Product: TIBCO Spotfire®
Connection to Snowflake using TIBCO Spotfire connector fails with error "The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert"
When using TIBCO Spotfire Connector for Snowflake with Okta as the authentication method, the connection may fail with the following error, which can be seen in snowflake_odbc_connection.log (the log generated in the Snowflake ODBC installation directory, based on the tracing level set in the DSN configuration):
Sep 25 19:31:20 INFO 49080 ConnectionSettings::UpdateSettings: ----- exit -----
Sep 25 19:31:22 ERROR 49080 Connection::SQLDriverConnectW: [Snowflake][Snowflake] (35) The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert
The cause of this issue is either a wrong Snowflake destination URL in the Okta application settings, or multi-factor authentication (MFA) being enabled on Okta. The error above is an example for the case where SAML is chosen as the sign-on method, but the same reasons apply if the sign-on method is Secure Web Authentication or OpenID.

If multi-factor authentication is enabled for the users on Okta, Snowflake requires browser-based SSO, i.e. 'externalbrowser', as the authenticator. However, TIBCO Spotfire connector for Snowflake only supports Native SSO for Okta, which does not support MFA. After the first authentication, the flow redirects to the next authentication step instead of the destination Snowflake URL, which produces the error above.
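To confirm from the driver log that failed connections are this assertion mismatch, and to see which post-back path the driver reported, the log can be scanned as in the following added example (not TIBCO or Snowflake tooling). It assumes the entry layout of the two log lines quoted above; the function names and the extra sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout, taken from the two log lines quoted in this article:
# "<Mon> <day> <HH:MM:SS> <LEVEL> <thread id> <Class::Method>: <message>"
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<level>[A-Z]+) +(?P<thread>\d+) +(?P<source>[\w:]+): (?P<msg>.*)$"
)
# Error (35) text exactly as it appears in the article.
MISMATCH = re.compile(
    r"\(35\) The specified authenticator and destination URL in Saml Assertion "
    r"did not match, expected=(?P<expected>.*?), post back=(?P<post_back>\S+)"
)

def find_saml_mismatches(lines):
    """Return one dict per error (35) entry found in the ODBC log lines."""
    events = []
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry or entry["level"] != "ERROR":
            continue  # skip INFO entries and lines that are not log entries
        hit = MISMATCH.search(entry["msg"])
        if hit:
            events.append({
                "timestamp": entry["ts"],
                "thread": entry["thread"],
                "expected": hit["expected"],
                "post_back": hit["post_back"],
            })
    return events

def summarize(events):
    """Count failures per (expected destination, actual post-back) pair."""
    return Counter((e["expected"], e["post_back"]) for e in events)

# Constructed sample: the article's two lines plus two made-up entries.
SAMPLE_LOG = """\
Sep 25 19:31:20 INFO 49080 ConnectionSettings::UpdateSettings: ----- exit -----
Sep 25 19:31:22 ERROR 49080 Connection::SQLDriverConnectW: [Snowflake][Snowflake] (35) The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert
Sep 25 19:40:02 ERROR 51344 Connection::SQLDriverConnectW: [Snowflake][Snowflake] (35) The specified authenticator and destination URL in Saml Assertion did not match, expected=XXXX, post back=/login/cert
Sep 25 19:41:10 ERROR 51344 Connection::SQLDriverConnectW: constructed unrelated error
""".splitlines()

if __name__ == "__main__":
    for (expected, post_back), n in summarize(find_saml_mismatches(SAMPLE_LOG)).items():
        print(f"{n} failure(s): expected={expected} post back={post_back}")
```

A post-back path that differs from the expected destination on every failure matches the redirect behaviour described above; compare the expected value against the Snowflake destination URL configured in the Okta application.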
To resolve this issue:
- Disable MFA on Okta for the Spotfire users.
- Make a rule to not trigger another authentication step when access comes from that specific network, i.e. make the internal network and the Spotfire application an exception.
Doc: Accessing Data from Snowflake:
Doc: Configuring DSN:
External: Snowflake Document on using Okta