Snowflake group push fails with the following error visible in the Okta admin dashboard:
Errors reported by remote server: Invalid JSON: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: (String)"<!DOCTYPE html> <html lang="en-US"> <head> <title>Bad Request</title> <style media="screen" type="text/css"> .ErrorContainer { width: 650px; margin: 100px auto; background: #f5f5f5; padding: 44px; border-radius: 7px; -moz-box-shadow: 0 1px 15px rgba(0, 0, 0, 0.25); box-shadow: 0 1px 15px rgba(0, 0, 0, 0.25); } body{ color: #565656; background:#00BBE6; margin: 0; font: 100%/1.8 "Helvetica Neue", Arial, Helvetica, Geneva, sans-serif; } div.BodyLogo{background:url("data:image/png;base"[truncated 14120 chars]; line: 1, column: 2]
- Snowflake
- Provisioning
- Group push
- Error
Currently, Okta’s Enhanced Group Push and Push Now features are not supported for Okta SCIM Provisioning with Snowflake, as outlined in the Snowflake Okta SCIM Provisioning documentation. If attempting to use the Push Now feature, Okta will error.
According to this Snowflake article, the following is Not Supported:
- Okta’s Enhanced Group Push and Push Now features.
- NOTE: The defaultRole, defaultSecondaryRoles, and defaultWarehouse attributes are unmapped as they are optional. To map these attributes in Okta, use profiles, expressions, or set a default value for all users. For more information, see Manage profiles (in Okta).
- If a private connectivity to the Snowflake service is used to access Snowflake, ensure that these URLs are not entered in the integration settings. Enter the public endpoint (i.e., without .privatelink), and ensure that the network policy allows access from the Okta IP address listed here. Otherwise, this integration cannot be used.
- Okta does not currently support importing Active Directory nested groups. Therefore, if the Okta integration uses nested groups in AD, the Snowflake Okta SCIM integration cannot be used to provision or manage nested groups in Snowflake. Please contact Okta and Microsoft to request the support of nested groups.
To correct this error, click the Retry All Groups button to remove the error and put the Push Group experiencing the issue back into the Active state.
For more clarity:
- Enhanced pushed group refers to group linking. For Okta to push the group, the group must not exist on the SP side.
- The error appears whenever the Okta admin clicks on the Push Now option. To fix this, the admin should click on the Retry All Groups button instead.
- If the error still appears, there may be an issue with the user or the group created on the app side. The next steps would be to remove everyone from the Okta group and redo the push. If the push is successful, it means that one or more users are causing this issue. By adding the users in small batches and redoing the group push, we should be able to pinpoint the users or users that are affecting the group push.
- If these steps were performed and the push fails, please open a case with Snowflake support for further assistance.
