topic Configuring OAuth2 for SAS Viya to Snowflake Connection via Azure AD in Administration and Deployment

Configuring OAuth2 for SAS Viya to Snowflake Connection via Azure AD

freshstarter — Fri, 20 Mar 2026 17:53:56 GMT

Hello,

We are in the early stages of migrating from SAS 9.4 to SAS Viya on GCP, using Azure AD as our Identity Provider. To enable Snowflake authentication for individual users via OAuth2, we have configured two apps in Azure Enta:

Snowflake Resource App
SAS Viya Client App with the following configuration:
- Client ID and Secret.
- Redirect URI pointing to our SAS Viya environment.
- UPN included in the Token configuration.
- API permissions for the Snowflake Resource app, including offline access to enable refresh tokens.

Our Current Understanding: When a user executes a Snowflake libname statement, they will be prompted with a URL to authenticate. Upon successful login, an access token is issued, the user is redirected back to SAS Viya, and the connection to Snowflake is established.

I plan to use the SAS Viya Credentials Service to create an OAuth 2.0 domain (e.g., snowflake_custom_app ) containing the Client ID, Secret, and Scope, then reference it in the libanme statement:

libname snw_user snow dsn="snowflake" authdomain="snowflake_custom_app";

I have two specific questions on this:

Redirect URI: Is the standard SAS Logon callback the correct URI to use for this specific Azure client setup?
- Example: https://your-viya-server.com/SASLogon/oauth2/callback
Refresh Tokens: We want to ensure users don't have to re-authenticate for every connection within a single session. How is the refresh token handled in Viya? Will the snowflake_custom_app domain automatically manage the refresh token after the initial login? Additionally, should the redirect URI be specific to the domain name as shown below?
- Example: https://your-viya-server.com/SASLogon/oauth2/code/snowflake_custom_app

I appreciate any insights or best practices you can share! Thank you for your help.

Re: Configuring OAuth2 for SAS Viya to Snowflake Connection via Azure AD

gwootton — Thu, 26 Mar 2026 14:50:14 GMT

When you configure Viya for OIDC authentication you can set "credentials.enabled" to "true" in the OIDC configuration. This will instruct SAS Logon Manager to store the token supplied for initial authentication to the credentials service under a domain named for the configuration (e.g. azure_oidc).

When you submit a libname statement with the AUTHSCOPE setting, this will trigger a call back to the OIDC provider for an access token for the requested scope using the initially captured access token. This is enabled by the API permissions in the SAS Viya Client App to the Snowflake Resource App.

So the user would not be redirected anywhere, this would all be handled by Viya, and this is how the tokens remain valid.

The redirect URI you have is correct for the OIDC configuration.

Re: Configuring OAuth2 for SAS Viya to Snowflake Connection via Azure AD

freshstarter — Thu, 09 Apr 2026 14:55:03 GMT

Thanks @gwootton for your response. After setting "credentials.enabled" , we are successfully able to connect to Snowflake.