question
You can optionally set up multi-factor authentication (MFA) with Okta or another IdP for your connections between Tableau and Snowflake. For more on configuring MFA with Okta, see Okta Help.
Other connection options
When you connect to Snowflake from Tableau Desktop, you have two other options:
The SAML IdP option works only if Okta is your identity provider and if MFA is disabled for users in Okta. The SAML IdP option supports SSO but does not support MFA. In this case, publishing with embedded credentials will use a specific user, but you can't employ per-user "viewer credentials" when you use Okta SAML.
Note: In the past, some customers have used the “external browser” option with SAML IdP as a workaround to achieve SSO between Tableau Desktop and Snowflake. It will not work for Tableau Server. We recommend that you use the OAuth connection instead.
The Username and Password option uses the password stored by Snowflake. This option requires users either to re-authenticate with their credentials whenever they connect to Snowflake or to embed these credentials.
Frequently asked questions
Why do my published Snowflake extracts fail after a period of time?
It may be that your OAuth access token has expired. You will need to manually re-authenticate to the data source to refresh the token. If you need to extend the lifetime of these tokens in the future, you can contact Snowflake Support.
How do I choose between "Prompt User" and "Embed Credentials" options when publishing a Snowflake data source?
If you would like any user accessing the data source to use their own credentials when connecting to the data source and associated content, use the Prompt User option. You can choose to embed credentials so everyone who accesses that data source uses those specific credentials. This method is functionally similar to using a "service account".
How do I leverage the row-level security that I've set up on Snowflake?
When users are prompted to enter their own credentials to access Snowflake from Tableau, those credentials map to the privileges they have in the Snowflake account.
OAuth Connections — Learn more about OAuth support with Tableau.
OAuth (Snowflake Help) — Learn about Snowflake with OAuth.
Summary of Security Features (Snowflake Help) — Find information about how Snowflake supports OAuth, SSO, and other security features.
Manage Your Account Settings — Read about how to create and revoke personal access tokens.