Connection to Snowflake using TIBCO Spotfire connector fails with error "The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert"

Article ID: KB0077014

Products: Spotfire Analyst
Versions: 10.3 and Higher

Description

When using the TIBCO Spotfire Connector for Snowflake with Okta as the authentication method, the connection may fail with the following error, which can be seen in snowflake_odbc_connection.log (the log generated in the Snowflake ODBC installation directory, based on the tracing level set in the DSN configuration):
 
Sep 25 19:31:20 INFO  49080 ConnectionSettings::UpdateSettings: ----- exit -----
Sep 25 19:31:22 ERROR 49080 Connection::SQLDriverConnectW: [Snowflake][Snowflake] (35)
The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert

This issue is caused either by a wrong Snowflake destination URL in the Okta application settings or by multi-factor authentication being enabled in Okta. The error above is an example where SAML is chosen as the sign-on method, but the same causes apply if the sign-on method is Secure Web Authentication or OpenID.
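To locate this failure in a longer snowflake_odbc_connection.log, the following added example (not part of the original article, and not TIBCO or Snowflake tooling) folds the untimestamped message line into its header record and extracts the expected and post back values. The header layout is assumed from the excerpt above, the function names are hypothetical, and the last two sample lines are constructed.

```python
import re

# Lines 1-3 are the article's excerpt; the last two lines are constructed.
SAMPLE_LOG = """\
Sep 25 19:31:20 INFO  49080 ConnectionSettings::UpdateSettings: ----- exit -----
Sep 25 19:31:22 ERROR 49080 Connection::SQLDriverConnectW: [Snowflake][Snowflake] (35)
The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert
Sep 25 19:35:00 ERROR 50112 Constructed::Unrelated: some other failure
Sep 25 19:35:01 INFO  50112 Constructed::Unrelated: ----- exit -----
"""

# Header layout assumed from the excerpt: "Mon DD HH:MM:SS LEVEL PID message".
HEADER = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\w+)\s+(\d+) (.*)$")
MISMATCH = re.compile(r"Saml Assertion did not match, expected=(.*?), post back=(\S+)")


def records(text):
    """Yield one dict per log record, folding untimestamped lines into the record above."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            ts, level, pid, msg = m.groups()
            current = {"time": ts, "level": level, "pid": pid, "message": msg}
        elif current and line.strip():
            current["message"] += " " + line.strip()
    if current:
        yield current


def saml_mismatches(text):
    """Return the ERROR records that carry the SAML destination mismatch."""
    hits = []
    for rec in records(text):
        m = MISMATCH.search(rec["message"])
        if rec["level"] == "ERROR" and m:
            hits.append({"time": rec["time"], "pid": rec["pid"],
                         "expected": m.group(1), "post_back": m.group(2)})
    return hits


if __name__ == "__main__":
    for hit in saml_mismatches(SAMPLE_LOG):
        print("{time} pid={pid} expected={expected} post_back={post_back}".format(**hit))
```

A post back value that differs from the expected one is the condition the error reports; which of the two causes above applies still has to be checked in the Okta configuration.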

Issue/Introduction

When using native SSO for Okta, multi-factor authentication is not supported: Snowflake requires browser-based SSO when MFA is enabled, and browser-based SSO is not supported by Spotfire.

Resolution

If multi-factor authentication is enabled for the users in Okta, Snowflake requires browser-based SSO, i.e. 'externalbrowser' as the authenticator. However, the TIBCO Spotfire connector for Snowflake only supports native SSO for Okta, which does not support MFA. After the first authentication, the login flow redirects to the next authentication step instead of the destination Snowflake URL, which produces the error above.

To resolve this issue:
  1. Disable MFA in Okta for the Spotfire users.
  2. Create a rule that does not trigger another authentication step for access from that specific network, i.e. make the internal network and the Spotfire application an exception.

Additional Information

Doc: Accessing Data from Snowflake:

Doc: Configuring DSN:

External: Snowflake Document on using Okta