How can you connect Snowflake to an IDE using Okta with MFA?


We currently use Okta (which requires MFA) to manage our Snowflake users, so most of our Snowflake users do not have a password. We have developers who want to use an IDE like DataGrip or DBeaver but we are unable to connect using the Okta method.

When we try to connect with the connection parameter of authenticator='https://<your_okta_account_name>.okta.com' we get the error message of [08001][390400] Bad request; operation not supported.

When we try to connect with the connection parameter of authenticator= externalbrowser we get the error message of [08001][390400] !390400!

We can't find better error messages than those. We get those error messages with both DBeaver and DataGrip.

Is there any advice on getting this to work? We can't figure out if this is a Snowflake or Okta issue.

We were referencing these pieces of documentation:
https://docs.snowflake.net/manuals/user-guide/jdbc-configure.html#connection-parameters
https://support.snowflake.net/s/article/How-to-Configure-Snowflake-connections-for-Datagrip


There are 2 best solutions below

0
On BEST ANSWER

Our issue was actually different and didn't have anything to do with our Okta/Snowflake integration. We could have followed the Snowflake documentation on how to connect to Tableau or DataGrip.

There is an issue when using Okta with MFA for Snowflake using the externalbrowser authenticator method. We have an alias on our host name that we were trying to use for authentication.

For example, our real host name might be aaa111.snowflakecomputing.com and we have an alias of companyname.snowflakecomputing.com; you need to use the aaa111.snowflakecomputing.com host name when setting up the connection.

If you are on Okta with MFA, you do need to specify the externalbrowser authenticator method though.
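A pre-flight check for IDE connection URLs that applies the two conditions from the answer above (real account host name, externalbrowser authenticator). This is an added example, not code from the answer or from Snowflake; the function names, the sample URLs and the example.okta.com tenant are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

def check_snowflake_jdbc_url(url, account_host):
    """Return findings for a Snowflake JDBC URL used with Okta + MFA.

    account_host is the real account host name (not a vanity alias),
    supplied by whoever administers the account. Hypothetical helper.
    """
    if not url.lower().startswith("jdbc:snowflake://"):
        return ["not a Snowflake JDBC URL"]
    # Drop the "jdbc:" prefix so the standard URL parser can split it.
    parts = urlsplit(url[len("jdbc:"):])
    # Treat parameter names case-insensitively and trim stray spaces.
    params = {k.lower(): v.strip() for k, v in parse_qsl(parts.query)}
    findings = []
    host = parts.hostname or ""  # hostname is lower-cased, port removed
    if host != account_host.lower():
        findings.append(
            f"host '{host}' is not the account host name "
            f"'{account_host.lower()}' (alias?)")
    auth = params.get("authenticator", "")
    if auth.lower() != "externalbrowser":
        shown = auth or "<unset>"
        findings.append(
            f"authenticator is '{shown}'; Okta with MFA needs externalbrowser")
    return findings

def audit(urls, account_host):
    """Map each URL to its findings; an empty list means it passed."""
    return {u: check_snowflake_jdbc_url(u, account_host) for u in urls}

# Constructed sample connection strings, using the host names from the answer.
ACCOUNT_HOST = "aaa111.snowflakecomputing.com"
SAMPLES = [
    "jdbc:snowflake://aaa111.snowflakecomputing.com/?authenticator=externalbrowser",
    "jdbc:snowflake://companyname.snowflakecomputing.com/?authenticator=externalbrowser",
    "jdbc:snowflake://companyname.snowflakecomputing.com/?authenticator=https://example.okta.com",
    "jdbc:snowflake://AAA111.snowflakecomputing.com:443/?db=ANALYTICS",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLES, ACCOUNT_HOST).items():
        print("OK  " if not findings else "FAIL", url)
        for f in findings:
            print("     -", f)
```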

1
On

Not sure about Okta specifically, but when you provide the SSO URL to Snowflake when updating the SAML_IDENTITY_PROVIDER account parameter, you'll want to provide the SP-initiated SSO URL, so you'll want to make sure that Okta is set up for SP-initiated single sign-on.

SP-initiated is service provider initiated authentication, and IdP-initiated is identity provider initiated authentication.

I'm not an authentication expert, but I learned enough (and I won't get into the details here) trying to set this up with my company to know that if you want to use non-browser-based tools while using your company's identity provider with Snowflake, then the authentication needs to be set up with the SP-initiated SSO URL.

Snowflake documentation makes no mention of any of this, so it can be tricky to navigate.

Here are a couple of authentication related details if you're interested: http://jamsheert.blogspot.com/2015/08/difference-between-idp-initiated-sso.html

Differences between SP initiated SSO and IDP initiated SSO