Snowflake Provisioning Error: "Error authenticating: Forbidden. Errors reported by the remote server"
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

This article addresses the following error, which can occur when configuring System for Cross-domain Identity Management (SCIM) provisioning for Snowflake or when attempting to provision users from Okta:

Error authenticating: Forbidden. Errors reported by the remote server.

Applies To
  • Provisioning
  • Okta Integration Network (OIN)
  • Snowflake
Cause

This error is generated if the API token used in the Snowflake Application API integration is invalid or if communication between Okta and Snowflake is prevented.

There are two common causes for this issue:

  • Incorrect 'Subdomain' setting in Okta.
    The Forbidden error can result from an incorrect Subdomain value configured in the Snowflake application in Okta (General tab, App Settings). Okta builds the SCIM endpoint URL from this value, so a wrong value sends the request to the wrong host or account.

  • Network policy blocking the connection from Okta to the Snowflake account.
    Use the following commands to review the network policies in the Snowflake account:
    USE ROLE ACCOUNTADMIN;
    
    SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT; 
    //shows the activated network policy at the account level
    
    DESC NETWORK POLICY <network_policy_name>; 
    //displays configuration of the network policy (allowed/blocked IP addresses)
    
    SHOW NETWORK POLICIES IN ACCOUNT; 
    //lists all network policies in the account
Solution

To resolve this error, address the potential causes related to the subdomain configuration or network policies.


Incorrect Subdomain

The Subdomain field in the Okta Snowflake application configuration must contain the correct string that appears before snowflakecomputing.com/ in the Snowflake account URL.



To find the correct Subdomain value, look at the Snowflake account URL.
For example, if the Snowflake URL is https://examplex3.us-east-2.aws.snowflakecomputing.com/, the subdomain is examplex3.us-east-2.aws, the string before snowflakecomputing.com.

In this example the value examplex3.us-east-2.aws is the account identifier in the legacy account-locator form: the account locator (examplex3) followed by the region ID (us-east-2) and, where Snowflake includes it in the URL, the cloud provider segment (aws).
If the Snowflake account is in the US West (Oregon) region (us-west-2), the URL contains only the account locator and there is no region ID to include.

To resolve the error due to an incorrect subdomain:

  1. Navigate to the General tab of the Snowflake integration in Okta.
  2. Modify the Subdomain field according to the recommendation above.
  3. After updating the Subdomain field, navigate to the Provisioning tab and click Test API Credentials.

NOTE: When using the legacy account-locator URL, the Subdomain field in the Okta configuration must include the region ID (and the cloud provider segment, if the URL contains one). When using the new account URL format, only <orgname>-<accountname> is required in the Subdomain field.
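The following helper applies the rule above mechanically: it takes the Snowflake account URL, returns the value to paste into the Okta Subdomain field, and classifies which URL form it is. This is an added example, not code from Okta or Snowflake; the hostnames in the tests and in the usage section are constructed placeholders, and the suffix check is there so that a look-alike host (anything not ending in the real snowflakecomputing.com domain) is rejected instead of silently producing a plausible-looking value.

```python
"""Derive the Okta 'Subdomain' value from a Snowflake account URL.

Added example, not code from Okta or Snowflake. All hostnames below are
constructed placeholders.
"""
from urllib.parse import urlparse

SNOWFLAKE_SUFFIX = ".snowflakecomputing.com"


def subdomain_for_okta(account_url: str) -> str:
    """Return what belongs in the Okta Snowflake app's 'Subdomain' field.

    The article's rule: the string before 'snowflakecomputing.com' in the
    account URL. That rule covers both legacy locator URLs
    (<locator>[.<region>[.<cloud>]]) and new <orgname>-<accountname> URLs.
    A bare hostname without a scheme is accepted as well.
    """
    url = account_url.strip()
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname  # drops scheme, port and path
    if not host:
        raise ValueError(f"no hostname in {account_url!r}")
    host = host.lower()
    # Snowsight (app.snowflake.com/<org>/<account>) is not the account URL;
    # reject it rather than returning a value that merely looks plausible.
    if host == "app.snowflake.com":
        raise ValueError("use the account URL (*.snowflakecomputing.com), not the Snowsight URL")
    # endswith() on the dotted suffix rejects look-alike hosts such as
    # examplex3.snowflakecomputing.com.example.net
    if not host.endswith(SNOWFLAKE_SUFFIX):
        raise ValueError(f"{host} is not a *.snowflakecomputing.com hostname")
    subdomain = host[: -len(SNOWFLAKE_SUFFIX)]
    if not subdomain or subdomain != subdomain.strip("."):
        raise ValueError(f"empty or malformed subdomain in {host}")
    return subdomain


def url_style(subdomain: str) -> str:
    """Classify the derived value, mirroring the article's two notes.

    Account locators are alphanumeric, so a hyphen in the first label only
    appears in the <orgname>-<accountname> form. A locator with no further
    labels is the US West (Oregon) case, where the region ID is omitted.
    """
    first = subdomain.split(".", 1)[0]
    if "-" in first:
        return "org-account"
    if "." not in subdomain:
        return "locator-us-west-2"
    return "locator-with-region"


if __name__ == "__main__":
    # Constructed sample URLs, one per form the article describes.
    for sample in (
        "https://examplex3.us-east-2.aws.snowflakecomputing.com/",
        "xy12345.snowflakecomputing.com",
        "https://myorg-myaccount.snowflakecomputing.com",
    ):
        value = subdomain_for_okta(sample)
        print(f"{sample:60} -> Subdomain={value} ({url_style(value)})")
```

Paste the returned value into the Subdomain field unchanged; do not add a scheme, a trailing slash, or the snowflakecomputing.com suffix, since Okta appends the domain itself.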


Network Policy Blocking the Connection

To resolve issues related to network policies:

  1. Ensure that the Snowflake network policy allows access from the Okta IP addresses. The policy to check is the one activated at the account level (see the SHOW PARAMETERS command above); if a network policy is also assigned directly to the SCIM security integration or to the Snowflake user that Okta authenticates as, that policy applies to the SCIM requests as well.

  2. Modify the network policy to include the necessary IP addresses using a command similar to the following. SET ALLOWED_IP_LIST replaces the whole list rather than appending to it, so keep the entries already in the policy and add the Okta ranges to them:

    alter network policy <scim_network_policy> set allowed_ip_list=('<existing entries>', <'comma separated Okta IP address ranges'>)
    

    For instance:

    alter network policy testpolicy set allowed_ip_list=('<ip address>/32','<ip address>','<ip address>/32','<ip address>/32')
    

NOTE: The entire IP address range specific to the Okta instance might need to be allowed. The Okta IP address range is not controlled by Snowflake. Refer to Okta documentation or contact the Okta team for questions specific to the Okta IP address range.
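Before editing the policy it is worth checking which Okta addresses the current policy actually rejects, and generating the ALTER statement so that the existing entries are not lost. The script below does both using the evaluation order Snowflake applies (BLOCKED_IP_LIST takes precedence over ALLOWED_IP_LIST, and an empty ALLOWED_IP_LIST admits everything that is not blocked). This is an added example, not code from Okta or Snowflake; the policy contents and the Okta address list are constructed placeholders, so replace them with the output of DESC NETWORK POLICY and the ranges published in Okta's documentation.

```python
"""Check a Snowflake network policy against Okta's egress addresses and
build the ALTER NETWORK POLICY statement that admits them.

Added example, not code from Okta or Snowflake. The lists below are
constructed placeholders: take the real ALLOWED_IP_LIST / BLOCKED_IP_LIST
from DESC NETWORK POLICY and the real Okta ranges from Okta's documentation.
"""
import ipaddress
import re

# Snowflake identifiers: guard the name we interpolate into SQL.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def _net(entry: str):
    # Bare IP or CIDR block, as Snowflake accepts in its IP lists; a bare
    # IPv4 address becomes a /32.
    return ipaddress.ip_network(entry.strip(), strict=False)


def _covered(net, nets) -> bool:
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def _overlaps(net, nets) -> bool:
    return any(net.version == n.version and net.overlaps(n) for n in nets)


def is_admitted(entry: str, allowed, blocked=()) -> bool:
    """Apply Snowflake's evaluation order to one IP or range.

    BLOCKED_IP_LIST wins over ALLOWED_IP_LIST; an empty ALLOWED_IP_LIST admits
    everything that is not blocked. A range is admitted only if every address
    in it is admitted.
    """
    net = _net(entry)
    if _overlaps(net, [_net(b) for b in blocked]):
        return False
    allowed_nets = [_net(a) for a in allowed]
    return not allowed_nets or _covered(net, allowed_nets)


def okta_entries_not_admitted(okta_entries, allowed, blocked=()):
    """Return the Okta IPs/ranges the policy would reject (a Forbidden source)."""
    return [e for e in okta_entries if not is_admitted(e, allowed, blocked)]


def alter_statement(policy_name: str, allowed, okta_entries, blocked=()):
    """Build the ALTER NETWORK POLICY statement shown in the article.

    SET ALLOWED_IP_LIST replaces the whole list, so the current entries are
    kept and the missing Okta entries appended (de-duplicated, single
    addresses written as /32). Returns None when no change is needed. Raises
    if an Okta entry sits in BLOCKED_IP_LIST, because adding it to the
    allowed list would not help until the blocked list is changed too.
    """
    if not _IDENT.match(policy_name):
        raise ValueError(f"unexpected policy name {policy_name!r}")
    blocked_nets = [_net(b) for b in blocked]
    current = [_net(a) for a in allowed]
    missing = []
    for entry in okta_entries:
        net = _net(entry)
        if _overlaps(net, blocked_nets):
            raise ValueError(f"{entry} is in BLOCKED_IP_LIST; remove it there first")
        if not _covered(net, current) and net not in missing:
            missing.append(net)
    if not missing:
        return None
    entries = ", ".join(f"'{n.with_prefixlen}'" for n in current + missing)
    return f"ALTER NETWORK POLICY {policy_name} SET ALLOWED_IP_LIST = ({entries});"


if __name__ == "__main__":
    # Constructed sample policy and Okta address list.
    allowed = ["203.0.113.0/24", "198.51.100.7"]
    blocked = ["192.0.2.128/25"]
    okta = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]
    print("rejected:", okta_entries_not_admitted(okta, allowed, blocked))
    print(alter_statement("testpolicy", allowed, okta, blocked))
```

Run the printed statement as ACCOUNTADMIN (or a role with OWNERSHIP on the policy), then re-run Test API Credentials in Okta; if the policy was not yet activated at the account level, SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT will show that too.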
