SSO integration with PingFederate using OAuth
When PingFederate is the identity provider for Snowflake query authentication, the same parameter values flow across three systems. Use this reference to align them.
Looking for PingFederate SAML setup instead?
This reference covers PingFederate as an OAuth identity provider for querying Snowflake from Atlan Insights. For PingFederate as a SAML identity provider for logging into Atlan, see SSO integration with PingFederate using SAML.
OIDC endpoints
Atlan discovers PingFederate's endpoints automatically from the metadata URI you provide. You don't enter them separately.
| Endpoint | PingFederate path | Used by |
|---|---|---|
| Discovery | /.well-known/openid-configuration | Atlan |
| Authorization | /as/authorization.oauth2 | Atlan (browser redirect) |
| Token | /as/token.oauth2 | Atlan (server-to-server token exchange) |
| JWKS | /pf/JWKS | Snowflake (JWT signature verification) |
JWT claim mappings
PingFederate must issue a JWT whose claims satisfy these checks in Snowflake.
| JWT claim | Must equal |
|---|---|
| iss | Snowflake EXTERNAL_OAUTH_ISSUER |
| aud | An entry in Snowflake EXTERNAL_OAUTH_AUDIENCE_LIST |
| Mapping claim (default sub) | A Snowflake user's LOGIN_NAME or EMAIL_ADDRESS, depending on EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE |
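The three claim checks above, carried out over a constructed token, as an added example (not Atlan's, PingFederate's or Snowflake's own code). The issuer, audience, user directory and helper names are assumed placeholders; signature verification against /pf/JWKS is assumed to have happened before the payload reaches these checks.

```python
import base64
import json
import time

# Constructed Snowflake-side security integration values (placeholders).
EXTERNAL_OAUTH_ISSUER = "https://pingfederate.example.com"
EXTERNAL_OAUTH_AUDIENCE_LIST = ["https://myaccount.snowflakecomputing.com"]
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = "sub"
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = "EMAIL_ADDRESS"

# Constructed Snowflake user directory: LOGIN_NAME -> EMAIL_ADDRESS.
SNOWFLAKE_USERS = {"JDOE": "jdoe@example.com"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(payload):
    """Build an RS256-shaped JWT with a placeholder signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_payload(token):
    """Return the JWT payload; the signature was assumed to be verified against /pf/JWKS already."""
    _header, body, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def map_claims_to_user(payload, now=None):
    """Apply the checks from the table above; return the matched LOGIN_NAME or raise ValueError."""
    now = time.time() if now is None else now
    if payload.get("iss") != EXTERNAL_OAUTH_ISSUER:
        raise ValueError("iss does not equal EXTERNAL_OAUTH_ISSUER")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if not any(a in EXTERNAL_OAUTH_AUDIENCE_LIST for a in aud):
        raise ValueError("no aud entry is in EXTERNAL_OAUTH_AUDIENCE_LIST")
    if payload.get("exp", 0) <= now:  # standard JWT expiry check, in addition to the table
        raise ValueError("token has expired")
    value = payload.get(EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM)
    if value is None:
        raise ValueError("mapping claim is missing from the token")
    use_login = EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE == "LOGIN_NAME"
    for login_name, email in SNOWFLAKE_USERS.items():
        if (login_name if use_login else email) == value:  # exact match assumed here
            return login_name
    raise ValueError("no Snowflake user matches the mapping claim")
```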
Field name mappings
| Concept | Atlan field | PingFederate field | Snowflake parameter |
|---|---|---|---|
| Issuer | Read from Metadata URI | Access Token Manager → Issuer Claim Value | EXTERNAL_OAUTH_ISSUER |
| Audience | Audience URI | Access Token Manager → Audience Claim Value | Entry in EXTERNAL_OAUTH_AUDIENCE_LIST |
| JWKS URL | Read from Metadata URI | Hosted at /pf/JWKS | EXTERNAL_OAUTH_JWS_KEYS_URL |
| Client ID | Client ID | OAuth Client → Client ID | n/a |
| Client Secret | Client Secret | OAuth Client → Client Secret | n/a |
| Scope | Scope | OAuth Client → Allowed Scopes | Paired with EXTERNAL_OAUTH_ANY_ROLE_MODE |
| Discovery URL | Metadata URI | /.well-known/openid-configuration | n/a |
| Redirect URI | Set by Atlan at runtime | OAuth Client → Redirect URIs | n/a |
| User mapping claim | n/a | Access Token Manager → Attribute Contract → sub | EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM |
Token defaults
| Setting | Default value |
|---|---|
| JWS algorithm | RS256 |
| Access token lifetime | 60 minutes |
| Scope | session:role-any |
| Snowflake any-role mode | ENABLE |
See also
- Enable Snowflake OAuth with PingFederate: Step-by-step setup across Snowflake, PingFederate, and Atlan.
- Troubleshooting PingFederate OAuth: Common failure modes and fixes.
- SSO integration with PingFederate using SAML: A different flow—PingFederate as a SAML identity provider for logging into Atlan.