# Integrating Snowflake with Okta via OAuth

This guide will walk you through the steps to integrate Okta with Tellius for Snowflake.

### **1. Navigating to the Okta Admin Page**

Start by navigating to your Okta Admin page.

### **2. Creating a New Application**

* Navigate to **Applications** from the main menu.
* Select **Applications** from the dropdown and click on **Create App Integration**.

<figure><img src="/files/TqNvLWlkjUhfSxSO6VBq" alt="" width="563"><figcaption><p>Creating a new application</p></figcaption></figure>

### **3. Configuring Application Settings**

* From the available options, choose **OIDC - OpenID Connect** --> **Web Application**.
* In the **Grant type** options, select all the available checkboxes and specify the necessary redirect URL(s). More than one URL can be specified.

<figure><img src="/files/RzoxgAp87dq2psCI45rK" alt="" width="563"><figcaption><p>Configuring application settings</p></figcaption></figure>

### **4. Assignments and Saving**

* Under **Assignments**, select the **Allow everyone in your organization to access** option.
* Click on **Save**.

<figure><img src="/files/BxdAnZpugv085pzhUNuS" alt="" width="563"><figcaption><p>Assignments</p></figcaption></figure>

### **5. Getting Client ID and Secret**

* After saving, open the application you just created.
* Note down the **Client ID** and **Client Secret** for future reference.

### **6. Setting Up Security API**

* Navigate to **Security** from the main menu.
* Select **API -> default**.

<figure><img src="/files/xHalNCB62ccLrByhqfai" alt="" width="563"><figcaption><p>Security API</p></figcaption></figure>

* Click on **Metadata URI**. A new window will pop up.

<figure><img src="/files/uPMXK9hC9hnBwABNTmn9" alt="" width="563"><figcaption><p>Metadata URI</p></figcaption></figure>

* Note down the following details from the output and close the window:
  * issuer
  * authorization\_endpoint
  * token\_endpoint
  * jwks\_uri

### **7. Configuring Scopes and Claims**

* Go to the **Scopes** tab and create a new scope named *session:role-any*.
* Click on **Implicit** for **User consent**.
* Under **Metadata**, select the **Include in public metadata** option.

<figure><img src="/files/bWtrmmv6PtAZTEUxKP8A" alt="" width="563"><figcaption><p>Editing scope</p></figcaption></figure>

* Navigate to **Claims** and add a new claim called *tellius\_email*.

<figure><img src="/files/e3l06tKBcqAe0b9v4WBv" alt="" width="563"><figcaption><p>Editing claims</p></figcaption></figure>

### **8. Updating User Settings**

* Open a new browser tab and access the **User Settings**.
* Update the secondary email to *<snowflake.serviceaccount@tellius.com>*.
* Return to the previous browser tab and navigate to **Token Preview**. Validate the token to ensure it contains the *tellius\_email* value set as the secondary email.

<figure><img src="/files/sPiJ4viZ8nu7XxIJAkN7" alt="" width="563"><figcaption><p>Updating user settings</p></figcaption></figure>

### **9. Configuring Snowflake Console**

Switch to your Snowflake console and execute the following commands:

```sql
create security integration external_oauth_okta
    type = external_oauth
    enabled = true
    external_oauth_type = okta
    external_oauth_any_role_mode = 'ENABLE'
    external_oauth_issuer = '<OAUTH_ISSUER>'
    external_oauth_jws_keys_url = '<KEYS_URI>'
    external_oauth_audience_list = ('api://default')
    external_oauth_token_user_mapping_claim = 'tellius_email'
    external_oauth_snowflake_user_mapping_attribute = 'EMAIL_ADDRESS';
```

Replace *\<OAUTH\_ISSUER>* and *\<KEYS\_URI>* with the *issuer* and *jwks\_uri* values you noted down in step 6.
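The Token Preview check from step 8 can be repeated offline against the parameters of the security integration above. The following is an added example, not part of the Tellius documentation: the issuer URL, the sample token and the function names are constructed for illustration, and the check reads the scope from Okta's `scp` claim.

```python
import base64
import json

# Mirrors the security integration above; the issuer is a constructed placeholder.
EXPECTED = {
    "issuer": "https://example.okta.com/oauth2/default",
    "audiences": {"api://default"},
    "user_claim": "tellius_email",
    "scope": "session:role-any",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(claims: dict, expected: dict = EXPECTED) -> list:
    """Return a list of mismatches; an empty list means the claims line up."""
    problems = []
    if claims.get("iss") != expected["issuer"]:
        problems.append("iss does not match external_oauth_issuer")
    aud = claims.get("aud")
    aud = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud & expected["audiences"]:
        problems.append("aud not in external_oauth_audience_list")
    if not claims.get(expected["user_claim"]):
        problems.append("missing " + expected["user_claim"] + " claim")
    scp = claims.get("scp", [])
    scp = scp.split() if isinstance(scp, str) else scp
    if expected["scope"] not in scp:
        problems.append("scp lacks " + expected["scope"])
    return problems

# Constructed sample token (unsigned; the signature segment is a dummy value).
SAMPLE_CLAIMS = {
    "iss": EXPECTED["issuer"], "aud": "api://default",
    "scp": ["offline_access", "session:role-any"],
    "tellius_email": "snowflake.serviceaccount@tellius.com",
}
SAMPLE_TOKEN = ".".join(
    b64url(json.dumps(p).encode()) for p in ({"alg": "RS256"}, SAMPLE_CLAIMS)
) + ".sig"
if __name__ == "__main__":
    print(check_claims(decode_payload(SAMPLE_TOKEN)) or "claims match the integration")
```

This only inspects claims; Snowflake itself validates the token signature against the keys at `external_oauth_jws_keys_url` when the token is presented.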

### **10. Connecting to Tellius**

1. With the above configurations completed, you're all set to connect to Tellius.
2. In Tellius, navigate to **Data --> Connect --> Create new --> Snowflake --> OAuth**.
3. Select **Okta** as the **Authorization type** from the dropdown.
4. For the remaining fields, enter the details as follows:

<figure><img src="/files/XqzHvYXl1gQkzGjcyyB2" alt="" width="563"><figcaption><p>Configuring Snowflake in Tellius</p></figcaption></figure>

* **Snowflake URL:** telliuspartner.snowflakecomputing.com
* **User:** TELLIUS\_PROD\_TESTING
* **Client ID:** (Use the Client ID from [this section](https://help.tellius.com/article/bf7ue9t02b-integrating-snowflake-with-okta-via-oauth#5_getting_client_id_and_secret))
* **Client Secret:** (Use the Client Secret from [this section](https://help.tellius.com/article/bf7ue9t02b-integrating-snowflake-with-okta-via-oauth#5_getting_client_id_and_secret))
* **Authorization URL:** (Use the authorization\_endpoint from [this section](https://help.tellius.com/article/bf7ue9t02b-integrating-snowflake-with-okta-via-oauth#6_setting_up_security_api))
* **Access Token URL:** (Use the token\_endpoint from [this section](https://help.tellius.com/article/bf7ue9t02b-integrating-snowflake-with-okta-via-oauth#6_setting_up_security_api))
* **Scope:** offline\_access session:role-any

