cagov / data-infrastructure

CalData infrastructure

Home Page: https://cagov.github.io/data-infrastructure

Okta Integration Phase 2 (Troubleshooting): Troubleshoot CDTFA login errors after Okta Integration

melanie-logan opened this issue · comments

Adding an issue here to document an error encountered after the initial production integration with Okta.

  • We experienced an issue where Arman was unable to log in using SSO despite correct config and username assignment.
  • Local login using the updated username worked as expected.

The issue encountered is below:

[Screenshot of the login error, taken 2024-02-26]


Solution:

After searching online, the following community post outlined potential solutions.

The issue was resolved by replacing the Snowflake "shortened URL" format with the "account locator" or "full URL" format.

Original (shortened) URL format:
https://<account_locator>.snowflakecomputing.com

Replaced with account locator (full) URL format:
https://<account_locator>.<region>.snowflakecomputing.com

We suspect we encountered this issue because the Okta application for this account was defined using the full URL prefix specification (e.g., exb17208.us-east-1):

https://exb17208.us-east-1.snowflakecomputing.com


Updated values:

The original integration parameters were defined as:

SAML2_SNOWFLAKE_ACS_URL = 'https://vsb79059-aae-cdtfa-return.snowflakecomputing.com/fed/login'
SAML2_SNOWFLAKE_ISSUER_URL = 'https://vsb79059-aae-cdtfa-return.snowflakecomputing.com';

Parameters updated to:

SAML2_SNOWFLAKE_ACS_URL = 'https://exb17208.us-east-1.snowflakecomputing.com/fed/login'
SAML2_SNOWFLAKE_ISSUER_URL = 'https://exb17208.us-east-1.snowflakecomputing.com';
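As an added example (not code from this issue or from the CalData repository), a small Python check that compares the Snowflake account URL an Okta app was configured with against the SAML2_SNOWFLAKE_ACS_URL / SAML2_SNOWFLAKE_ISSUER_URL values and reports the shortened-vs-full host mismatch described above. The function names, and the rule that the ACS path must be /fed/login (taken from the values in this issue), are assumptions.

```python
from urllib.parse import urlparse

# Assumed constants: the Snowflake host suffix and the ACS path used in this issue.
SNOWFLAKE_SUFFIX = ".snowflakecomputing.com"
ACS_PATH = "/fed/login"


def host_form(hostname: str) -> str:
    """Classify a Snowflake host: 'shortened' when only one label precedes the
    suffix (<account_locator> or <org>-<account>), 'full' when cloud/region
    labels are present (e.g. exb17208.us-east-1)."""
    labels = hostname.removesuffix(SNOWFLAKE_SUFFIX).split(".")
    return "shortened" if len(labels) == 1 else "full"


def check_saml_urls(okta_account_url: str, acs_url: str, issuer_url: str) -> list:
    """Return a list of mismatches between the account URL the Okta app signs
    assertions for and the Snowflake integration values. Empty list = consistent."""
    problems = []
    parsed = {
        "okta app": urlparse(okta_account_url),
        "SAML2_SNOWFLAKE_ACS_URL": urlparse(acs_url),
        "SAML2_SNOWFLAKE_ISSUER_URL": urlparse(issuer_url),
    }
    for name, u in parsed.items():
        if u.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if not u.hostname or not u.hostname.endswith(SNOWFLAKE_SUFFIX):
            problems.append(f"{name}: host must end with {SNOWFLAKE_SUFFIX}")
    okta = parsed["okta app"]
    acs = parsed["SAML2_SNOWFLAKE_ACS_URL"]
    issuer = parsed["SAML2_SNOWFLAKE_ISSUER_URL"]
    if acs.path != ACS_PATH:
        problems.append(f"ACS path must be {ACS_PATH}, got {acs.path!r}")
    if issuer.path not in ("", "/"):
        problems.append("issuer must be the bare account URL (no path)")
    if acs.hostname != issuer.hostname:
        problems.append("ACS and issuer hosts differ")
    # The failure in this issue: Okta used the full form, Snowflake the shortened one.
    if okta.hostname and acs.hostname and okta.hostname != acs.hostname:
        problems.append(
            f"Okta app uses {okta.hostname} ({host_form(okta.hostname)} form) but the "
            f"integration uses {acs.hostname} ({host_form(acs.hostname)} form)"
        )
    return problems
```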

Yeah, I've found that with most tools you need the cloud+region in the locator (if it exists) in order to connect properly. Most of the connections are HTTPS/TLS based on the account URL, so it's really not doing anything tricky, just constructing the URL of the account that we all log into.

Good to know!

I'd love to have a better understanding of when the account identifier is expected to work vs when the locator-with-cloud-and-region is needed. These docs indicate that the locator is effectively deprecated, but I've found it's still needed in a lot of places like this. Do you have any insight into that @melanie-logan?

Definitely want to do some research here. I'll let you know what I find!