About using OAuth with Sigma
You can configure OAuth as an authentication method for your Sigma organization, for your connections to your data platforms, or both. Using OAuth only to authenticate a connection is referred to as connection-level OAuth, while using OAuth to authenticate users to Sigma is referred to as organization-level OAuth.
- Connection-level OAuth: Authenticate to your data platform with a connection-specific OAuth configuration. Users can sign in to Sigma with any authentication method; when they query data through the connection, Sigma uses OAuth to authenticate them to the data platform. Recommended when you want the role-based access control (RBAC) already defined in your data platform to apply in Sigma, but you want a different authentication method or a different OAuth server for Sigma itself. Required if you use multiple identity providers or want to use OAuth to authenticate to multiple data platforms.
- Organization-level OAuth: Manage authentication to your Sigma organization and to your data platform connections with a single OAuth configuration. When a user signs in to Sigma with OAuth, Sigma uses the resulting token to sign them in to your data platform as well. Recommended when Sigma users have accounts in your data platform, you want the same RBAC to apply in Sigma, and you want to use one OAuth server for both Sigma and your data platform.
This is a premium feature. To enable it for your Sigma organization, contact your Sigma Account Executive.
Using OAuth has several advantages over other authentication methods:
- Authenticating Sigma users with OAuth means Sigma never stores or checks a password for those users, which reduces the risk of password leaks or misuse.
- Connections authenticated with OAuth allow your users to read data and use write-back features like input tables, warehouse views, materialization, and CSV uploads with their own individual credentials instead of a shared service account, so every query is attributable to, and limited by, the user who ran it.
- Manage user access centrally in your identity provider (IdP) instead of separately in Sigma.
Requirements
- You must be assigned the Admin account type to manage authentication for your Sigma organization.
About OAuth for permissions management
OAuth 2.0 is an authorization framework that lets an application act on a user's behalf with a short-lived token instead of the user's password. In OAuth terms, Sigma is the client, your users are the resource owners, your data platform is a resource server, and your identity provider (IdP) hosts the authorization server that issues the tokens.
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0: it adds an ID token that verifies who the user is, while OAuth itself only authorizes access to resources. In the Sigma product and documentation, the term OAuth covers both the OAuth framework and the OIDC protocol used for authentication.
If you configure OAuth on a connection between Sigma and a data platform, users can access only the data they are permitted to access in the data platform: Sigma presents the user's own token to the data platform, and the data platform applies its own roles and grants to every query. This establishes a chain of trust between your IdP, your data platform, and Sigma, and it means a user's effective permissions in Sigma can never exceed their permissions in the data platform.
Configure connection-level OAuth
You can configure OAuth as the authentication method for a specific connection to a data platform, even if you do not use OAuth to authenticate users to Sigma. If your organization uses multiple identity providers, you must authenticate to your connections using connection-level OAuth.
To set up connection-level OAuth, see the instructions for your data platform (Snowflake, Databricks, or BigQuery).
You can also use OAuth to authenticate embed users to the connection used by your application. See the JSON web token claims reference and refer to the connection_oauth_tokens claim.
Considerations for connection-level OAuth
When authenticating a connection with OAuth, note the following:
- Connection-level OAuth is only supported for the following connection types:
  - Snowflake
  - Databricks
  - BigQuery
- A user's OAuth token expires if they do not sign in to Sigma often enough to keep it refreshed. When the token expires, scheduled exports and other scheduled jobs that run with that user's credentials fail. To avoid this, configure a service account for the connection and run scheduled workbooks with service account credentials. See Run a workbook with service account credentials.
- If a Sigma user does not have an account provisioned in the IdP used to manage access to the connection, that user cannot query data from an OAuth-authenticated connection. These users can still see data from these connections in workbooks that run with service account credentials.
- If your organization has multiple identity providers enabled, you must use connection-level OAuth. See Considerations for existing organizations using organization-level OAuth.
Configure organization-level OAuth
To configure organization-level OAuth and use the same OAuth configuration to authenticate users to Sigma and your data platform, see Configure OAuth authentication for your Sigma organization.
You can use OAuth to authenticate embed users to your application. See the JSON web token claims reference and refer to the oauth_token claim.
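Both the connection_oauth_tokens claim (connection-level OAuth, above) and the oauth_token claim (organization-level OAuth) travel inside the signed JWT your application issues for an embed user. As an added example that is not Sigma's own code and is not taken from the claims reference, the block below mints and verifies such an HS256 JWT using only the Python standard library. The header and claim names (kid, iss, sub, jti, iat, exp) and the shape of connection_oauth_tokens as a map from connection ID to token are assumptions about Sigma's embed JWT format; confirm them against the JSON web token claims reference before use. The client ID, client secret, e-mail address, connection ID and token strings are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_embed_jwt(client_id, client_secret, email, *, oauth_token=None,
                    connection_oauth_tokens=None, ttl_seconds=300, now=None):
    """Mint an HS256 JWT for an embed user (claim layout is an assumption, see lead-in).

    oauth_token             -> organization-level OAuth: one token for Sigma and the data platform
    connection_oauth_tokens -> connection-level OAuth: {connection_id: token} (assumed shape)
    Keep ttl_seconds short: this JWT is a bearer credential carrying the user's
    data-platform token, so anyone holding it can query as that user until exp.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT", "kid": client_id}
    payload = {
        "sub": email,
        "iss": client_id,
        "jti": str(uuid.uuid4()),   # unique per token so a replayed JWT can be spotted
        "iat": now,
        "exp": now + ttl_seconds,
    }
    if oauth_token is not None:
        payload["oauth_token"] = oauth_token
    if connection_oauth_tokens:
        payload["connection_oauth_tokens"] = dict(connection_oauth_tokens)
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(client_secret.encode(), signing_input.encode(),
                         hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_embed_jwt(token, client_id, client_secret, now=None):
    """Check algorithm, key id, signature, issuer and lifetime; return claims or raise ValueError."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never trust 'alg' from the token (rejects alg=none and key confusion).
    if header.get("alg") != "HS256" or header.get("kid") != client_id:
        raise ValueError("unexpected alg or kid")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != client_id:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("token issued in the future")
    return claims


if __name__ == "__main__":
    # Constructed sample values; real tokens come from your IdP or data platform.
    token = build_embed_jwt("client-abc", "s3cret", "ana@example.com",
                            connection_oauth_tokens={"conn-123": "ya29.sample-token"})
    print(verify_embed_jwt(token, "client-abc", "s3cret")["sub"])
```

Mint these tokens only on your server, where the client secret and the user's OAuth token live; a JWT that embeds a data-platform token must never be assembled in the browser. The verifier pins the algorithm and key id before checking the HMAC, then checks iss and exp, which are the same checks an OIDC relying party performs on an ID token; the expiry check is also why the scheduled-job caveat above applies to embed users whose tokens lapse.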
Considerations for organization-level OAuth
When authenticating users to your Sigma organization with OAuth, note the following:
- If users configured in your IdP do not already have a Sigma account associated with their email address, they're automatically provisioned with a Sigma account with a Lite or View account type when they first log in. To change the account type for these users, an admin must manually change the account type assignments in Sigma. See Reassign members from a specific account type. If you use SCIM to manage users and account types, manually reassigning account types is not required. See Manage users and teams with SCIM.
- Guest users require a password-based authentication method to access Sigma.
When transitioning authentication methods for your Sigma organization from basic authentication to OAuth, the best practice is to transition first to the OAuth or password option rather than directly to requiring OAuth-only login for all users. With the authentication method set to OAuth or password, you retain the ability to log in with a password during the transition to your IdP-based login, ensuring that you're not locked out during the configuration change. After you have confirmed that users are able to log in using OAuth, you can transition to OAuth-only login.
Plan your OAuth configuration
If you plan to use OAuth for authentication, complete the relevant steps for your desired configuration:
- Configure a Sigma OAuth application to enable authentication via your IdP.
  - To use Databricks as your IdP, see Configure an OAuth application for Databricks.
  - To use any other IdP, see Configure a Sigma OAuth application.
- Follow the configuration steps for your chosen method:
  - To set up connection-level OAuth, refer to the instructions for your data platform (Snowflake, Databricks, or BigQuery).
  - To set up organization-level OAuth, see Configure OAuth authentication for your Sigma organization.
- For IdP-specific guidance, you can also review the Guidelines For Configuring OAuth and SAML Authentication in the Sigma Community.