
Enable Snowflake OAuth with PingFederate

Atlan supports Snowflake External OAuth with PingFederate as the identity provider. Once configured, queries you run in Insights authenticate with each user's PingFederate-issued JWT, and Snowflake runs the query as the mapped Snowflake user with that user's roles and audit identity.

For Okta as the identity provider instead, see Enable Snowflake OAuth.

Prerequisites

Before you begin, make sure you have:

  • A Snowflake connection in Atlan
  • Connection admin role in Atlan
  • ACCOUNTADMIN role in Snowflake (or a role with global CREATE INTEGRATION privilege)
  • Administrator access to your PingFederate instance
  • Egress IP for your Atlan tenant (provided by your Atlan support contact) for allowlisting in PingFederate

What you configure

You complete three setups. All three must be in place before queries succeed.

| Step | System | Owner | Outcome |
|---|---|---|---|
| 1 | Snowflake | Snowflake account administrator | A security integration that trusts JWTs from your PingFederate instance |
| 2 | PingFederate | PingFederate administrator | An OAuth client and JWT access token manager that issue tokens Snowflake accepts |
| 3 | Atlan | Atlan connection admin | Snowflake connection's SSO settings populated with values from Steps 1 and 2 |

Step 1: Create security integration in Snowflake

Who can do this?

You need the ACCOUNTADMIN role in Snowflake, or a role with global CREATE INTEGRATION privilege.

In a Snowflake SQL worksheet, run the following. Replace <YOUR_PF_ISSUER>, <YOUR_PF_JWKS_URL>, and <YOUR_AUDIENCE> with the values from Step 2.

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE SECURITY INTEGRATION ATLAN_PINGFEDERATE_SSO
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = PING_FEDERATE
EXTERNAL_OAUTH_ISSUER = '<YOUR_PF_ISSUER>'
EXTERNAL_OAUTH_JWS_KEYS_URL = '<YOUR_PF_JWKS_URL>'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('<YOUR_AUDIENCE>')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = ('sub')
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'
COMMENT = 'PingFederate-issued JWTs for Atlan Insights.';

What each parameter does:

| Parameter | Description |
|---|---|
| EXTERNAL_OAUTH_ISSUER | The iss claim PingFederate puts in the JWT. Matches the issuer field from PingFederate's OIDC discovery document. |
| EXTERNAL_OAUTH_JWS_KEYS_URL | JWKS endpoint Snowflake uses to fetch PingFederate's signing keys. |
| EXTERNAL_OAUTH_AUDIENCE_LIST | The aud claim PingFederate puts in the JWT. |
| EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM | Which JWT claim contains the user identity. sub is the default. |
| EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE | Which Snowflake user attribute to match. Use LOGIN_NAME by default, or EMAIL_ADDRESS if your Snowflake login names aren't email addresses. |
| EXTERNAL_OAUTH_ANY_ROLE_MODE | ENABLE lets the user choose any granted role at session start. |

Reusing an existing integration

If you already have an EXTERNAL_OAUTH security integration for another PingFederate-backed application, extend it instead of creating a new one. Add the Atlan audience to the existing list:

ALTER SECURITY INTEGRATION <existing_integration_name>
SET EXTERNAL_OAUTH_AUDIENCE_LIST = ('<existing_audience>', '<new_atlan_audience>');

Create matching Snowflake users

Each Atlan user that queries through Insights needs a Snowflake user whose LOGIN_NAME (or EMAIL_ADDRESS) equals the value PingFederate puts in the JWT mapping claim:

USE ROLE ACCOUNTADMIN;

CREATE USER "JANE_DOE"
LOGIN_NAME = '[email protected]'
DISPLAY_NAME = 'Jane Doe'
DEFAULT_ROLE = '<YOUR_ANALYST_ROLE>'
DEFAULT_WAREHOUSE = '<YOUR_WAREHOUSE>'
COMMENT = 'Atlan Insights user via PingFederate SSO';

GRANT ROLE <YOUR_ANALYST_ROLE> TO USER "JANE_DOE";

Step 2: Configure PingFederate

Who can do this?

You need administrator access to your PingFederate instance.

Create access token manager

Navigate to Applications → OAuth → Access Token Management → Create.

| Field | Value |
|---|---|
| Instance Name | Atlan Snowflake JWT |
| Type | JSON Web Token |
| Issuer Claim Value | The value used for EXTERNAL_OAUTH_ISSUER in Step 1 |
| Audience Claim Value | The value used for EXTERNAL_OAUTH_AUDIENCE_LIST in Step 1 |
| JWS Algorithm | RS256 |
| Active Signing Certificate | A certificate published at /pf/JWKS |
| Token Lifetime (minutes) | 60 |

For Attribute Contract, add sub and populate it dynamically per user from your identity store, typically the user's email or username. Don't hardcode the value—every user must receive a JWT with their own identity.

Define OAuth scope

Navigate to Applications → OAuth → Authorization Server Settings → Exclusive Scopes and add session:role-any.

session:role-any is a Snowflake convention. PingFederate must accept and pass it through.

Create OAuth client

Navigate to Applications → OAuth → Clients → Create New Client.

| Field | Value |
|---|---|
| Client ID | atlan-snowflake |
| Name | Atlan Snowflake |
| Client Authentication | CLIENT SECRET |
| Client Secret | Generate automatically. Save securely; you share this with Atlan in Step 3. |
| Restrict to Default Access Token Manager | Checked. Select Atlan Snowflake JWT, the access token manager you created in the previous section. |
| Allowed Grant Types | Authorization Code, Refresh Token |
| Redirect URIs | <your-atlan-tenant>/api/service/oauth (for example, https://example.atlan.com/api/service/oauth). Must include the path /api/service/oauth. Wildcards aren't honored. |
| Allowed Scopes | session:role-any |

Allow Atlan to reach PingFederate

Atlan's backend makes server-to-server calls to PingFederate's token endpoint. If PingFederate is behind a firewall, WAF, or IP allowlist, add your Atlan tenant egress IP to the allowlist for these paths:

  • /.well-known/openid-configuration
  • /as/authorization.oauth2
  • /as/token.oauth2
  • /pf/JWKS

Your Atlan support contact provides the tenant egress IP.

Step 3: Configure Snowflake connection in Atlan

Who can do this?

You need connection admin role on the Snowflake connection.

  1. From the left menu of any screen, click Assets.

  2. From the Assets page, click the Connector filter, and from the dropdown, click Snowflake.

  3. From the pills below the search bar, click Connection.

  4. From the list of results, select the Snowflake connection you want to configure.

  5. From the sidebar on the right, next to Connection settings, click Edit.

  6. In the Connection settings dialog, open the SSO tab and enter the following values from Step 2:

     | Field | Value |
     |---|---|
     | Client ID | The Client ID of the PingFederate OAuth client |
     | Client Secret | The Client Secret of the PingFederate OAuth client |
     | Metadata URI | https://<your-pf-host>/.well-known/openid-configuration |
     | Scope | session:role-any |
     | Audience URI | Audience Claim Value from PingFederate access token manager |

  7. At the bottom right of the dialog, click Update.

Verify integration

After all three setups are in place, validate end-to-end:

  1. Open an Insights worksheet on the configured Snowflake connection.
  2. Run any query. Atlan opens a Login with Snowflake (PingFederate) modal.
  3. Click the login button. A new browser tab opens to your PingFederate authorization endpoint.
  4. Sign in with your usual SSO credentials. The tab closes and the modal flips to Login successful.
  5. Once login is successful, run your queries inside Atlan. Queries authenticate as the PingFederate-authenticated user, not as a shared service account.
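When the login succeeds in PingFederate but the query still fails in Snowflake, the cause is almost always a claim that does not match the security integration from Step 1. As an added example that is not part of Atlan's documentation or of Snowflake's or PingFederate's tooling, the following Python script performs those claim-level checks offline: it compares a PingFederate discovery document against the integration's issuer and JWKS URL, then compares a JWT's header and claims (alg, kid, iss, aud, exp, and the sub mapping claim) against the integration values and the LOGIN_NAME values of the Snowflake users you created. Every host name, key ID, login name and token in it is a constructed placeholder, and the case-insensitive LOGIN_NAME comparison is an assumption. The script does not verify the RS256 signature; Snowflake does that against EXTERNAL_OAUTH_JWS_KEYS_URL.

```python
import base64
import json
import time

# Integration values from Step 1. Constructed placeholders, not real hosts or tenants.
INTEGRATION = {
    "EXTERNAL_OAUTH_ISSUER": "https://pf.example.com",
    "EXTERNAL_OAUTH_JWS_KEYS_URL": "https://pf.example.com/pf/JWKS",
    "EXTERNAL_OAUTH_AUDIENCE_LIST": ["atlan-snowflake"],
    "EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM": "sub",
}

# Constructed subset of a PingFederate /.well-known/openid-configuration response.
DISCOVERY = {
    "issuer": "https://pf.example.com",
    "authorization_endpoint": "https://pf.example.com/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.com/as/token.oauth2",
    "jwks_uri": "https://pf.example.com/pf/JWKS",
}

# Constructed JWKS: the key material is a dummy, only the key IDs are compared.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "pf-signing-01", "n": "AQAB", "e": "AQAB"}]}

# LOGIN_NAME values of the Snowflake users created in Step 1 (constructed).
SNOWFLAKE_LOGIN_NAMES = {"jane.doe@example.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def make_test_token(claims: dict, kid: str) -> str:
    """Build a token with a placeholder signature, only to exercise the checks offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def check_discovery(discovery: dict, integration: dict) -> list:
    """The discovery document must agree with what the Snowflake integration was told."""
    problems = []
    if discovery.get("issuer") != integration["EXTERNAL_OAUTH_ISSUER"]:
        problems.append(f"issuer: {discovery.get('issuer')!r} != EXTERNAL_OAUTH_ISSUER")
    if discovery.get("jwks_uri") != integration["EXTERNAL_OAUTH_JWS_KEYS_URL"]:
        problems.append(f"jwks_uri: {discovery.get('jwks_uri')!r} != EXTERNAL_OAUTH_JWS_KEYS_URL")
    return problems


def check_token(token: str, integration: dict, jwks: dict, login_names, now=None) -> list:
    """Return the mismatches between a token and the integration; an empty list means OK."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg: token signed with {header.get('alg')!r}, expected RS256")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"kid: {header.get('kid')!r} is not published in the JWKS")
    if claims.get("iss") != integration["EXTERNAL_OAUTH_ISSUER"]:
        problems.append(f"iss: {claims.get('iss')!r} != EXTERNAL_OAUTH_ISSUER")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(integration["EXTERNAL_OAUTH_AUDIENCE_LIST"]):
        problems.append(f"aud: {aud} has no value in EXTERNAL_OAUTH_AUDIENCE_LIST")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp: token is expired or has no expiry")
    mapping_claim = integration["EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM"]
    subject = claims.get(mapping_claim)
    if not subject:
        problems.append(f"{mapping_claim}: mapping claim missing; the attribute contract must populate it")
    # Assumed: Snowflake matches LOGIN_NAME case-insensitively, so compare folded values.
    elif subject.casefold() not in {n.casefold() for n in login_names}:
        problems.append(f"{mapping_claim}: {subject!r} matches no Snowflake LOGIN_NAME")
    return problems


if __name__ == "__main__":
    token = make_test_token({"iss": "https://pf.example.com", "aud": "atlan-snowflake",
                             "sub": "jane.doe@example.com", "exp": 2_000_000_000}, "pf-signing-01")
    for p in check_discovery(DISCOVERY, INTEGRATION) + check_token(
            token, INTEGRATION, JWKS, SNOWFLAKE_LOGIN_NAMES):
        print("MISMATCH", p)
```

To use it against a real deployment, replace the constructed constants with your integration values, the JSON from your discovery and /pf/JWKS endpoints, and the LOGIN_NAME values of your Snowflake users, then pass a JWT issued by the atlan-snowflake client to check_token. Each returned entry names the claim or header field to fix on the PingFederate or Snowflake side before retrying in Insights.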

Troubleshooting

For specific errors and fixes, see Troubleshooting PingFederate OAuth.

See also