
I've enabled SSO in Snowflake and can't connect to Power BI

I've got a bit of a weird one. Our Snowflake account is in AWS, we recently had to integrate Okta SSO in Snowflake, and we are using Power BI to visualize the data. I've integrated the SSO and it works well on the Snowflake Web UI. However, in Power BI, signing in doesn't work anymore.

[Image: enter image description here]

These are the steps I've done so far:

  1. I've got the certificate string and ssoUrl from the staff in charge of Okta and ran the scripts below:

         alter account set saml_identity_provider =
          '{ "certificate": "<CERT STRING>",
          "ssoUrl": "<SSO URL>",
          "type" : "OKTA",
          "label" : "<LABEL>"
           }';

         alter account set sso_login_page = true;

  2. I've added a user to the security group that was added to Okta and created that user in Snowflake. The test user was able to successfully sign in to the Web UI for Snowflake using the SSO integration.
  3. I've followed the documentation from Snowflake and compiled my query as follows:

         create or replace security integration powerbi
             type = external_oauth
             enabled = true
             external_oauth_type = azure
             external_oauth_issuer = 'https://sts.windows.net/<TENANT_ID>/'
             external_oauth_jws_keys_url = 'https://login.windows.net/common/discovery/keys'
             external_oauth_audience_list = ('https://analysis.windows.net/powerbi/connector/Snowflake')
             external_oauth_token_user_mapping_claim = 'upn'
             external_oauth_snowflake_user_mapping_attribute = 'login_name'
             external_oauth_any_role_mode = 'ENABLE';

However, I am still getting the above error ("We couldn't authenticate with the credentials provided. Please try again."), although it is redirecting me to the Okta page successfully.

I am not using a Network Policy or a Gateway so it should be able to sign in directly.

Can anyone help?

I have found the issue. It seems the external_oauth_issuer I was using was from the tenant in which we published our reports, which is not the same tenant in which we have our Azure accounts. I've changed that and now it seems to work.

The most probable reason for this issue would be either one of the following:

  1. The user being used from PBI does not have 'default_role' set to a value.

  2. If it is set to a value, then the role does not have the USAGE privilege on the WH which is being set from PBI.

Run the following to check this:

    show grants on warehouse <WAREHOUSE_NAME>;

For Power BI SSO, Snowflake validates the token, extracts the username from the token, maps it to the Snowflake user, and creates a Snowflake session for the Power BI service using the user's default role. Therefore, as suggested above, please ensure that the Power BI user used for SSO login has a default role set in Snowflake. See the article below for more details: https://community.snowflake.com/s/article/PowerBI-Service-displays-credentials-related-error-when-logging-in-or-publishing-report-from-PowerBI-Desktop
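
The answers above turn on how the claims in the Power BI access token line up with the security integration: the issuer (tenant), the audience, and the `upn` claim that is mapped to `login_name`. The Python sketch below is an added example, not part of the original posts or of Snowflake's code; it decodes a token's payload without verifying the signature and reports which of those three comparisons fails. The tenant GUIDs, the user name and the helper names are constructed for illustration.

```python
import base64
import json

# Settings mirrored from the integration on this page; the tenant GUID is constructed.
INTEGRATION = {
    "issuer": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "audiences": ["https://analysis.windows.net/powerbi/connector/Snowflake"],
    "user_claim": "upn",
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def diagnose(claims: dict, integration: dict, login_names: set) -> list:
    """Return the mismatches between token claims and the integration settings."""
    problems = []
    if claims.get("iss") != integration["issuer"]:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}")
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if not set(token_auds) & set(integration["audiences"]):
        problems.append(f"audience mismatch: token aud={aud!r}")
    user = claims.get(integration["user_claim"])
    if user is None:
        problems.append(f"claim {integration['user_claim']!r} missing from token")
    elif user.lower() not in {n.lower() for n in login_names}:  # login names are case-insensitive
        problems.append(f"no Snowflake login_name matches {user!r}")
    return problems

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (never a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed claims: the token was issued by a different tenant than the integration expects.
    token = make_sample_token({
        "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
        "aud": "https://analysis.windows.net/powerbi/connector/Snowflake",
        "upn": "test.user@example.com"})
    for problem in diagnose(decode_claims(token), INTEGRATION, {"TEST.USER@EXAMPLE.COM"}):
        print(problem)
```

This only compares claims and does not validate the signature; inside Snowflake, `select system$verify_external_oauth_token('<TOKEN>');` runs the token through the configured integration itself.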
