Clicking Push now in the Push Groups tab of a Snowflake app instance to manually re-push an individual group always returns an error, even though the same group is pushed successfully by automatic updates. This is expected behavior given the current implementation of the Snowflake app and the architecture of Snowflake's service.
- Okta Integration Network (OIN)
- Group Push
As stated in Snowflake's documentation, Okta's Enhanced Group Push and Push Now features are not supported. Keep in mind that Snowflake represents each Okta group provisioned through Push Groups as a Snowflake role.
When Okta pushes a group to any app that supports Group Push, it first sends a GET request to the service's SCIM Groups endpoint. If no matching group is found, Okta sends a create request. Once the group exists in the downstream service, the unique ID assigned by the target service provider is returned to Okta and stored as the group's external ID, which Okta uses for all subsequent provisioning requests for that group. This is the behavior for most SCIM provisioning flows.
The failure occurs whenever Okta sends a GET request for a group it expects to already exist, which is what happens when you click Push now. Against Snowflake's service, that query never finds the group associated with the previously stored external ID, so the push fails with an error. Automatic group push updates, triggered by app assignment changes and by changes to Okta user membership in the group, do not perform this lookup: they send the membership update directly using the previously obtained external ID, which is why they succeed.
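The following simulation of the flow described above is an added example, not Okta's or Snowflake's code. It constructs two in-memory SCIM service providers: one that answers a GET by group ID as SCIM 2.0 expects, and a hypothetical one modelled on the described Snowflake behavior, where a group created by Okta can still be updated by its ID but is never returned by a GET for that ID. The Okta side stores the provider-assigned ID as the external ID and reuses it for later updates. The endpoint names in the comments are the standard SCIM 2.0 ones and are an assumption; the article only says "the SCIM groups endpoint" and does not state which verbs each push uses.

```python
"""Simulate Okta group push against a standard SCIM provider and a
role-backed one.  Added example; the providers and the Okta client are
constructed for illustration and are not the real implementations."""
import uuid


class ScimGroupNotFound(Exception):
    """Raised when the provider cannot find a group (a SCIM 404)."""


class StandardScimProvider:
    """Minimal SCIM 2.0 Groups resource that behaves as Okta expects."""

    def __init__(self):
        self.groups = {}  # provider-assigned id -> group resource

    def search_groups(self, display_name):
        # GET /Groups?filter=displayName eq "<name>"  (assumed endpoint)
        return [dict(g) for g in self.groups.values()
                if g["displayName"] == display_name]

    def get_group(self, group_id):
        # GET /Groups/{id}  (assumed endpoint)
        if group_id not in self.groups:
            raise ScimGroupNotFound(group_id)
        return dict(self.groups[group_id])

    def create_group(self, display_name):
        # POST /Groups: the provider mints the id Okta stores as external ID
        group_id = str(uuid.uuid4())
        self.groups[group_id] = {"id": group_id, "displayName": display_name,
                                 "members": []}
        return group_id

    def replace_members(self, group_id, members):
        # PATCH /Groups/{id}; members are replaced wholesale for simplicity
        if group_id not in self.groups:
            raise ScimGroupNotFound(group_id)
        self.groups[group_id]["members"] = list(members)


class RoleBackedProvider(StandardScimProvider):
    """Hypothetical provider modelled on the behavior described for Snowflake:
    groups are backed by roles, membership updates by id succeed, but a GET for
    the stored id never finds the group."""

    def get_group(self, group_id):
        raise ScimGroupNotFound(group_id)


class OktaGroupPush:
    """The Okta side of group push for one app instance (simulated)."""

    def __init__(self, provider):
        self.provider = provider
        self.external_ids = {}  # Okta group name -> provider-assigned id

    def initial_push(self, group_name, members):
        """First push: look up by name, create if absent, store the external ID."""
        found = self.provider.search_groups(group_name)
        group_id = found[0]["id"] if found else self.provider.create_group(group_name)
        self.external_ids[group_name] = group_id
        self.provider.replace_members(group_id, members)
        return group_id

    def push_now(self, group_name, members):
        """Manual Push now: re-query the group by its stored external ID before
        sending membership, so a provider that cannot answer that GET fails."""
        group_id = self.external_ids[group_name]
        try:
            self.provider.get_group(group_id)
        except ScimGroupNotFound:
            return "error"
        self.provider.replace_members(group_id, members)
        return "ok"

    def automatic_update(self, group_name, members):
        """Automatic membership update: no lookup, the stored ID is used directly."""
        self.provider.replace_members(self.external_ids[group_name], members)
        return "ok"


def compare_providers(group_name="analysts", first=("alice",),
                      later=("alice", "bob")):
    """Run the same pushes against both providers and report each outcome."""
    results = {}
    for label, provider in (("standard", StandardScimProvider()),
                            ("role_backed", RoleBackedProvider())):
        okta = OktaGroupPush(provider)
        group_id = okta.initial_push(group_name, first)
        results[label] = {
            "push_now": okta.push_now(group_name, later),
            "automatic": okta.automatic_update(group_name, later),
            "members": provider.groups[group_id]["members"],
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_providers().items():
        print(label, outcome)
```

Running `compare_providers()` shows the asymmetry the article describes: against the standard provider both Push now and the automatic update succeed, while against the role-backed provider Push now reports an error and only the automatic update, which skips the lookup and sends the membership using the stored external ID, lands the new membership.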
Due to this service restriction, do not click Push now in Okta from the app's Push Groups tab under the Push Status column. Only use automatic Push Group updates to send membership updates to Snowflake.
For this same reason, existing Snowflake roles cannot be brought under Okta’s management through transfer of ownership. Only new roles can be created through Okta.