Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support Browser-based SSO in Snowflake connector

See original GitHub issue

It would be great to support Browser-based SSO to connect to Snowflake.

When federated authentication is enabled for an account, Snowflake does not recommend maintaining user passwords in Snowflake so using SSO is the only way to connect and authenticate with a Snowflake client.

Currently, if I try to connect with an external authenticator, I get the following error:

data-diff \
    "snowflake://<user>@<account>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator='externalbrowser'" \
    <table> \
    "snowflake://<user>@<account>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator='externalbrowser'" \
    <table>

snowflake.connector.errors.ProgrammingError: 251006: Password is empty

In other tools like dbt, this feature is supported by providing the authenticator option: https://docs.getdbt.com/reference/warehouse-profiles/snowflake-profile#sso-authentication

Issue Analytics

State:
Created a year ago
Comments:7 (3 by maintainers)

Top GitHub Comments

2reactions

franlozacommented, Jun 29, 2022

@sirupsen I don’t think it’s necessary to open a PR, the current implementation supports the use of an external browser to authenticate. The problem was that my connection string was wrong 🤦

I was using the following URI:

"snowflake://<user>@<account>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator='externalbrowser'"

I used quotes to pass externalbrowser parameter because I followed the Snowflake documentation for the Python client:

Client	Instructions
Python	Pass authenticator=‘externalbrowser’ to the snowflake.connector.connect() function.

However, the correct instructions are the one for JDBC client:

Client	Instructions
JDBC	Set authenticator=externalbrowser in the connection string for the driver.

With the following URI, the connection works:

"snowflake://<user>@<account>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator=externalbrowser"

Is there any place where do you think this should be documented or should I close the issue?

1reaction

sirupsencommented, Jun 29, 2022

@franloza yayy! On your PR, can you provide instructions on how (on an existing Snowflake cluster) to enable SSO so we can test it? ❤️

Top Results From Across the Web

Managing/Using Federated Authentication

With browser-based SSO, the Snowflake-provided client (for example, the Snowflake JDBC driver) needs to be able to open the user's web browser. For...

Federated Authentication & SSO - Snowflake Documentation

Federated authentication enables your users to connect to Snowflake using secure SSO (single sign-on). With SSO enabled, your users authenticate through an ...

External browser SSO from connector fails on redirect back to ...

Snowflake drivers using "externalbrowser" authentication must be able to redirect the browser back to "localhost:". Sometimes HSTS settings can ...

Configuring Snowflake to Use Federated Authentication

Overview of Federated Authentication and SSO ... Step 4: Enable Snowflake-initiated SSO ... Copy the value in the Federation Service identifier field.

Headless SSO authentication through Python (snowflake ...

We would like to use SSO as primary authentication method, however in a lot of cases there is no browser (or display) available...