Specifies the authentication scheme used to establish a connection to Snowflake. It determines the authentication mechanism required for validating the user's identity and allows integration with various SSO and OAuth providers.

Possible Values

Password, OKTA, PrivateKey, AzureMSI, OAuth, OAuthAzureAD, OAuthClientAzureAD, OAuthOKTA, OAuthClientOKTA, OAuthOther, OAuthClientOther, OAuthJWT, PingFederate, ExternalBrowser, ProgrammaticAccessToken, WorkloadIdentityFederation

Data Type

string

Default Value

"OAuth"

Remarks

The provider supports the following authentication mechanisms. See the Getting Started chapter for authentication guides.

• Password: Standard username/password authentication. Recommended for simple authentication setups.
• OKTA: Set this to use the OKTA SSO identity provider. Set SSOProperties in addition to the User and Password you use to authenticate to OKTA.
• AzureMSI: Uses Azure Managed Service Identity (MSI) for authentication. Set this along with AzureResource to use the Azure Managed Service Identity when running on an Azure Virtual Machine (VM).
• PingFederate: Uses PingFederate SSO identity provider for authentication. Set this along with User to use the PingFederate SSO identity provider. When connecting, your browser opens, allowing you to login to PingFederate to complete the authentication.
• PrivateKey: Key pair authentication using RSA key pairs for enhanced security. You must also set PrivateKey, PrivateKeyPassword and PrivateKeyType to authenticate with this method.
• OAuth: Standard OAuth 2.0 authentication using tokens. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. Note that the CData driver always uses PKCE with OAuth for extra security. It works for Snowflake’s built-in OAuth service.
• OAuthAzureAD: Standard OAuth 2.0 authentication using tokens. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. Note that the CData driver always uses PKCE with OAuth for extra security. The Identity Provider (IdP) is the external Entra ID.
• OAuthClientAzureAD: Client grant type OAuth authentication for service-to-service communication. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. The Identity Provider (IdP) is the external Entra ID.
• OAuthOKTA: Standard OAuth 2.0 authentication using tokens. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. Note that the CData driver always uses PKCE with OAuth for extra security. The Identity Provider (IdP) is the external OKTA.
• OAuthClientOKTA: Client grant type OAuth authentication for service-to-service communication. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. The Identity Provider (IdP) is the external OKTA.
• OAuthOther: Standard OAuth 2.0 authentication using tokens. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. Note that the CData driver always uses PKCE with OAuth for extra security. The Identity Provider (IdP) is other external customized application.
• OAuthClientOther: Client grant type OAuth authentication for service-to-service communication. Set OAuthClientId, OAuthClientSecret to the Snowflake OAuth credentials. Additionally, set InitiateOAuth to GETANDREFRESH. The Identity Provider (IdP) is other external customized application.
• OAuthJWT: Set this to perform External OAuth authentication with a JWT certificate. The Identity Provider (IdP) is the external Entra ID. Requires the following additional connection properties. [OAuthJWTCert,/OAuthJWTCertType]
• ExternalBrowser: Uses OneLogin SSO identity provider or other browser-based SSO providers. Set this along with User. When connecting, your browser opens and authentication is completed automatically.
• ProgrammaticAccessToken: Authenticates using a Snowflake Programmatic Access Token (PAT). Set User to the Snowflake username and Password to the PAT token value. PATs can be created in the Snowflake UI under Admin > Security > Programmatic Access Tokens.
• WorkloadIdentityFederation: Authenticates using the cloud platform's native workload identity. The provider automatically obtains attestation credentials from the cloud environment's metadata service (AWS IAM, Azure Managed Identity, or GCP service accounts). Set User to the Snowflake service user and set WorkloadIdentityProvider to specify the cloud provider (AWS, AZURE, GCP, or OIDC). For OIDC, you must also set WorkloadIdentityToken to provide the identity token.