Set up external OAuth enteprise
This feature is currently only available for the Okta and Entra ID identity providers and Snowflake connections.
dbt Cloud Enterprise supports external OAuth authentication with external providers. When External OAuth is enabled, users can authorize their Development credentials using single sign-on (SSO) via the identity provider (IdP). This grants users authorization to access multiple applications, including dbt Cloud, without their credentials being shared with the service. Not only does this make the process of authenticating for development environments easier on the user, it provides an additional layer of security to your dbt Cloud account.
Getting started
The process of setting up external OAuth will require a little bit of back-and-forth between your dbt Cloud, IdP, and Snowflake accounts, and having them open in multiple browser tabs will help speed up the configuration process:
- dbt Cloud: You’ll primarily be working in the Account Settings —> Integrations page. You will need proper permission to set up the integration and create the connections.
- Snowflake: Open a worksheet in an account that has permissions to create a security integration.
- Okta: You’ll be working in multiple areas of the Okta account, but you can start in the Applications section. You will need permissions to create an application and an authorization server.
- Entra ID An admin with access to create Entra ID apps who is also a user in Snowflake is required.
If the admins that handle these products are all different people, it’s better to have them coordinating simultaneously to reduce friction.
Ensure that the username entered by the IdP admin matches the username in the Snowflake credentials. If the email address used in the dbt Cloud setup is different from the Snowflake username, the connection will fail or you may run into issues.
Snowflake commands
The following is a template for creating the OAuth configurations in the Snowflake environment:
create security integration your_integration_name
type = external_oauth
enabled = true
external_oauth_type = okta
external_oauth_issuer = ''
external_oauth_jws_keys_url = ''
external_oauth_audience_list = ('')
external_oauth_token_user_mapping_claim = 'sub'
external_oauth_snowflake_user_mapping_attribute = 'email_address'
external_oauth_any_role_mode = 'ENABLE'
The external_oauth_token_user_mapping_claim
and external_oauth_snowflake_user_mapping_attribute
can be modified based on the your organizations needs. These values point to the claim in the users’ token. In the example, Snowflake will look up the Snowflake user whose email
matches the value in the sub
claim.
Notes:
- The Snowflake default roles ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN, are blocked from external OAuth by default and they will likely fail to authenticate. See the Snowflake documentation for more information.
- The value for
external_oauth_snowflake_user_mapping_attribute
must map correctly to the Snowflake username. For example, ifemail_address
is used, the email in the token from the IdP must match the Snowflake username exactly.
Identity provider configuration
Select a supported identity provider (IdP) for instructions on configuring external OAuth in their environment and completing the integration in dbt Cloud:
Okta
1. Initialize the dbt Cloud settings
- In your dbt Cloud account, navigate to Account settings —> Integrations.
- Scroll down to Custom integrations and click Add integrations
- Leave this window open. You can set the Integration type to Okta and note the Redirect URI at the bottom of the page. Copy this to your clipboard for use in the next steps.
2. Create the Okta app
- Expand the Applications section from the Okta dashboard and click Applications. Click the Create app integration button.
- Select OIDC as the sign-in method and Web applications as the application type. Click Next.
- Give the application an appropriate name, something like “External OAuth app for dbt Cloud,” that will make it easily identifiable.
- In the Grant type section, enable the Refresh token option.
- Scroll down to the Sign-in redirect URIs option. You’ll need to paste the redirect URI you gathered from dbt Cloud in step 1.3.
- Save the app configuration. You’ll come back to it, but move on to the next steps for now.
3. Create the Okta API
- Expand the Security section and click API from the Okta sidebar menu.
- On the API screen, click Add authorization server. Give the authorization server a name (a nickname for your Snowflake account would be appropriate). For the Audience field, copy and paste your Snowflake login URL (for example, https://abdc-ef1234.snowflakecomputing.com). Give the server an appropriate description and click Save.
- On the authorization server config screen, open the Metadata URI in a new tab. You’ll need information from this screen in later steps.
- Click on the Scopes tab and Add scope. In the Name field, add
session:role-any
. (Optional) Configure Display phrase and Description and click Create.
- Open the Access policies tab and click Add policy. Give the policy a Name and Description and set Assign to as The following clients. Start typing the name of the app you created in step 2.3, and you’ll see it autofill. Select the app and click Create Policy.
- On the access policy screen, click Add rule.
- Give the rule a descriptive name and scroll down to token lifetimes. Configure the Access token lifetime is, Refresh token lifetime is, and but will expire if not used every settings according to your organizational policies. We recommend the defaults of 1 hour and 90 days. Stricter rules increase the odds of your users having to re-authenticate.
- Navigate back to the Settings tab and leave it open in your browser. You’ll need some of the information in later steps.
4. Create the OAuth settings in Snowflake
- Open up a Snowflake worksheet and copy/paste the following:
create security integration your_integration_name
type = external_oauth
enabled = true
external_oauth_type = okta
external_oauth_issuer = ''
external_oauth_jws_keys_url = ''
external_oauth_audience_list = ('')
external_oauth_token_user_mapping_claim = 'sub'
external_oauth_snowflake_user_mapping_attribute = 'email_address'
external_oauth_any_role_mode = 'ENABLE'
- Change
your_integration_name
to something appropriately descriptive. For example,dev_OktaAccountNumber_okta
. Copy theexternal_oauth_issuer
andexternal_oauth_jws_keys_url
from the metadata URI in step 3.3. Use the same Snowflake URL you entered in step 3.2 as theexternal_oauth_audience_list
.
Adjust the other settings as needed to meet your organization's configurations in Okta and Snowflake.
- Run the steps to create the integration in Snowflake.
Ensure that the username (for example, email address) entered in the IdP matches the Snowflake credentials for all users. Mismatched usernames will result in authentication failures.
