nerdexam
Snowflake

SOL-C01 · Question #239

A Snowflake account is configured to use Okta as its Identity Provider (ldP) for Single Sign-On (SSO). A user, 'analytics_user', reports being unable to log in to Snowflake via Okta, receiving an 'Inv

The correct answer is C. The user 'analytics_user' exists in Snowflake, but the SAML identity associated with the user in. When Snowflake returns 'Invalid User' during Okta SSO, and the user exists in both Okta and Snowflake, the most likely cause is a SAML attribute mismatch. Snowflake matches the incoming SAML assertion (typically the NameID or a mapped attribute like email) to the user's LOGIN_NAM

Snowflake Account and Security

Question

A Snowflake account is configured to use Okta as its Identity Provider (ldP) for Single Sign-On (SSO). A user, 'analytics_user', reports being unable to log in to Snowflake via Okta, receiving an 'Invalid User' error. After verifying the user exists in Okta and is assigned to the correct Snowflake application, what is the MOST likely cause and what is the BEST approach to troubleshoot the issue within Snowflake?

Options

  • AThe user 'analytics_user' does not exist in Snowflake. Create the user in Snowflake with the same
  • BThe Okta integration in Snowflake is not properly configured. Verify the SSO integration settings
  • CThe user 'analytics_user' exists in Snowflake, but the SAML identity associated with the user in
  • DThe Snowflake virtual warehouse is suspended, preventing authentication. Resume the
  • EOkta is experiencing a service outage. Check Okta's status page to confirm if there are any known

How the community answered

(35 responses)
  • A
    11% (4)
  • B
    3% (1)
  • C
    74% (26)
  • D
    3% (1)
  • E
    9% (3)

Explanation

When Snowflake returns 'Invalid User' during Okta SSO, and the user exists in both Okta and Snowflake, the most likely cause is a SAML attribute mismatch. Snowflake matches the incoming SAML assertion (typically the NameID or a mapped attribute like email) to the user's LOGIN_NAME in Snowflake. If the LOGIN_NAME in Snowflake doesn't match what Okta is sending in the SAML assertion, authentication fails. The fix is to ensure the Snowflake user's LOGIN_NAME matches the SAML subject/attribute sent by Okta. Option A is wrong because the user exists. Option B is unlikely since other users presumably work. Option D is wrong because warehouse state doesn't affect authentication. Option E is wrong because the user can log in to Okta successfully.

Topics

#SSO#Okta#User Authentication#SAML Identity

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice