Strategy ONE

Configure OAuth Parameters

Starting in Strategy One (March 2025), to connect Snowflake to Microsoft Entra ID and Okta for OIDC sign-in, you must configure OAuth parameters.

Determine the OAuth Workflow

Strategy supports two different OAuth workflows in which an OAuth Client can get an access token.

  1. Authorization Code: The authorization server grants the OAuth client an access token on behalf of the user. Choose this method for interactive end users who enter their login information manually.

  2. Client Credential: The authorization server grants the OAuth client an access token for the OAuth client itself. Choose this method for programmatic, machine-to-machine scenarios.

Configure OAuth Parameters with Microsoft Entra ID (Formerly Known as Azure AD)

Step 1: Create a Snowflake OAuth Resource

Follow Configure the OAuth resource in Microsoft Entra ID to configure the OAuth resource in Microsoft Entra ID. Strategy recommends that you set the Application ID URI and note this value, as it is used later in this topic.

For testing purposes, the "session:role-any" role can be set to bypass the role check when connecting to Snowflake over OAuth.

Microsoft Entra ID does not allow the same role format for both OAuth workflows. You must use a different role for each method.

For example, you can add two scopes: USER1_ROLE and USER2_ROLE. USER1_ROLE maps to workflow 1 (Authorization Code) and USER2_ROLE maps to workflow 2 (Client Credential).

Step 2: Create an OAuth Client in Microsoft Entra ID

Follow Create an OAuth client in Microsoft Entra ID to create an OAuth client in Microsoft Entra ID.

Redirect URLs

The steps in this section are only required if you are using the Authorization Code workflow; skip them if you are following the Client Credential workflow.

In the Authentication page of the OAuth client in the Azure Portal, add the following required redirect URLs:

To integrate with Strategy using OAuth:

Web

https://<ISERVER_HOST>/MicroStrategyLibrary/auth/DIOAuthRedirect.jsp

To integrate with Strategy Library or Workstation using OIDC:

Web

https://<ISERVER_HOST>/MicroStrategyLibrary/auth/DIOAuthRedirect.jsp

https://<ISERVER_HOST>/MicroStrategyLibrary/static/oidc/success.html

https://<ISERVER_HOST>/MicroStrategyLibrary/auth/oidc/login

Mobile and desktop applications

http://127.0.0.1

com.microstrategy.hypermobile://auth

com.microstrategy.dossier.mobile://auth

Step 3: Collect Azure AD Information for Snowflake

Follow Collect Azure AD information for Snowflake to collect Azure AD information for Step 4 of this topic. You will need the following information:

  • <AZURE_AD_ISSUER> from the Federation metadata document.

  • <AZURE_AD_JWS_KEY_ENDPOINT> from the OpenID Connect metadata document.

If you used and noted the Application ID URI in Step 1: Create a Snowflake OAuth Resource, collect that value. This will be used as the <SNOWFLAKE_APPLICATION_ID_URI> value in step 4 of this topic.

Step 4: Create a Security Integration in Snowflake

Authorization Code Workflow

Execute the following SQL to create a security integration. For more information, see Create a Security Integration in Snowflake.

create security integration external_oauth_azure_2
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = '<AZURE_AD_ISSUER>'
    external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>'
    external_oauth_audience_list = ('<SNOWFLAKE_APPLICATION_ID_URI>')
    external_oauth_token_user_mapping_claim = 'upn'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

If you do not use the Application ID URI, create a security integration with audiences using the Snowflake Account URL (for example, <account_identifier>.snowflakecomputing.com).

Client Credential Workflow

Execute the following SQL to create a security integration using a Snowflake Account Admin user.

create security integration EXTERNAL_OAUTH_AZURE
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = '<AZURE_AD_ISSUER>'
    external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>'
    external_oauth_audience_list = ('<SNOWFLAKE_APPLICATION_ID_URI>')
    external_oauth_token_user_mapping_claim = 'sub'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

Considerations

If you use session:role-any, external_oauth_any_role_mode must be enabled. Using the Authorization Code workflow as an example:

create security integration external_oauth_azure_2
    type = external_oauth
    enabled = true
    external_oauth_type = azure
    external_oauth_issuer = '<AZURE_AD_ISSUER>'
    external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>'
    external_oauth_audience_list = ('<SNOWFLAKE_APPLICATION_ID_URI>')
    external_oauth_token_user_mapping_claim = 'upn'
    external_oauth_any_role_mode = 'ENABLE'
    external_oauth_snowflake_user_mapping_attribute = 'login_name';

Only one security integration can be created for the same Azure AD issuer. If you want to use both workflows, update the security integration so that it accepts both mapping claims:

alter security integration external_oauth_azure set EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = ('upn','sub');

Step 5: Create/Alter a User for Snowflake OAuth Login

Authorization Code

Create a user for the OAuth login to Snowflake. For example, you can use the following snippet:

CREATE USER Taylor PASSWORD = 'password'
    LOGIN_NAME = 'taylor@strategy.com' DISPLAY_NAME = 'Taylor' FIRST_NAME = 'Taylor' LAST_NAME = 'Taylor'
    EMAIL = 'taylor@strategy.com'
    DEFAULT_ROLE = "PUBLIC" DEFAULT_WAREHOUSE = 'TEST_WH' DEFAULT_NAMESPACE = 'TEST' MUST_CHANGE_PASSWORD = FALSE;

The LOGIN_NAME should match the user's actual Azure AD upn so that the token is mapped to this user during authentication.

Client Credential

  1. Request the OAuth Access Token

    Prepare the cURL command that requests the access token with the client credentials (CC) grant, supplying the client's own credentials.

    Execute the command in the terminal using the following template:

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
      --data-urlencode "client_id=<Client_ID>" \
      --data-urlencode "client_secret=<Client_Secret>" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "scope=<Scope>/.default" \
    '<Token_Endpoint>'

    After successful execution, the following response displays:

    {
    "token_type":"Bearer",
    "expires_in":3599,
    "ext_expires_in":3599,
    "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsIm.......FTU5nctRpmaA"
    }
  2. Decode the OAuth Access Token

    Copy the access_token value and decode it with an online decoder of your choice (for example, jwt.ms). The decoder shows the claims in the token, such as:

    https://sts.windows.net/4c481368-xxxx-xxxx-xxxx-3844f846d0ca/",
      "oid": "3d63d2ef-abb5-4029-bea5-c72c0652895d",
      "rh": "1.AYIAaBNITGZFAUGcDDhE-EbQyi7MprcWchxIhpzKmCKYJ8CCAACCAA.",
      "roles": [
        "session:role:ANALYST"
      ],
      "sub": "3d63d2ef-abb5-4029-bea5-c72c0652895d",
      "tid": "4c481368-xxxx-xxxx-xxxx-3844f846d0ca",
      "uti": "LcudwZszi06vgEbDZmqUAA",
      "ver": "1.0"
    }.[Signature]

    Note the value of sub.

  3. Create a system user for the OAuth login to Snowflake in the Client Credential workflow, such as the following.

    Set LOGIN_NAME to the sub value you noted above.

    CREATE USER SNOWSQL_OAUTH_USER
    LOGIN_NAME = '3d63d2ef-abb5-4029-bea5-c72c0652895d'
    DISPLAY_NAME = 'SnowSQL OAuth User for client credential' COMMENT = 'A system user for SnowSQL client to be used for OAuth based connectivity';

Step 6 (Optional): Request the OAuth Access Token and Validate

Prepare the cURL command that requests the access token with the client credentials (CC) grant, supplying the client's own credentials.

curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  --data-urlencode "client_id=<Client_ID>" \
  --data-urlencode "client_secret=<Client_Secret>" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=<Scope>" \
'<Token_Endpoint>'

Copy the token from the response and validate it in Snowflake using the following command:

SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<Access_Token>');

After successful execution, the following response displays:

Token Validation finished.
{
"Validation Result":"Passed",
"Issuer":"https://sts.windows.net/91ccae45-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
"Extracted User claim(s) from token":"4c99a1d6-50ce-4e7d-9cc2-429c26d613df"
}

Step 7: Collect Azure AD Information for Strategy

You need the following information:

  • <CLIENT_ID> and <CLIENT_SECRET> noted in Step 2 when creating the OAuth client.

  • <TENANT_ID> from the Overview page of the OAuth Client App from the Azure Portal.

  • Find the value of Scopes in the OAuth Resource App's Expose an API page in the Azure Portal and click Copy to clipboard.

    The <SCOPE> values should be in the following formats:

    • <SNOWFLAKE_APPLICATION_ID_URI>/session:role:<role_name>

    • <SNOWFLAKE_APPLICATION_ID_URI>/session:role-any

  • Download the manifest file from the Snowflake OAuth client app in the Azure portal. In the left navigation, click Manifest under Manage and click Download.

Configure OAuth Parameters with Okta

Authorization Code Workflow Setup

Step 1: Create an Okta Application

  1. Log in to Okta.

  2. In the Navigation pane, under Applications, click Applications.

  3. Click Create App Integration.

  4. Choose the OIDC - OpenID Connect sign-in method and the Native Application application type.

  5. Click Next.

  6. Type a name for the integration and choose the Refresh Token and Token Exchange grant types.

  7. Add your sign-in redirect URIs.

  8. Under Controlled access, choose Allow everyone in your organization to access.

  9. Click Save.

Step 2: Edit the OpenID Connect ID Token

  1. Go to Sign On in your newly created application.

  2. In OpenID Connect ID Token, click Edit.

  3. In the Issuer drop-down list, choose your Okta URL.

  4. Click Save.

Step 3: Grant API Scopes

  1. Go to Okta API Scopes in your newly created application.

  2. Click Grant next to the following scopes:

    • okta.apps.read

    • okta.groups.read

    • okta.user.read

Step 4: Create an API (Authentication Server)

  1. In the Navigation pane, under Security, click API.

  2. Click Add Authorization Server.

  3. Type a Name and Audience. For example, the Audience can be a Snowflake account URL.

  4. Click Save.

Step 5: Update the API Issuer

  1. Go to Settings in your newly created API.

  2. Click Edit.

  3. In the Issuer drop-down list, choose your Okta URL.

  4. Click Save.

Step 6: Add a session:role-any Scope

  1. Go to Scopes in your newly created API.

  2. Click Add Scope.

  3. In Name, Display phrase, and Descriptions, type session:role-any.

  4. Click Create.

Step 7: Create an Access Policy and Rule

  1. Go to Access Policies in your newly created API.

  2. Click Add Policy.

  3. Type a name and description. Optionally edit Assign to.

  4. Click Create Policy.

  5. Click Add rule.

  6. Type your preferred rule options and ensure Authorization Code and Token Exchange are selected.

  7. Click Create rule.

Step 8: Enable the Okta Integration in Snowflake

  1. Open the Authentication server page and locate the <AUDIENCE> value and Metadata Document URL (for example, https://dev-XXXXXXXX.okta.com/oauth2/XXXXXXXXXXXXXXXXX/.well-known/oauth-authorization-server).

  2. Open the Authentication server Metadata Document and locate the issuer and jwks_uri values.

  3. Run the following SQL query in Snowflake:

    CREATE OR REPLACE SECURITY INTEGRATION external_oauth_demo
        type = external_oauth
        enabled = true
        external_oauth_type = 'okta'
        external_oauth_any_role_mode = 'ENABLE'
        external_oauth_issuer = '<ISSUER>'
        external_oauth_jws_keys_url = '<JWKS_URI>'
        external_oauth_audience_list = ('<AUDIENCE>')
        external_oauth_token_user_mapping_claim = 'sub'
        external_oauth_snowflake_user_mapping_attribute = 'login_name';

    Replace <ISSUER> with the issuer value and <JWKS_URI> with the jwks_uri value you located in the Metadata page.

Step 9: Create/Alter a User for Snowflake OAuth Login

Create a user for the OAuth login to Snowflake such as:

CREATE USER Taylor PASSWORD = 'password'
    LOGIN_NAME = 'taylor@microstrategy.com' DISPLAY_NAME = 'Taylor' FIRST_NAME = 'Taylor' LAST_NAME = 'Taylor'
    EMAIL = 'taylor@microstrategy.com'
    DEFAULT_ROLE = "PUBLIC" DEFAULT_WAREHOUSE = 'TEST_WH' DEFAULT_NAMESPACE = 'TEST' MUST_CHANGE_PASSWORD = FALSE;

LOGIN_NAME must match the Okta sub for user authentication.

Step 10: Collect Okta Information for Strategy

Note the following Okta information to use in Strategy:

  • Authentication Server Metadata URI from Step 8.

  • <CLIENT_ID> from Step 1.

  • <OAUTH_URL> is the authorization_endpoint value in the Authentication Server Metadata Document.

  • <TOKEN_URL> is the token_endpoint value in the Authentication Server Metadata Document.

  • <ISSUER> is the issuer value in the Authentication Server Metadata Document.

  • <SCOPE> should be in a format similar to the following: offline_access openid email profile session:role-any

Client Credential Workflow Setup

Step 1: Create an Okta Application

  1. Log in to Okta.

  2. In the Navigation pane, under Applications, click Applications.

  3. Click Create App Integration.

  4. Choose the API Services sign-in method and click Next.

  5. Type a name for the application integration and click Save.

  6. Note the Client ID and Client Secret. These values are used as <OKTA_OAUTH_CLIENT_ID> and <OKTA_OAUTH_CLIENT_SECRET>.

  7. Click Edit in General Settings.

  8. Clear Proof of possession and leave Token Exchange unselected.

Step 2: Create an API (Authentication Server), Update API Issuer, and Add a Scope

  1. In the Navigation pane, under Security, click API.

  2. Click Add Authorization Server.

  3. Type a Name and Audience. For example, the Audience can be a Snowflake account URL.

  4. Click Save.

  5. Go to Settings in your newly created API.

  6. Click Edit.

  7. In the Issuer drop-down list, choose your Okta URL.

  8. Click Save.

  9. Go to Scopes in your newly created API.

  10. Click Add Scope.

  11. In Name, Display phrase, and Descriptions, type session:role-any.

  12. Click Create.

Step 3: Create an Access Policy and Rule

  1. Go to Access Policies in your newly created API.

  2. Click Add Policy.

  3. Type a name and description. In Assign to, enter the previously created application.

  4. Click Create Policy.

  5. Click Add rule.

  6. Type a name for the rule.

  7. Ensure Client Credentials is the only Grant type selected. The other options must be cleared.

  8. In Scope requested, select The following scopes.

  9. Type the scopes you defined in Step 2: Create an API (Authentication Server), Update API Issuer, and Add a Scope and select them from the list.

  10. Click Create Rule.

Step 4: Collect Okta Information for Snowflake and Strategy

  1. Open the Authentication server page and note the <AUDIENCE> value.

  2. Open the Metadata Document URL (for example, https://dev-XXXXXXXX.okta.com/oauth2/XXXXXXXXXXXXXXXXX/.well-known/oauth-authorization-server) and note the issuer, authorization_endpoint, token_endpoint, and jwks_uri values.

  3. Go to Token Preview.

  4. Select your OAuth Client, Grant Type, and Scopes to generate a preview of a decoded JWT token.

  5. Ensure the scp claim matches your scopes and note the sub value. The sub value is used as the login_name of the Snowflake user that the client authenticates as.
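Before running SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN, it helps to check offline that a decoded token carries the claims the security integration expects (issuer, audience, the user-mapping claim, and a session:role scope). The following Python is an added example, not Strategy's or Snowflake's own code: it models the checks implied by the CREATE SECURITY INTEGRATION parameters for both the Azure client credential token from Step 5 above and the Okta Token Preview in this step, using constructed tokens and placeholder values; it does not verify the signature, which Snowflake does against the JWKS URL.

```python
import base64
import json

def decode_jwt_claims(token):
    """Return a JWT's payload claims. No signature check: Snowflake does that
    against external_oauth_jws_keys_url when the token is presented."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token_claims(token, integration):
    """Pre-flight the claims the security integration evaluates; the
    integration dict mirrors the CREATE SECURITY INTEGRATION parameters."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    # Azure app roles (client credential) arrive in "roles"; Okta grants arrive
    # in "scp" as a list; Azure delegated scopes arrive in "scp" as one string.
    scp = claims.get("scp", [])
    roles = claims.get("roles", []) + (scp.split() if isinstance(scp, str) else scp)
    # This check tries the mapping claims in the order listed; first present wins.
    login_name = next((claims[c] for c in integration["mapping_claims"] if c in claims), None)
    # session:role-any only satisfies the role check when any_role_mode is ENABLE.
    role_ok = any(r.startswith("session:role:") for r in roles) or (
        integration["any_role_mode"] == "ENABLE" and "session:role-any" in roles)
    return {"issuer_ok": claims.get("iss") == integration["issuer"],
            "audience_ok": any(a in integration["audience_list"] for a in aud),
            "login_name": login_name, "role_ok": role_ok}

def make_unsigned_jwt(claims):
    """Build a constructed test token (header.payload.dummy-signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"

# Constructed samples: <TENANT_ID>, the Application ID URI, the Okta URL and
# the Okta client id are placeholders for the values collected in the steps above.
AZURE_ISSUER = "https://sts.windows.net/<TENANT_ID>/"
AZURE_INTEGRATION = {"issuer": AZURE_ISSUER, "audience_list": ["<SNOWFLAKE_APPLICATION_ID_URI>"],
                     "mapping_claims": ["upn", "sub"], "any_role_mode": "DISABLE"}
AZURE_CC_TOKEN = make_unsigned_jwt({"iss": AZURE_ISSUER, "aud": "<SNOWFLAKE_APPLICATION_ID_URI>",
                                    "sub": "3d63d2ef-abb5-4029-bea5-c72c0652895d",
                                    "roles": ["session:role:ANALYST"]})
OKTA_ISSUER = "https://dev-XXXXXXXX.okta.com/oauth2/XXXXXXXXXXXXXXXXX"
OKTA_INTEGRATION = {"issuer": OKTA_ISSUER, "audience_list": ["<AUDIENCE>"],
                    "mapping_claims": ["sub"], "any_role_mode": "ENABLE"}
OKTA_CC_TOKEN = make_unsigned_jwt({"iss": OKTA_ISSUER, "aud": "<AUDIENCE>",
                                   "sub": "0oaCONSTRUCTEDCLIENTID", "scp": ["session:role-any"]})
```

A real token from the cURL response or the Okta Token Preview can be passed to check_token_claims in place of the constructed ones; a False in any field points at the integration parameter to fix before the Snowflake-side validation.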

Step 5: Collect Okta Information for Strategy

Ensure you noted the following Okta information to use in Strategy:

  • OKTA_OAUTH_CLIENT_ID

  • OKTA_OAUTH_CLIENT_SECRET

  • OKTA_ISSUER

  • Metadata URI

  • JWKS_URI

  • sub

  • AUTHORIZATION_ENDPOINT

  • TOKEN_ENDPOINT

Step 6: Create the Integration and User in Snowflake

  1. Create the security integration by running the following SQL query in Snowflake:

    CREATE OR REPLACE SECURITY INTEGRATION external_oauth_demo
        type = external_oauth
        enabled = true
        external_oauth_type = 'okta'
        external_oauth_any_role_mode = 'ENABLE'
        external_oauth_issuer = '<ISSUER>'
        external_oauth_jws_keys_url = '<JWKS_URI>'
        external_oauth_audience_list = ('<AUDIENCE>')
        external_oauth_token_user_mapping_claim = 'sub'
        external_oauth_snowflake_user_mapping_attribute = 'login_name';

  2. Create the Snowflake programmatic user by running the following SQL query in Snowflake:

    CREATE USER SNOW_CC_OKTA LOGIN_NAME = '<sub>'
    DISPLAY_NAME = 'OAuth User for client credential on okta'
    COMMENT = 'A system user for client to be used for OAuth based connectivity';