Reputation: 665
I got a bit of a weird one. So our Snowflake account is in AWS, we recently had to integrate Okta SSO in Snowflake, and we are using Power BI to visualize the data. I've integrated the SSO and it works well on the Snowflake Web UI. However, in Power BI, signing in doesn't work anymore.
These are the steps I've done so far:

ssoUrl from the staff in charge of Okta and ran the below scripts

alter account set saml_identity_provider =
'{ "certificate": "<CERT STRING>",
"ssoUrl": "<SSO URL>",
"type" : "OKTA",
"label" : "<LABEL>"
}';

alter account set sso_login_page = true;

create or replace security integration powerbi
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = 'https://sts.windows.net/<TENANT_ID>/'
    external_oauth_jws_keys_url = 'https://login.windows.net/common/discovery/keys'
    external_oauth_audience_list = ('https://analysis.windows.net/powerbi/connector/Snowflake')
    external_oauth_token_user_mapping_claim = 'upn'
    external_oauth_snowflake_user_mapping_attribute = 'login_name'
    external_oauth_any_role_mode = 'ENABLE';

However, I am still getting the above error (We couldn't authenticate with the credentials provided. Please try again.), although it is redirecting me to the Okta page successfully.
I am not using a Network Policy or a Gateway so it should be able to sign in directly.
Can anyone help?
Upvotes: 2
Views: 3458
Reputation: 665
I have found the issue. It seems the external_oauth_issuer I was using was from the tenant in which we published our reports, which is not the same tenant in which we have our Azure accounts. I've changed that and now it seems to work.
Upvotes: 2
Reputation: 51
For Power BI SSO, Snowflake validates the token, extracts the username from the token, maps it to the Snowflake user, and creates a Snowflake session for the Power BI service using the user's default role. Therefore, as suggested above, please ensure the Power BI user used for SSO login has a default role set in Snowflake. See the below article for more details: https://community.snowflake.com/s/article/PowerBI-Service-displays-credentials-related-error-when-logging-in-or-publishing-report-from-PowerBI-Desktop
Upvotes: 1
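To see which of the checks described in the answers above a Power BI token would fail, here is an added example that is not part of the original posts: a simplified offline model of the issuer, audience, `upn` to `login_name` mapping and default-role checks. It is not Snowflake's implementation; the tenant IDs, user, token and helper names are constructed for illustration.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(claims, integration, users):
    """List the reasons a token would not map to a usable Snowflake session."""
    problems = []
    if claims.get("iss") != integration["external_oauth_issuer"]:
        problems.append("issuer mismatch: token iss is %r" % claims.get("iss"))
    aud = claims.get("aud")
    token_auds = set(aud if isinstance(aud, list) else [aud])
    if not token_auds & set(integration["external_oauth_audience_list"]):
        problems.append("audience mismatch: token aud is %r" % aud)
    claim = integration["external_oauth_token_user_mapping_claim"]
    attr = integration["external_oauth_snowflake_user_mapping_attribute"]
    name = str(claims.get(claim, "")).lower()  # assumption: case-insensitive match
    user = next((u for u in users if str(u.get(attr, "")).lower() == name), None)
    if user is None:
        problems.append("no user whose %s matches claim %s" % (attr, claim))
    elif not user.get("default_role"):
        problems.append("user %s has no default_role" % user[attr])
    return problems

def make_token(claims):
    """Build an unsigned sample token; constructed test data, not a real token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Constructed sample values: both tenant IDs and the user are placeholders.
REPORT_TENANT = "11111111-1111-1111-1111-111111111111"
USER_TENANT = "22222222-2222-2222-2222-222222222222"
INTEGRATION = {
    "external_oauth_issuer": "https://sts.windows.net/%s/" % REPORT_TENANT,
    "external_oauth_audience_list": ["https://analysis.windows.net/powerbi/connector/Snowflake"],
    "external_oauth_token_user_mapping_claim": "upn",
    "external_oauth_snowflake_user_mapping_attribute": "login_name",
}
USERS = [{"login_name": "ANALYST@EXAMPLE.COM", "default_role": "REPORTING"}]
TOKEN = make_token({"iss": "https://sts.windows.net/%s/" % USER_TENANT, "upn": "analyst@example.com",
                    "aud": INTEGRATION["external_oauth_audience_list"][0]})

if __name__ == "__main__":
    print(check_token(jwt_claims(TOKEN), INTEGRATION, USERS))
```

With the sample values, the only finding is the issuer mismatch, because the integration holds the report tenant while the token was issued by the tenant the user signs in to.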
Reputation: 1640
The most probable reason for this issue would be either one of the following:
The user which is being used from PBI does not have 'default_role' set with a value.
If it is set with a value, then the role does not have the USAGE privilege on the WH which is being set from PBI.
Run the following to check this:

show grants on warehouse <WAREHOUSE_NAME>;
Upvotes: 3