Hello,
We are in the early stages of migrating from SAS 9.4 to SAS Viya on GCP, using Azure AD as our Identity Provider. To enable Snowflake authentication for individual users via OAuth2, we have configured two apps in Azure Entra:
- Snowflake Resource App
- SAS Viya Client App with the following configuration:
  - Client ID and Secret.
  - Redirect URI pointing to our SAS Viya environment.
  - UPN included in the Token configuration.
  - API permissions for the Snowflake Resource app, including offline access to enable refresh tokens.
Our Current Understanding: When a user executes a Snowflake libname statement, they will be prompted with a URL to authenticate. Upon successful login, an access token is issued, the user is redirected back to SAS Viya, and the connection to Snowflake is established.
I plan to use the SAS Viya Credentials Service to create an OAuth 2.0 domain (e.g., snowflake_custom_app) containing the Client ID, Secret, and Scope, then reference it in the libname statement:
libname snw_user snow dsn="snowflake" authdomain="snowflake_custom_app";
I have two specific questions on this:
- Redirect URI: Is the standard SAS Logon callback the correct URI to use for this specific Azure client setup?
- Refresh Tokens: We want to ensure users don't have to re-authenticate for every connection within a single session. How is the refresh token handled in Viya? Will the snowflake_custom_app domain automatically manage the refresh token after the initial login? Additionally, should the redirect URI be specific to the domain name as shown below?
I appreciate any insights or best practices you can share! Thank you for your help.
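The flow the post describes (browser login, authorization code returned to the registered redirect URI, access token issued, refresh token used so the user is not prompted again within a session) is the standard OAuth2 authorization-code grant against the Microsoft Entra ID v2.0 endpoints. The example below is added here to make that exchange concrete; it is not SAS Viya's Credentials Service code nor anything from Snowflake or Microsoft. The tenant, client ID, secret, redirect URI (`https://viya.example.com/SASLogon/login`) and resource scope (`api://snowflake-resource/session:scope:any`) are placeholders, and the HTTP POST to the token endpoint is injected so the flow runs offline against a constructed fake endpoint. Two points a practitioner would check are built in: the `state` value is compared on return (CSRF protection for the callback), and the refresh token is rotated whenever the token endpoint returns a new one.

```python
"""Worked OAuth2 authorization-code + refresh-token flow against Microsoft Entra ID
v2.0 endpoints. Added example, not SAS Viya, Snowflake or Microsoft code; all
names below are placeholders and the token endpoint is faked so it runs offline."""
import secrets
import time
import urllib.parse

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_authorize_url(tenant, client_id, redirect_uri, resource_scope, state):
    """URL the user is sent to. 'offline_access' is the scope that makes Entra
    return a refresh token; 'state' is the CSRF nonce checked on the callback."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match the URI registered on the app
        "response_mode": "query",
        "scope": f"{resource_scope} openid offline_access",
        "state": state,
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urllib.parse.urlencode(params)


class OAuthSession:
    """Caches one user's tokens and refreshes silently before the access token expires."""

    def __init__(self, tenant, client_id, client_secret, redirect_uri,
                 resource_scope, post, clock=time.time, skew=60):
        self.token_url = TOKEN_URL.format(tenant=tenant)
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.resource_scope = redirect_uri, resource_scope
        self.post, self.clock, self.skew = post, clock, skew  # post(url, form) -> dict
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        # Entra may rotate the refresh token; keep the newest one when present
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(resp["expires_in"])

    def redeem_code(self, code, returned_state, expected_state):
        """Exchange the authorization code from the callback for tokens."""
        if not secrets.compare_digest(returned_state, expected_state):
            raise ValueError("state mismatch: possible CSRF or mixed-up callback")
        self._store(self.post(self.token_url, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri,
            "scope": f"{self.resource_scope} openid offline_access"}))

    def get_access_token(self):
        """Return a valid access token, refreshing if it expires within 'skew' seconds."""
        if self.access_token is None:
            raise RuntimeError("no tokens yet: the user must complete the browser login")
        if self.clock() >= self.expires_at - self.skew:
            if self.refresh_token is None:
                raise RuntimeError("access token expired and no refresh token: log in again")
            self._store(self.post(self.token_url, {
                "client_id": self.client_id, "client_secret": self.client_secret,
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "scope": f"{self.resource_scope} openid offline_access"}))
        return self.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for Entra's /token endpoint; records which grants were used."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, form):
        self.calls.append(form["grant_type"])
        n = len(self.calls)
        return {"access_token": f"at{n}", "refresh_token": f"rt{n}",
                "token_type": "Bearer", "expires_in": 3600}


def demo():
    """Drive the flow with a fake clock; returns (authorize URL, tokens seen, grants used, refresh token)."""
    tenant, cid, redirect = "contoso.onmicrosoft.com", "client-id", "https://viya.example.com/SASLogon/login"
    scope = "api://snowflake-resource/session:scope:any"   # placeholder resource scope
    now = [1000.0]
    endpoint = FakeTokenEndpoint()
    sess = OAuthSession(tenant, cid, "client-secret", redirect, scope,
                        post=endpoint, clock=lambda: now[0])
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(tenant, cid, redirect, scope, state)
    sess.redeem_code("auth-code-from-callback", state, state)
    first = sess.get_access_token()    # fresh token, no refresh needed
    now[0] += 3000                      # still valid
    second = sess.get_access_token()
    now[0] += 600                       # inside the 60 s skew: silent refresh
    third = sess.get_access_token()
    return url, [first, second, third], list(endpoint.calls), sess.refresh_token


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one `authorization_code` grant followed by one `refresh_token` grant, with the cached refresh token replaced by the rotated value from the second response. Whether the Viya authentication domain performs this caching and refresh on the user's behalf is exactly the question the post raises; the example only shows what the protocol exchange must look like for that to work.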