This article will cover how to troubleshoot and fix the Snowflake group push error:
OR,
Changes to the Group push mapping for the group <group name> could not take effect due to error: Error while creating user group <group name>: Bad Request. Errors reported by remote server: Invalid JSON: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: (String)"<!DOCTYPE html> <html lang="en-US"> <head> <title>Bad Request</title> <style media="screen" type="text/css"> .ErrorContainer { \u0009width: 650px; \u0009margin: 100px auto; \u0009background: #f5f5f5; \u0009padding: 44px; \u0009border-radius: 7px; \u0009-moz-box-shadow: 0 1px 15px rgba(0, 0, 0, 0.25); \u0009box-shadow: 0 1px 15px rgba(0, 0, 0, 0.25); } body{ \u0009color: #565656; \u0009background:#00BBE6; \u0009margin: 0; \u0009font: 100%/1.8 "Helvetica Neue", Arial, Helvetica, Geneva, sans-serif; } div.BodyLogo{background:url("data:image/png;base"[truncated 14120 chars]; line: 1, column: 2]
- Snowflake Provisioning
- Okta Integration Network (OIN)
- Failed Group push
This is normally caused by the Snowflake SCIM server failing one or more app group membership updates, inserts or removals. The most common reason is a manual change applied to the problematic target Snowflake user account in the external Snowflake application without Okta's knowledge, which leaves the app user external ID mismatched (out of sync).
A common symptom, in addition to the group push mapping failure, is that some Snowflake push-user profile update provisioning events fail with the following error:
The Snowflake audit log history would then show a record of the Snowflake admin manually deleting the target Snowflake user account and possibly recreating the same user in Snowflake with the same username, but now with a different Snowflake user ID (the value Okta picks up as the Snowflake app user external ID).
Troubleshooting steps
- Please open an Okta support ticket, provide the Okta Support engineer with the group name of the problematic Snowflake group push mapping and the timestamp (date/time/timezone) of the failed push event, and ask for assistance in checking the internal Okta log to identify the failed group push membership update. Note that there could be more than one problematic group membership update, but only one will be shown at a time.
- Please navigate to Okta Admin Console > Dashboard > Tasks page, filter by application name, and double-check whether any push user profile update task failed with the error: Push user's profile to external application FAILURE: No user returned for user <app user external id>.
- If no failed task with this error is found, please make a copy of the affected user name/email for the next troubleshooting step and verify whether these Okta user(s) with a failed Snowflake provisioning task error are also members of the problematic group push source group with group push failure.
- Please reach out to Snowflake Admin and/or open a Snowflake Support Ticket to verify whether the problematic target Snowflake user with those problematic app user external IDs exists in the Snowflake external application or was manually deleted/recreated with a new Snowflake user ID that no longer matches the Okta Snowflake app user external ID.
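The external ID comparison described in these steps can be run offline once an export of the Okta Snowflake app assignments and the Snowflake SCIM user list is available. This is an added example, not Okta's or Snowflake's own code: the records are constructed, and the field names (`externalId`, `scope`, `credentials.userName` on the Okta side; `id`, `userName` on the SCIM side) and the case-insensitive username match are assumptions about those exports.

```python
# Added example: classify each Okta app assignment by whether its external ID
# still exists in Snowflake. All sample records below are constructed.

OKTA_APP_USERS = [  # assumed shape of an Okta app-user export
    {"id": "00u1", "externalId": "sf-101", "scope": "USER",
     "credentials": {"userName": "alice@example.com"}},
    {"id": "00u2", "externalId": "sf-102", "scope": "GROUP",
     "credentials": {"userName": "bob@example.com"}},
    {"id": "00u3", "externalId": "sf-103", "scope": "USER",
     "credentials": {"userName": "carol@example.com"}},
]

SNOWFLAKE_SCIM_USERS = [  # assumed shape of the SCIM user list ("Resources")
    {"id": "sf-101", "userName": "alice@example.com"},
    {"id": "sf-777", "userName": "BOB@EXAMPLE.COM"},  # deleted and recreated: new ID
]

def reconcile(okta_users, scim_users):
    """Return one finding per Okta assignment: in_sync, recreated or deleted."""
    by_id = {u["id"]: u for u in scim_users}
    by_name = {u["userName"].lower(): u for u in scim_users}
    findings = []
    for au in okta_users:
        name = au["credentials"]["userName"]
        ext = au.get("externalId")
        if ext in by_id:
            status, current = "in_sync", ext
        elif name.lower() in by_name:
            # Same username, different Snowflake ID: the out-of-sync case.
            status, current = "recreated", by_name[name.lower()]["id"]
        else:
            status, current = "deleted", None
        findings.append({
            "okta_user": au["id"], "userName": name, "status": status,
            "okta_external_id": ext, "snowflake_id": current,
            # Group-based assignments must be converted to individual first.
            "convert_first": au.get("scope") == "GROUP",
        })
    return findings

def needs_reassignment(findings):
    """Assignments whose external ID no longer resolves in Snowflake."""
    return [f for f in findings if f["status"] != "in_sync"]

if __name__ == "__main__":
    for f in needs_reassignment(reconcile(OKTA_APP_USERS, SNOWFLAKE_SCIM_USERS)):
        print(f)
```
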
To get past the error
Once it is confirmed that the Snowflake user was manually deleted/removed in external Snowflake, causing the out-of-sync app user external ID, please perform the following:
- Navigate to Okta Admin Console > Applications > Snowflake app > Assignments > Search for each of the failed target users one at a time. If this is a group-based app assignment, perform the KB article steps:
- Once the app assignment is converted to an individual app assignment type successfully, click X to remove the problematic app assignment.
- NOTE: The app de-provisioning will be seen as failed due to the same error. Ignore this, as it is normal, since it is again caused by the target app user's external ID no longer being found in Snowflake.
- Reassign the app assignment back to the user individually, and make sure the new app assignment completes successfully and has a new app user external ID associated with it this time.
- NOTE: If there is a different error, please have the Snowflake Admin apply the solution suggested by the Snowflake Support Engineer to fix this Snowflake error, as documented in another KB article: Snowflake Provisioning "Error while creating user: Conflict. Errors reported by remote server: User exists with given userName and/or enterprise:user.snowflakeUserName"
- (Optional) If the original app assignment is a group-based app assignment, then manually convert the individual app assignment back to a group app assignment as necessary. Please check out this link for reference.
- Finally, when all problematic app assignments with outdated app user external ID values are fixed, retry all the failed group push mapping jobs from the Push Group tab (or from Tasks > Group Push page).
As a permanent solution to avoid the same group push/push profile update sync issue in the future, please investigate internally, on the Snowflake side, why the manual user account changes were made in the first place, and determine whether the internal procedure for Snowflake user account changes can be adjusted to avoid the app user external ID out-of-sync issue in the future.
Please be reminded that any manual changes made by a Snowflake admin in the external Snowflake application will not sync back to Okta's Snowflake app assignment, so they could cause Okta/Snowflake SCIM provisioning (user profile update sync and group push mapping sync) to break in the future.
