Spotfire® User Guide

Single sign-on with an identity provider (OAuth2) for connectors

Some data connectors support using your own identity provider, such as Okta, Keycloak, or Google, for authentication.

With connectors that support using an identity provider, you can provide a convenient log-in experience when you use a data connection or external library, without the hassle of having to remember separate database credentials. If you use the same identity provider for authentication in your Spotfire environment, you can even enable a full single sign-on experience.

Connectors that support identity provider authentication

The following connectors support single sign-on with an identity provider:

Configurations for using an identity provider for authentication

To learn more, see Authentication with an identity provider (OAuth2) to access external systems.

Data source specific identity provider examples

Snowflake's built-in OAuth service (Snowflake OAuth)

The Snowflake connector supports authentication with Snowflake's built-in OAuth service (Snowflake OAuth), where Snowflake itself acts as the identity provider. To configure it, use the templates below to add the details of your public and confidential clients to Spotfire. The values come from the security integration you create in Snowflake.

Public client (for the installed client)

Add your public client details to the OAuth2IdentityProviders preference with the following format:

Note: Snowflake OAuth requires a client secret even for the public client, so the secret field is mandatory here. Keep in mind that a secret distributed with an installed client cannot stay confidential: it identifies the application but does not by itself protect your data, so restrict the redirect URL and the allowed scopes on the security integration accordingly.

{
  type: "OAuth2",
  displayName: "Name",
  issuer: "Issuer URL setup on security integration creation",
  metadata:
  {
    authorizationEndpoint: "Auth end point provided by security integration",
    tokenEndpoint: "Token end point provided by security integration"
  },
  publicClient:
  {
    id: "Client id provided by security integration",
    secret: "Client secret provided by security integration",
    redirectUrl: "Redirect URL setup on security integration creation",
    redirectPorts: "Port setup on security integration creation"
  },
  defaultScope: "Allowed scopes setup in Snowflake instance",
  useResource: "true"
}

Confidential client (for the web client)

Note: For the confidential client, Spotfire reads the authorization server metadata from a file that you create, instead of fetching it from a discovery endpoint.
  1. Save a text or JSON file with the metadata on the computer running the Spotfire Server. The file contains the metadata values you received from Snowflake and should look like this:
    {
      "issuer": "Issuer URL setup on security integration creation",
      "authorization_endpoint": "Authorization endpoint provided by Snowflake integration",
      "token_endpoint": "Token endpoint provided by Snowflake integration",
      "token_endpoint_auth_methods_supported": [
        "client_secret_basic"
      ]
    }
  2. Register your confidential client with the config-oauth-client command in the server configuration CLI. Use the following format (one command, shown on several lines) and make sure that --authz-server-metadata-file-path points to the file you saved in the previous step:
    config-oauth-client --set-authz-server --authz-server-name="Test metadata"
      --authz-server-enabled=true --authz-server-metadata-file-path="C:\temp\my-metadata.txt"
      --authz-server-client-id="ClientID" --authz-server-client-secret="ClientSecret"
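The following script is an added example, not code from Spotfire or Snowflake. It covers both templates above: it validates a metadata file of the shape used in step 1 before you hand it to config-oauth-client, then shows the two requests an OAuth2 client derives from those values, the authorization redirect built from the client id, redirect URL and scope of the public client template, and the code-for-token exchange that the confidential client sends with client_secret_basic. The snowflakecomputing.com host, the /oauth/authorize and /oauth/token-request paths, the client id, secret, callback URL and scope are all assumed placeholders; substitute the values from your own security integration.

```python
"""Added example (not Spotfire or Snowflake code): sanity-check a Snowflake
OAuth metadata file and show the two requests an OAuth2 client derives from
it. Every hostname, client id and secret below is a made-up placeholder."""
import base64
import json
import secrets
from urllib.parse import quote, urlencode, urlparse

# Constructed sample of the metadata file from step 1. The host and paths are
# assumed placeholders, not values taken from a real security integration.
SAMPLE_METADATA = """{
  "issuer": "https://myorg-myaccount.snowflakecomputing.com",
  "authorization_endpoint": "https://myorg-myaccount.snowflakecomputing.com/oauth/authorize",
  "token_endpoint": "https://myorg-myaccount.snowflakecomputing.com/oauth/token-request",
  "token_endpoint_auth_methods_supported": ["client_secret_basic"]
}"""

REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint")


def validate_metadata(text):
    """Return a list of problems with the metadata file; empty means usable."""
    problems = []
    try:
        meta = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for key in REQUIRED_URLS:
        value = meta.get(key)
        if not isinstance(value, str):
            problems.append(f"missing {key}")
            continue
        parts = urlparse(value)
        # Authorization codes and tokens travel over these URLs: insist on https.
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key} must be an https URL, got {value!r}")
    methods = meta.get("token_endpoint_auth_methods_supported", [])
    # The confidential client registered in step 2 authenticates with HTTP
    # Basic, so the metadata must advertise client_secret_basic.
    if "client_secret_basic" not in methods:
        problems.append("token_endpoint_auth_methods_supported must list client_secret_basic")
    return problems


def load_metadata(text):
    """Parse and validate the file; raise ValueError listing every problem."""
    problems = validate_metadata(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)


def authorization_url(meta, client_id, redirect_url, scope, state=None):
    """Build the browser redirect that starts the authorization-code flow.
    state is a per-request nonce; the client must compare it on the callback."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "scope": scope,
        "state": state,
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params), state


def token_request(meta, client_id, client_secret, code, redirect_url):
    """Build the code-for-token exchange with client_secret_basic (RFC 6749
    section 2.3.1): form-encode id and secret, then Base64 "id:secret"."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # Must match the redirect_uri sent in the authorization request exactly.
        "redirect_uri": redirect_url,
    })
    return meta["token_endpoint"], headers, body


if __name__ == "__main__":
    # Hypothetical client details; the scope follows Snowflake's
    # session:role:<ROLE> syntax as an assumed example.
    meta = load_metadata(SAMPLE_METADATA)
    url, state = authorization_url(meta, "spotfire-client-id",
                                   "https://spotfire.example/oauth2/callback",
                                   "session:role:ANALYST")
    print("redirect browser to:", url)
    endpoint, headers, body = token_request(meta, "spotfire-client-id", "client-secret",
                                            "code-from-callback",
                                            "https://spotfire.example/oauth2/callback")
    print("POST", endpoint, headers, body)
```

Run validate_metadata over the file you intend to pass to --authz-server-metadata-file-path; a non-empty list is what config-oauth-client would later trip over at token time. The state value is the part of the exchange that ties a callback to the request that started it, so a real client must store it and reject callbacks whose state does not match.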