5. Configuring the integration in dbt Cloud
-
Navigate back to the dbt Cloud Account settings —> Integrations page you were on at the beginning. It’s time to start filling out all of the fields.
Integration name
: Give the integration a descriptive name that includes identifying information about the Okta environment so future users won’t have to guess where it belongs.Client ID
andClient secrets
: Retrieve these from the Okta application page.
- Authorize URL and Token URL: Found in the metadata URI.
-
Save the configuration
6. Create a new connection in dbt Cloud
- Navigate the Account settings and click Connections from the menu. Click Add connection.
- Configure the
Account
,Database
, andWarehouse
as you normally would, and for theOAuth method
, select the external OAuth you just created.
- Scroll down to the External OAuth configurations box and select the config from the list.
- Save the connection, and you have now configured External OAuth with Okta and Snowflake!
Entra ID
1. Initialize the dbt Cloud settings
- In your dbt Cloud account, navigate to Account settings —> Integrations.
- Scroll down to Custom integrations and click Add integrations.
- Leave this window open. You can set the Integration type to Entra ID and note the Redirect URI at the bottom of the page. Copy this to your clipboard for use in the next steps.
2. Create the Entra ID apps
- You’ll create two apps in the Azure portal: A resource server and a client app.
- In your Azure portal, open the Entra ID and click App registrations from the left menu.
- The admin who creates the apps in the Microsoft Entra ID account must also be a user in Snowflake.
- The
value
field gathered in these steps is only displayed once. When created, record it immediately. - Ensure that the username (for example, email address) entered in the IdP matches the Snowflake credentials for all users. Mismatched usernames will result in authentication failures.
3. Create a resource server
- From the app registrations screen, click New registration.
- Give the app a name.
- Ensure Supported account types are set to “Accounts in this organizational directory only (
Org name
- Single Tenant).” - Click Registerto see the application’s overview.
- From the app overview page, click Expose an API from the left menu.
- Click Add next to Application ID URI. The field will automatically populate. Click Save.
- Record the
value
field for use in a future step. This is only displayed once. Be sure to record it immediately. Microsoft hides the field when you leave the page and come back. - From the same screen, click Add scope.
- Give the scope a name.
- Set “Who can consent?” to Admins and users.
- Set Admin consent display name session:role-any and give it a description.
- Ensure State is set to Enabled.
- Click Add scope.
4. Create a client app
- From the App registration page, click New registration.
- Give the app a name that uniquely identifies it as the client app.
- Ensure Supported account types are set to “Accounts in this organizational directory only (
Org name
- Single Tenant).” - Set the Redirect URI to Web and copy/paste the Redirect URI from dbt Cloud into the field.
- Click Register.
- From the app overview page, click API permissions from the left menu, and click Add permission.
- From the pop-out screen, click APIs my organization uses, search for the resource server name from the previous steps, and click it.
- Ensure the box for the Permissions
session:role-any
is enabled and click Add permissions. - Click Grant admin consent and from the popup modal click Yes.
- From the left menu, click Certificates and secrets and click New client secret. Name the secret, set an expiration, and click Add. Note: Microsoft does not allow “forever” as an expiration date. The maximum time is two years. Documenting the expiration date so you can refresh the secret before the expiration or user authorization fails is essential.
- Record the
value
for use in a future step and record it immediately. Note: Entra ID will not display this value again once you navigate away from this screen.
5. Snowflake configuration
You'll be switching between the Entra ID site and Snowflake. Keep your Entra ID account open for this process.
Copy and paste the following as a template in a Snowflake worksheet:
create or replace security integration <whatever you want to name it>
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<AZURE_AD_ISSUER>'
external_oauth_jws_keys_url = '<AZURE_AD_JWS_KEY_ENDPOINT>'
external_oauth_audience_list = ('<SNOWFLAKE_APPLICATION_ID_URI>')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_any_role_mode = 'ENABLE'
external_oauth_snowflake_user_mapping_attribute = 'login_name';
On the Entra ID site:
- From the Client ID
app in Entra ID, click Endpoints and open the Federation metadata document in a new tab.
- The entity ID on this page maps to the
external_oauth_issuer
field in the Snowflake config.
- The entity ID on this page maps to the
- Back on the list of endpoints, open the OpenID Connect metadata document in a new tab.
- The jwks_uri field maps to the
external_oauth_jws_keys_url
field in Snowflake.
- The jwks_uri field maps to the
- Navigate to the resource server in previous steps.
- The Application ID URI maps to the
external_oauth_audience_list
field in Snowflake.
- The Application ID URI maps to the
- Run the configurations. Be sure the admin who created the Microsoft apps is also a user in Snowflake, or the configuration will fail.
6. Configuring the integration in dbt Cloud
- Navigate back to the dbt Cloud Account settings —> Integrations page you were on at the beginning. It’s time to start filling out all of the fields. There will be some back-and-forth between the Entra ID account and dbt Cloud.
Integration name
: Give the integration a descriptive name that includes identifying information about the Entra ID environment so future users won’t have to guess where it belongs.Client secrets
: Found in the Client ID from the Certificates and secrets page.Value
is theClient secret
. Note that it only appears when created; Microsoft hides the secret if you return later, and you must recreate it.Client ID
: Copy the’ Application (client) ID’ on the overview page for the client ID app.Authorization URL
andToken URL
: From the client ID app, open theEndpoints
tab. These URLs map to theOAuth 2.0 authorization endpoint (v2)
andOAuth 2.0 token endpoint (v2)
fields. You must use v2 of theOAuth 2.0 authorization endpoint
. Do not use V1. You can use either version of theOAuth 2.0 token endpoint
.Application ID URI
: Copy theApplication ID URI
field from the resource server’s Overview screen.