OAuth with Snowflake and Azure AD

Step 1: Register an App for Sigma in Azure AD

  1. Go to the Microsoft Azure Portal and authenticate.
  2. Go to Azure Active Directory.
  3. Click on App Registrations.
  4. Click on New Registration.
  5. Enter "Sigma OAuth App" or similar as the name.
  6. Verify the Supported account types are set to Single Tenant.
  7. Click Register.
  8. From the Overview page click on Add a Redirect URI.
  9. Click on Expose an API.
  10. Click on the Set link next to Application ID URI, and set the Application ID URI to:
    https://<your-azure-verified-domain-name>.com/<your-application-(client)-id>
  11. Click on Add a scope to add a scope representing the Snowflake role.
    • Set "Scope name" to "session:role-any".
    • Select "Admins only" for consent.
    • Enter a recognizable consent display name, e.g. "Sigma - Snowflake consent".
    • Enter a consent description, e.g. "Allows Sigma to inherit Snowflake user roles".
    • Click on the "Add scope" button at the bottom.
  12. Click on Certificates & secrets and then New client secret.
    • Enter a description, e.g. "Sigma Client Secret".
    • Select an expiration period.
      Note: For testing purposes select "Never".
    • Click Add.
    • Copy the secret value (the "Client Secret") to be used in Sigma later.
      Note: Copy the new client secret value now. You won't be able to retrieve it after you perform another operation or leave this blade. You can always create a new one.
  13. Click on API permissions from the navigation bar on the left.
    • You should already have the User.Read permission from the Microsoft Graph API listed.
    • Click on Microsoft Graph API.
    • On the blade that opens on the right, click on Delegated permissions.
    • In the permission list below, expand the OpenID permissions.
    • Select the email, offline_access, openid and profile permissions.
    • Click on the Update permissions button at the bottom.
    • Click on Grant admin consent.
    • Click on the Yes button.

Step 2: Collect Azure Information

  1. Navigate to the Microsoft Azure Portal and authenticate.
  2. Navigate to Azure Active Directory.
  3. Click on App Registrations.
  4. Click on the "Sigma OAuth App" app created in Step 1 and collect the following values.
    a. Items for Sigma:
      i. From the Overview interface click on Endpoints and copy the OpenID Connect metadata document URL.
      ii. From the Overview interface copy the Application ID URI.
      iii. The client secret from Step 1.12 (Certificates & secrets).
        Note: If you did not make a copy earlier, create a new secret.
    b. Items for Snowflake:
      i. From the Overview interface click on Endpoints. Copy the Federation metadata document URL and open it in a new browser tab. Locate the "entityID" parameter and copy its value. This is known as the "external_oauth_issuer" in Snowflake.
      ii. From the same Endpoints view, copy the OpenID Connect metadata document URL and open it in a new browser tab. Locate the "jwks_uri" parameter and copy its value. This is known as the "external_oauth_jws_keys_url" in Snowflake.
      iii. From the Overview interface copy the Application ID URI, which should start with "https://".

Step 3: Create a Security Integration in Snowflake

This step involves creating a security integration in Snowflake to ensure that Snowflake can communicate with Microsoft Azure AD securely, validate the tokens from Azure AD, and provide the appropriate Snowflake data access to Sigma users based on the user role associated with the OAuth token.

Important:
Only account administrators (i.e. users with the ACCOUNTADMIN role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.

The security integration parameter values are case-sensitive, and the values you put into the security integration must match those in your environment exactly. If the case does not match, the access token may fail validation, resulting in a failed authentication attempt.

Verify all values are an exact match. For example, if the Issuer value does not end with a trailing slash but the security integration is created with a slash at the end of the URL, token validation will fail with an error. It would then be necessary to drop the security integration object (using DROP INTEGRATION) and create it again with the correct Issuer value (using CREATE SECURITY INTEGRATION).

In order to run the following SQL statement in Snowflake, have the values from Step 2, item 4.b ready:

  1. Execute the create statement:

     create security integration <enter_a_name_for_integration>
       type = external_oauth
       enabled = true
       external_oauth_type = azure
       external_oauth_issuer = '<external_oauth_issuer>'              -- entityID from 4.b.i
       external_oauth_jws_keys_url = '<external_oauth_jws_keys_url>'  -- jwks_uri from 4.b.ii
       external_oauth_audience_list = ('<application_id_uri>')        -- Application ID URI from 4.b.iii
       external_oauth_token_user_mapping_claim = 'upn'
       external_oauth_snowflake_user_mapping_attribute = 'login_name'
       external_oauth_any_role_mode = 'ENABLE';
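The following added example (not Sigma, Snowflake or Microsoft code) mirrors the claim checks the security integration above implies: exact issuer match, audience membership, the upn-to-login_name mapping and the session:role scope from Step 1. It decodes nothing and skips signature verification; the claims, tenant and client ids are constructed placeholders, and the assumptions that login_name matching is case-insensitive and that Azure AD places scopes in a space-separated scp claim are marked in the code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityIntegration:
    # Field names mirror the CREATE SECURITY INTEGRATION parameters in Step 3.
    external_oauth_issuer: str
    external_oauth_audience_list: tuple
    external_oauth_token_user_mapping_claim: str = "upn"
    external_oauth_any_role_mode: str = "ENABLE"

def check_token_claims(claims, integ, login_names):
    """Return the mismatches between decoded token claims and the integration;
    an empty list means the token would map to a Snowflake user. Signature
    checking against external_oauth_jws_keys_url is assumed done already."""
    problems = []
    # Issuer: exact string compare, so case and a trailing slash both matter.
    if claims.get("iss") != integ.external_oauth_issuer:
        problems.append("iss %r != integration issuer %r"
                        % (claims.get("iss"), integ.external_oauth_issuer))
    # Audience: the Application ID URI must appear in the audience list.
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in integ.external_oauth_audience_list for a in auds):
        problems.append("aud %r not in audience list" % (auds,))
    # User mapping: the upn claim is matched against LOGIN_NAME (assumed here
    # to compare case-insensitively).
    upn = claims.get(integ.external_oauth_token_user_mapping_claim)
    if upn is None or upn.lower() not in {n.lower() for n in login_names}:
        problems.append("no Snowflake user with login_name %r" % (upn,))
    # Role: Azure AD puts granted scopes in the space-separated 'scp' claim
    # (assumption); with any_role_mode ENABLE the session:role-any scope from
    # Step 1 is sufficient.
    scopes = set(claims.get("scp", "").split())
    has_role = any(s.startswith("session:role:") for s in scopes)
    if integ.external_oauth_any_role_mode == "ENABLE":
        has_role = has_role or "session:role-any" in scopes
    if not has_role:
        problems.append("no session:role scope in scp %r" % (sorted(scopes),))
    return problems

# Constructed sample values; the tenant and client ids are placeholders.
INTEGRATION = SecurityIntegration("https://sts.windows.net/<tenant-id-placeholder>/",
                                  ("https://example.com/<client-id-placeholder>",))
GOOD_CLAIMS = {"iss": "https://sts.windows.net/<tenant-id-placeholder>/",
               "aud": "https://example.com/<client-id-placeholder>",
               "upn": "alice@example.com", "scp": "session:role-any"}
# Token whose iss differs from the integration only by the trailing slash.
SLASH_CLAIMS = dict(GOOD_CLAIMS, iss="https://sts.windows.net/<tenant-id-placeholder>")
```

Running check_token_claims on a decoded token before creating the integration shows which parameter would need a DROP INTEGRATION and re-create, without waiting for a failed login.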

Step 4: Configure OAuth in Sigma

  1. Open your Admin Portal by selecting Administration in the user menu at the top right of your screen.
  2. Select the Authentication page from the left-hand panel.
  3. Click the blue Edit button under Authentication Method and Options.
  4. Select 'OAuth or Password' from the Authentication Method dropdown menu.
  5. Under Metadata URI, enter the OpenID Connect metadata document URL from Step 2: 4.a.i.
  6. Under Client ID, enter the Application ID URI from Step 2: 4.a.ii.
  7. Under Client Secret, enter the client secret from Step 2: 4.a.iii.
  8. Click Save.
  9. Test your OAuth configuration by logging out and logging back into Sigma. Your organization's login page should now display a Log in with SSO button.