Troubleshooting connector-specific SSO authentication

Atlan currently supports the following connectors for SSO authentication to query data and preview sample data:

General

How will SSO authentication interact with any data policies in Atlan?

When you use SSO authentication, Atlan supports data policies mandated at source. Explicit restrictions will take precedence, unless otherwise configured.

Let's examine two scenarios using the example of a masking policy:

  • If you have a data policy in Atlan to mask sensitive data and are also using SSO authentication with no masking policy at source, the data will be masked in Atlan. However, if you toggled on "Enable data policies created at source to apply for querying in Atlan" while configuring SSO authentication in Atlan, only source policies take effect. Because the source has no masking policy, the data will not be masked in Atlan.
  • If you do not have any data policy in Atlan but are using SSO authentication with a masking policy at source for sensitive data, the data will be masked in Atlan.

Snowflake

Why am I getting an incorrect username or password error message?

If you receive the following error message:

Cannot create PoolableConnectionFactory (Incorrect username or password was specified.)

The security integration in Snowflake maps Atlan email addresses to Snowflake login names. First, check if a user with an Atlan email address exists in Snowflake.

If a user exists and the Snowflake login name is not an email address, your Snowflake administrator will have to manually update the user mapping in the security integration to use email addresses instead. To do so, set the following parameter on the security integration in Snowflake:

EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS'

Refer to Snowflake documentation.

Why am I getting a role error message?

If you receive the following error message:

Cannot create PoolableConnectionFactory (Role <'ACCOUNTADMIN'/'ORGADMIN'/'SECURITYADMIN'> specified in the connect string is not granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC)

By default, Snowflake blocks the ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN roles from being assumed in the security integration. Therefore, a user with any of these Snowflake roles will not be able to run queries with Snowflake OAuth-based authentication.

To allow users with the ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN role to query with Snowflake OAuth-based authentication, you will need to run the following command in Snowflake to change the account-level setting that applies to the security integration:

ALTER ACCOUNT SET EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST = FALSE;

Refer to Snowflake documentation.
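
The checks from both Snowflake answers above as one diagnostic sequence for a Snowflake administrator. This is an added example, not taken from Atlan's or Snowflake's documentation; the integration name ATLAN_EXTERNAL_OAUTH, the user JANE_DOE and the address jane.doe@example.com are assumed placeholders.

```sql
-- Assumed placeholders (not from the article): integration ATLAN_EXTERNAL_OAUTH,
-- Snowflake user JANE_DOE, Atlan sign-in address jane.doe@example.com.

-- 1. "Incorrect username or password": is there a Snowflake user for the
--    Atlan email address, and does LOGIN_NAME or EMAIL hold that address?
--    (ACCOUNT_USAGE views can lag behind very recent user changes.)
SELECT name, login_name, email, disabled
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND (LOWER(email) = LOWER('jane.doe@example.com')
       OR LOWER(login_name) = LOWER('jane.doe@example.com'));

-- 2. Which user attribute does the integration map on? Read the
--    EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE row of the output.
DESCRIBE SECURITY INTEGRATION ATLAN_EXTERNAL_OAUTH;

-- 3. If step 1 shows the address only in EMAIL while step 2 shows a
--    LOGIN_NAME mapping, switch the integration to map on EMAIL.
ALTER SECURITY INTEGRATION ATLAN_EXTERNAL_OAUTH
  SET EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS';

-- 4. Role error: confirm whether ACCOUNTADMIN, ORGADMIN and SECURITYADMIN
--    are currently on the blocked list for the account.
SHOW PARAMETERS LIKE 'EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST' IN ACCOUNT;

-- 5. List the roles granted to the user. The error text itself points to
--    connecting with another role, so check which non-blocked roles exist.
SHOW GRANTS TO USER JANE_DOE;
```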
