Configure OAuth
You can configure OAuth as an authentication method for your Sigma organization, for your connections to your data platforms, or both.
Using OAuth has several advantages:
- Authenticating Sigma users with OAuth minimizes the risk of password leaks or misuse, which is crucial for maintaining data security and privacy.
- Connections authenticated with OAuth allow your users to read data and use write-back features like input tables, warehouse views, materializations, and CSV uploads with their own individual credentials instead of a service account.
- Admins have the option to configure individual workbooks to run queries using the service account instead of each user’s OAuth credentials. See Run a workbook with service account credentials.
Requirements
- You must be assigned the Admin account type to manage authentication for your Sigma organization.
About OAuth for permissions management
OAuth is an authorization framework that allows your users to securely log in to applications without the need for a username and password. This authorization happens between a client (you and your users) and one or more resources (i.e. Sigma and your data platform) via your Identity Provider (IdP). Your IdP uses an authorization server and short-lived tokens to authenticate your application’s users.
The OAuth framework supports the OpenID Connect (OIDC) open authentication protocol, which verifies user identities and authorizes access to digital services. In Sigma's product and documentation, the term OAuth is used to refer to both the OAuth framework and the OIDC protocol for authentication.
Configuring OAuth on the connections between Sigma and your data platforms allows your users to see only the data that they are permitted to see in the data platform. This is accomplished by establishing a chain of trust between your IdP, your data platform, and Sigma.
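The chain of trust described above only holds if the relying party actually verifies what the IdP issued. The following is an added example, not Sigma's code or any IdP's, of the checks a relying party performs on an OIDC ID token before trusting the identity it carries: signature, pinned algorithm, issuer, audience, expiry, and nonce. It assumes an HS256 signature with a constructed shared secret as a stand-in for the RS256 signature and JWKS lookup a real IdP uses, and every issuer, audience, subject and secret value in it is constructed for illustration. The expiry check is the same one that makes a long-unused token unusable, which is why scheduled runs under a dormant owner's credentials fail.

```python
# Added example (not Sigma's or an IdP's code): relying-party validation of an OIDC ID token.
# Assumptions: HS256 with a constructed shared secret stands in for the RS256/JWKS
# signature a real IdP uses; issuer, audience and all claim values are constructed.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when an ID token fails any verification step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT; stands in for the IdP's authorization server."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_id_token(token, secret, issuer, audience, nonce=None, now=None, leeway=60):
    """Verify the signature and the core OIDC claims; return the claims or raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never get to choose it (e.g. "alg": "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - leeway:
        raise TokenError("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


def check_token(token, secret, issuer, audience, nonce=None, now=None):
    """Convenience wrapper: (True, subject) on success, (False, reason) otherwise."""
    try:
        claims = validate_id_token(token, secret, issuer, audience, nonce, now)
        return True, claims["sub"]
    except TokenError as err:
        return False, str(err)


# Constructed values; not real Sigma, IdP or customer identifiers.
SECRET = b"constructed-shared-secret"
ISSUER = "https://idp.example.com"
AUDIENCE = "sigma-oauth-client-id"
NOW = 1_700_000_000


def demo():
    """Mint four tokens and show which ones a relying party would accept."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
            "iat": NOW - 10, "exp": NOW + 300, "nonce": "n-1",
            "email": "analyst@example.com"}
    good = mint_id_token(base, SECRET)
    expired = mint_id_token({**base, "exp": NOW - 3600}, SECRET)
    other_app = mint_id_token({**base, "aud": "some-other-client"}, SECRET)
    # Swap the subject but keep the original signature: identity substitution attempt.
    header_b64, _, sig_b64 = good.split(".")
    tampered = ".".join([header_b64, _b64url_encode(json.dumps({**base, "sub": "admin-999"}).encode()), sig_b64])
    return {
        "good": check_token(good, SECRET, ISSUER, AUDIENCE, "n-1", NOW),
        "expired": check_token(expired, SECRET, ISSUER, AUDIENCE, "n-1", NOW),
        "other_app": check_token(other_app, SECRET, ISSUER, AUDIENCE, "n-1", NOW),
        "tampered": check_token(tampered, SECRET, ISSUER, AUDIENCE, "n-1", NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the outcome for each token: only the untouched token is accepted; the expired, wrong-audience and re-subjected tokens are rejected with the reason. The audience check is what keeps a token issued for one OAuth application from being replayed against another, which matters when, as described on this page, an organization-level and a connection-level OAuth application coexist.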
Use different OAuth configurations for authenticating users to your connections than you use for your Sigma organization (Beta)
Using OAuth for both the organization-level and connection-level authentication is generally available. Configuring a unique OAuth application to authenticate users to a connection – in other words, opting to not re-use the OAuth configuration you use at the organization level – is in public beta.
This documentation describes a public beta feature and is under construction. This documentation should not be considered part of our published documentation until this notice, and the corresponding Beta flag on the feature in Sigma, are removed. As with any beta feature, the feature discussed below is subject to quick, iterative changes. The latest experience in the Sigma service may differ from the contents of this document.
Beta features are subject to the disclaimer on Beta features.
You can enable OAuth as the method of authenticating users to your Sigma organization, or on a per-connection basis in Sigma for any of your connections that support OAuth, or both. If you use multiple IdPs and data platforms, you can create connections with different OAuth configurations.
While this feature is in public beta, if you choose the option to use a unique OAuth configuration at the connection level rather than re-using your organization-level OAuth configuration, only users with a license type of Pro are able to access the connection. See License and account type overview. To avoid this restriction and still use OAuth to authenticate a connection, configure OAuth at the organization level and then re-use that configuration when you create your connection.
Limitations of using OAuth in Sigma
When authenticating a connection with OAuth, note the following:
- OAuth is only supported for the following connection types:
  - Snowflake
  - Databricks
- OAuth tokens can expire if the owner goes a significant amount of time without logging in to Sigma. If this happens, scheduled exports and other schedules fail. This limitation can be avoided by running the workbook as a service account. See Run a workbook with service account credentials.
- Any Sigma user that is not provisioned with an account in your IdP cannot access data on OAuth-authenticated connections. These users are still able to see data from these connections in workbooks that are run with service account credentials.
- OAuth connections that do not re-use an organization level OAuth can only be accessed by users with a Pro license type. For more about this beta feature limitation, see Use different OAuth configurations for authenticating users to your connections than you use for your Sigma organization (Beta).
When authenticating users to your Sigma organization with OAuth, note the following:
- When users configured in your IdP do not already have a Sigma account associated with their email address, Sigma auto-provisions them with a Sigma account with a Lite account type upon their first login. To change the account type for these users, an admin needs to manually adjust the account type assignments in Sigma. See Reassign members from a specific account type. This manual reassignment of account types is not required if you use SCIM for user and account management. See Manage users and teams with SCIM.
- If you enable guest users in your Sigma organization, those guest users need to be provisioned with an account in your IdP in order to log in to Sigma. As a workaround, you can configure OAuth or password as your authentication method so that guest users can log in with a username and password.
Plan your OAuth configuration
- Configure a Sigma OAuth application to enable authentication via your IdP. See Configure a Sigma OAuth application.
- [optional] If you want to use OAuth to authenticate users to your Sigma organization, configure OAuth as your authentication method. See Configure OAuth authentication for your Sigma organization.
- [optional] If you require write-back features in OAuth-enabled connections, prepare your schema in your data platform. See Configure OAuth with write access.
- [optional] Update existing connections to use OAuth, or create new ones. See: