Skip to main content

Workbench: DB connections requiring MFA browser redirects will not work

Lachlan Simpson
  • Updated

Increasingly customers are asking for advice on multi-factor authentication configuration of the Snowflake Database Pro-Drivers and Workbench.

Unfortunately, this is not supported because of the server/client nature of Workbench. The Snowflake drivers attempt to open a browser window locally on the Workbench server itself, which fails. Our pro-driver for Snowflake is the driver that Snowflake provides - we're limited by the capabilities provided by the Snowflake team. The only way to perform multifactor authentication with Snowflake on Workbench is to use Duo native MFA with automatic push confirmation, as documented here:
 
https://docs.snowflake.com/en/user-guide/security-mfa#using-mfa-with-odbc
 
Here is an example odbc.ini entry that enables Okta Username/Password authentication but using Snowflake native Duo MFA with push enabled, though this model will also work with native Snowflake accounts. There isn't an additional licensing cost or enterprise burden for Duo MFA, other than expecting users to install and register the Duo app on their phones. Additionally, Okta MFA would need to be disabled for the user in the example below, and they would need to rely on the Snowflake MFA capability. Generally, this is not acceptable to many customers. A workaround that we've used with some customers is the creation of Snowflake service accounts that are local to Snowflake and assigned to your data scientist team for use with Snowflake and then enabling Snowflake Duo MFA with those accounts.

 

[Snowflake]
SERVER=wda27.us-east-1.snowflakecomputing.com
DATABASE=SAMPLEDATA
AUTHENTICATOR=https://dev-514.oktapreview.com/ 
WAREHOUSE=COMPUTEWH
UID=SNOWFLAKETEST
SCHEMA=PUBLIC
ROLE=PUBLIC
PWD=Password
Driver=Snowflake

 

In answer to the more general question, browser-style redirects are not currently supported inside of a workbench session, because modern browsers prevent sites from opening arbitrary additional URLs for security reasons without user interaction. Typically running a chunk of code that calls an ODBC driver is not considered a valid user action to enable opening a new browser tab. Lastly, this type of authentication flow also doesn't work when content is published to a more scheduled/programmatic environment like Posit Connect, so many customers end up needing to create service accounts, regardless, to solve problems related to published content.

Related articles

Comments

0 comments

Article is closed for comments.