SOL-C01 · Question #239
A Snowflake account is configured to use Okta as its Identity Provider (ldP) for Single Sign-On (SSO). A user, 'analytics_user', reports being unable to log in to Snowflake via Okta, receiving an 'Inv
The correct answer is C. The user 'analytics_user' exists in Snowflake, but the SAML identity associated with the user in. When Snowflake returns 'Invalid User' during Okta SSO, and the user exists in both Okta and Snowflake, the most likely cause is a SAML attribute mismatch. Snowflake matches the incoming SAML assertion (typically the NameID or a mapped attribute like email) to the user's LOGIN_NAM
Question
A Snowflake account is configured to use Okta as its Identity Provider (ldP) for Single Sign-On (SSO). A user, 'analytics_user', reports being unable to log in to Snowflake via Okta, receiving an 'Invalid User' error. After verifying the user exists in Okta and is assigned to the correct Snowflake application, what is the MOST likely cause and what is the BEST approach to troubleshoot the issue within Snowflake?
Options
- AThe user 'analytics_user' does not exist in Snowflake. Create the user in Snowflake with the same
- BThe Okta integration in Snowflake is not properly configured. Verify the SSO integration settings
- CThe user 'analytics_user' exists in Snowflake, but the SAML identity associated with the user in
- DThe Snowflake virtual warehouse is suspended, preventing authentication. Resume the
- EOkta is experiencing a service outage. Check Okta's status page to confirm if there are any known
How the community answered
(35 responses)- A11% (4)
- B3% (1)
- C74% (26)
- D3% (1)
- E9% (3)
Explanation
When Snowflake returns 'Invalid User' during Okta SSO, and the user exists in both Okta and Snowflake, the most likely cause is a SAML attribute mismatch. Snowflake matches the incoming SAML assertion (typically the NameID or a mapped attribute like email) to the user's LOGIN_NAME in Snowflake. If the LOGIN_NAME in Snowflake doesn't match what Okta is sending in the SAML assertion, authentication fails. The fix is to ensure the Snowflake user's LOGIN_NAME matches the SAML subject/attribute sent by Okta. Option A is wrong because the user exists. Option B is unlikely since other users presumably work. Option D is wrong because warehouse state doesn't affect authentication. Option E is wrong because the user can log in to Okta successfully.
Topics
Community Discussion
No community discussion yet for this question.