Configure OAuth for Snowflake Connections

When you connect to your Snowflake data, you have three authentication options to choose from. In most cases, we recommend using OAuth. This option offers the best combination of functionality and security.

With OAuth, you can:

  • Leverage an identity provider (IdP) to facilitate access.
  • Configure it to provide a single sign-on (SSO) experience.
  • Enforce multi-factor authentication (MFA).

OAuth 2.0 is an industry-standard protocol for authorization. The sign-in flow runs in the browser: Tableau opens a browser window that displays the identity provider's sign-in dialog to the user, so Tableau itself never handles the user's password.

Note: Be careful not to confuse this with Tableau’s SAML IdP authentication option in the connection dialog. You should connect using the Sign in using OAuth option.

When you use OAuth, a key consideration is maintaining access for content published to Tableau Server or Tableau Online. When Tableau content connects live to Snowflake via OAuth, owners must reauthenticate the workbook connection each time the access token expires (every 90 days by default).

See the Snowflake help topic, Configure Snowflake OAuth for Partner Applications, for details on setting the access token expiration limit. If you have a business need to extend this period to prevent errors on your Tableau content, contact Snowflake Support for assistance. If you do not manually refresh your content before the token expires, the Tableau workbook will fail with an error when it tries to load.
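The expiration period described above is a property of the Snowflake-side security integration for the partner application. The following is an added example (not from this page or from Tableau's documentation) written in Snowflake SQL; it assumes Snowflake's documented CREATE SECURITY INTEGRATION syntax for TYPE = OAUTH, and the integration name tableau_server_oauth is hypothetical.

```sql
-- Added example: partner-application OAuth integration for Tableau Server.
-- Requires the ACCOUNTADMIN role (or a role granted CREATE INTEGRATION).
USE ROLE ACCOUNTADMIN;

-- Weak setting: refresh tokens disabled, so every expired access token
-- forces the content owner to reauthenticate.
CREATE SECURITY INTEGRATION tableau_server_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_ISSUE_REFRESH_TOKENS = FALSE;

-- Corrected setting: issue refresh tokens and keep them valid for the
-- 90-day maximum that Snowflake allows without a support ticket.
-- 7776000 seconds = 90 days. Larger values require Snowflake Support.
ALTER SECURITY INTEGRATION tableau_server_oauth SET
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

-- Check: confirm the effective validity before publishing content
-- whose extract schedule runs longer than the token lifetime.
DESCRIBE SECURITY INTEGRATION tableau_server_oauth;

-- Check: list all OAuth integrations so a stale or duplicate
-- integration for the same client is noticed during review.
SHOW INTEGRATIONS LIKE 'tableau%';
```

Compare the OAUTH_REFRESH_TOKEN_VALIDITY value in the DESCRIBE output with the longest interval between scheduled refreshes on Tableau Server; if the interval is longer, the refresh will fail before a user reauthenticates.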

Configure OAuth between Snowflake and Tableau

In a connection between Tableau and Snowflake, each must have OAuth configured.

Note: Beginning with version 2020.4, your OAuth connection can use AWS PrivateLink or Azure Private Link. For more information, see Change Snowflake OAuth to Private Link with Saved Credentials.

About using SSO with OAuth

Single Sign-On (SSO) adds another layer of security on top of OAuth authentication. A separate IdP configured for SSO manages authentication for all access activity across applications for your organization. All sign-in requests are routed to the SSO server, which displays a common sign-in dialog and checks the user’s credentials against a centralized database.

Tip: You can use saved credentials to avoid getting reprompted for your password. For more information, see Manage Saved Credentials for Data Connections.

Configure OAuth between Okta and Snowflake

Snowflake uses Okta as the default identity provider (IdP) that provides access tokens and authenticates identities. You’ll need to configure settings in Snowflake and Okta for OAuth and single sign-on (SSO) capabilities.

In Okta, you will define Okta as an OAuth authorization server and identify Snowflake as an OAuth resource. Follow the steps in this Snowflake help topic: Configuring an Identity Provider for Snowflake.

About using MFA with OAuth

Multi-factor authentication (MFA) introduces yet another layer of security. It requires two or more different methods of identification before the user can access a resource. Methods might include:

  • A password
  • A token from a second device
  • Biometrics (fingerprint or eye scan, for example)
  • Answer to a security question

You can optionally set up multi-factor authentication (MFA) with Okta or another IdP for your connections between Tableau and Snowflake. For more on configuring MFA with Okta, see Okta Help.

Other connection options

When you connect to Snowflake from Tableau Desktop, you have two other options:

  • SAML IdP
  • Username and Password

The SAML IdP option works only if Okta is your identity provider and if MFA is disabled for users in Okta. The SAML IdP option supports SSO but does not support MFA. In this case, publishing with embedded credentials will use a specific user, but you can't employ per-user "viewer credentials" when you use Okta SAML.

Note: In the past, some customers have used the “external browser” option with SAML IdP as a workaround to achieve SSO between Tableau Desktop and Snowflake. It will not work for Tableau Server. We recommend that you use the OAuth connection instead.

The Username and Password option uses the password stored by Snowflake. It requires users either to re-enter their credentials each time they connect to Snowflake or to embed those credentials in the published content.

Frequently asked questions

Why do my published Snowflake extracts fail after a period of time?

It may be that your OAuth access token has expired. You will need to manually re-authenticate to the data source to refresh the token. If you need to extend the lifetime of these tokens in the future, you can contact Snowflake Support.

How do I choose between "Prompt User" and "Embed Credentials" options when publishing a Snowflake data source?

If you would like any user accessing the data source to use their own credentials when connecting to the data source and associated content, use the Prompt User option. You can choose to embed credentials so everyone who accesses that data source uses those specific credentials. This method is functionally similar to using a "service account".

How do I leverage the row-level security that I've set up on Snowflake?

When users are prompted to enter their own credentials to access Snowflake from Tableau, those credentials map to the privileges they have in the Snowflake account.
