Troubleshooting connector-specific SSO authentication
Atlan currently supports the following connectors for SSO authentication to query data and preview sample data:
General
How will SSO authentication interact with any data policies in Atlan?
Atlan supports data policies mandated at source if using SSO authentication. Explicit restrictions take precedence, unless otherwise configured.
Let's examine two scenarios using the example of a masking policy:
- If you have a data policy in Atlan to mask sensitive data and are also using SSO authentication with no masking policy at source, the data is masked in Atlan. However, if you toggled on "Enable data policies created at source to apply for querying in Atlan" while configuring SSO authentication in Atlan, only source policies take effect. Because the source has no masking policy, the data isn't masked in Atlan.
- If you don't have any data policy in Atlan but are using SSO authentication with a masking policy at source for sensitive data, the data is masked in Atlan.
Snowflake
Why am I getting an incorrect username or password error message?
If you receive the following error message:
Cannot create PoolableConnectionFactory (Incorrect username or password was specified.)
The security integration in Snowflake maps Atlan email addresses to Snowflake login names. First, check if a user with an Atlan email address exists in Snowflake.
If a user exists and the Snowflake login name isn't an email address, your Snowflake administrator has to manually update the user mapping in the security integration to use email addresses instead. To do so, set the following parameter on the security integration in Snowflake:
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS'
Refer to Snowflake documentation.
Why am I getting a role error message?
If you receive the following error message:
Cannot create PoolableConnectionFactory (Role <'ACCOUNTADMIN'/'ORGADMIN'/'SECURITYADMIN'> specified in the connect string isn't granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC
By default, Snowflake blocks the ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN roles from being assumed in the security integration. Therefore, a user with any of these Snowflake roles can't run queries with Snowflake OAuth-based authentication.
To permit users with the ACCOUNTADMIN, ORGADMIN, or SECURITYADMIN role to query with Snowflake OAuth-based authentication, run the following command in Snowflake to set account-level permissions for the security integration:
ALTER ACCOUNT SET EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST = FALSE;
Refer to Snowflake documentation.
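The following Snowflake SQL walks through the checks for both errors above. It is an added example, not taken from Atlan's or Snowflake's documentation; ATLAN_SSO_INTEGRATION, ANALYST_USER and analyst@example.com are placeholder names to replace with your own.

```sql
-- Placeholders (assumptions, not real objects):
--   ATLAN_SSO_INTEGRATION  the security integration used for Atlan SSO
--   ANALYST_USER           the Snowflake user name of the affected person
--   analyst@example.com    that person's Atlan email address

-- 1. "Incorrect username or password": see how the integration maps users.
--    Check the EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE row.
DESCRIBE SECURITY INTEGRATION ATLAN_SSO_INTEGRATION;

-- 2. Confirm a Snowflake user carries the Atlan email address, and see
--    whether its login name is that email or something else.
SHOW USERS;
SELECT "name", "login_name", "email", "disabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE LOWER("email") = 'analyst@example.com'
   OR LOWER("login_name") = 'analyst@example.com';

-- 3. If the user exists but login_name is not an email address,
--    map on the email attribute instead.
ALTER SECURITY INTEGRATION ATLAN_SSO_INTEGRATION
  SET EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS';

-- 4. Role error: read the current account-level value before changing it.
SHOW PARAMETERS LIKE 'EXTERNAL_OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST'
  IN ACCOUNT;

-- 5. List the roles granted to the user, to see whether a role other than
--    ACCOUNTADMIN, ORGADMIN or SECURITYADMIN is available to connect with.
SHOW GRANTS TO USER ANALYST_USER;

-- 6. Review recent failed logins and the authentication factor used.
--    ACCOUNT_USAGE views can lag behind real time.
SELECT event_timestamp,
       user_name,
       first_authentication_factor,
       error_code,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE is_success = 'NO'
  AND event_timestamp > DATEADD('hour', -24, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

If step 5 shows a non-administrative role that covers the user's queries, connecting with that role, as the error message itself suggests, avoids changing the account-level setting.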