External OAuth for Snowflake

Starting in Tableau 2024.3, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Snowflake.

Depending on the identity provider, there are different steps needed to configure the integration. This is a high-level overview intended to guide your configuration without providing the necessary details you'll find in your identity provider documentation. It is assumed you are familiar with configuring OAuth and understand the technical details required in setting up authentication with an external identity provider.

Configure IDP on Snowflake

For information on configuring your IDP, see External OAuth overview(Link opens in a new window) in Snowflake's help system.

Configure the IDP on Tableau

  1. Create OAuth clients on the IDP for Tableau Desktop, and on Tableau Cloud or Tableau Server. The Desktop client enables PKCE(Link opens in a new window) and uses http://localhost redirects.
  2. Create the Tableau OAuth config file. For details on how to do this, see OAuth Configuration and Usage(Link opens in a new window) on github, and examples here. We welcome additional examples for other IDPs.
    1. Be sure to prefix the Tableau OAuth config IDs with “custom_”.
    2. If your IDP supports dynamic localhost port, disable OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL. If your IDP does not support this, make sure to add several localhost callback URLs to the allowlist in the config file and on the IDP.
  3. Install the new Tableau OAuth configuration files in the OAuthConfigs folder associated with each application on desktop hosts (Tableau Desktop, Tableau Prep Builder, Tableau Bridge), and on each Tableau Server and Tableau Cloud site that will be using OAuth via site settings page. For more details, see Custom OAuth Configs on Desktop(Link opens in a new window) and Site Level OAuth Clients(Link opens in a new window).

Connect to Snowflake

When connecting, you must select OAuth and choose the OAuth configuration installed earlier.

Okta

If using Okta it’s better to use a “custom authorization server” rather than the “org authorization server.” The custom authorization servers are more flexible. There’s a custom authorization server created by default, which is called “default”. The authorization URL should look like this:

https://${yourOktaDomain}/oauth2/{authServerName}/v1/authorize

okta dashboard

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!