snowflakedb / snowflake-connector-python

Snowflake Connector for Python
https://pypi.python.org/pypi/snowflake-connector-python/
Apache License 2.0

SNOW-303677: mismatch in authentication urls when using okta sso (authenticator and destination URL in the SAML assertion do not match: expected: https://<name>.snowflakecomputing.com:443, post back: /login/cert) #663

Closed andytwigg closed 1 year ago

andytwigg commented 3 years ago

Please answer these questions before submitting your issue. Thanks!

  1. What version of Python are you using (python --version)? 3.8.3

  2. What operating system and processor architecture are you using (python -c 'import platform; print(platform.platform())')? macOS-10.16-x86_64-i386-64bit

  3. What are the component versions in the environment (pip freeze)?

appdirs==1.4.4
astroid==2.4.2
async-generator==1.10
azure-common==1.1.26
azure-core==1.9.0
azure-storage-blob==12.6.0
backcall==0.2.0
boto3==1.16.49
botocore==1.19.49
certifi==2020.6.20
cffi==1.14.0
chardet==3.0.4
cloudpickle==1.6.0
conda==4.9.2
conda-package-handling==1.7.0+0.g7c4a471.dirty
cryptography==2.9.2
cycler==0.10.0
decorator==4.4.2
defusedxml==0.6.0
distlib==0.3.1
docopt==0.6.2
entrypoints==0.3
filelock==3.0.12
future==0.18.2
hyperopt==0.2.5
idna==2.9
importlib-metadata @ file:///tmp/build/80754af9/importlib-metadata_1602276842396/work
iniconfig==1.1.1
ipykernel @ file:///opt/concourse/worker/volumes/live/88f541d3-5a27-498f-7391-f2e50ca36560/volume/ipykernel_1596206680118/work/dist/ipykernel-5.3.4-py3-none-any.whl
ipython @ file:///opt/concourse/worker/volumes/live/26969e8f-c9f7-42dc-6ffb-b3effd424c49/volume/ipython_1604101242376/work
ipython-genutils==0.2.0
ipywidgets @ file:///tmp/build/80754af9/ipywidgets_1601490159889/work
isodate==0.6.0
isort==5.6.4
jedi @ file:///opt/concourse/worker/volumes/live/c63c70ef-654a-4d26-6b78-37aef096f225/volume/jedi_1596490811751/work
Jinja2==2.11.2
jmespath==0.10.0
joblib @ file:///tmp/build/80754af9/joblib_1601912903842/work
jsonschema @ file:///tmp/build/80754af9/jsonschema_1602607155483/work
jupyter==1.0.0
jupyter-client @ file:///tmp/build/80754af9/jupyter_client_1601311786391/work
jupyter-console @ file:///tmp/build/80754af9/jupyter_console_1598884538475/work
jupyter-core==4.6.3
jupyterlab-pygments @ file:///tmp/build/80754af9/jupyterlab_pygments_1601490720602/work
keyring==21.8.0
mccabe==0.6.1
mistune @ file:///opt/concourse/worker/volumes/live/95802d64-d39c-491b-74ce-b9326880ca54/volume/mistune_1594373201816/work
mkl-fft==1.2.0
mkl-random==1.1.1
mkl-service==2.3.0
msrest==0.6.19
nbclient @ file:///tmp/build/80754af9/nbclient_1602783176460/work
nbconvert @ file:///opt/concourse/worker/volumes/live/2b9c1d93-d0fd-432f-7d93-66c93d81b614/volume/nbconvert_1601914875037/work
nbformat @ file:///tmp/build/80754af9/nbformat_1602783287752/work
nest-asyncio @ file:///tmp/build/80754af9/nest-asyncio_1601499549014/work
networkx==2.5
notebook @ file:///opt/concourse/worker/volumes/live/be0f3504-189d-4bae-4e57-c5d6da73ffcd/volume/notebook_1601501605350/work
numpy @ file:///opt/concourse/worker/volumes/live/5572694e-967a-4c0c-52cf-b53d43e72de9/volume/numpy_and_numpy_base_1603491881791/work
oauthlib==3.1.0
olefile==0.46
oscrypto==1.2.1
packaging==20.4
pandas @ file:///opt/concourse/worker/volumes/live/f14cf8c4-c564-4eff-4b17-158e90dbf88a/volume/pandas_1602088128240/work
pandocfilters==1.4.2
parso==0.7.0
pexpect @ file:///opt/concourse/worker/volumes/live/8701bb20-ad87-46c7-5108-30c178cf97e5/volume/pexpect_1594383388344/work
pickleshare @ file:///opt/concourse/worker/volumes/live/93ec39d8-05bb-4f84-7efc-98735bc39b70/volume/pickleshare_1594384101884/work
Pillow @ file:///opt/concourse/worker/volumes/live/991b9a87-3372-4acd-45f9-eaa52701f03c/volume/pillow_1603822262543/work
pipreqs==0.4.10
pluggy==0.13.1
prometheus-client==0.8.0
prompt-toolkit @ file:///tmp/build/80754af9/prompt-toolkit_1602688806899/work
ptyprocess==0.6.0
py==1.9.0
pyarrow==0.17.1
pycosat==0.6.3
pycparser==2.20
pycryptodomex==3.9.9
Pygments @ file:///tmp/build/80754af9/pygments_1604103097372/work
pygraphviz==1.7
PyJWT==1.7.1
pylint==2.6.0
pyOpenSSL==19.1.0
pyparsing==2.4.7
pyrsistent @ file:///opt/concourse/worker/volumes/live/ff11f3f0-615b-4508-471d-4d9f19fa6657/volume/pyrsistent_1600141727281/work
PySocks==1.7.1
pytest==6.1.2
python-dateutil==2.8.1
pytz==2020.1
pyzmq==19.0.2
qtconsole @ file:///tmp/build/80754af9/qtconsole_1600870028330/work
QtPy==1.9.0
requests==2.23.0
requests-oauthlib==1.3.0
ruamel-yaml==0.15.87
s3transfer==0.3.3
scikit-learn @ file:///opt/concourse/worker/volumes/live/111833a2-339b-4578-413b-7337bb8fe64a/volume/scikit-learn_1598376920601/work
scipy @ file:///opt/concourse/worker/volumes/live/851446f6-a052-41c4-4243-67bb78999b49/volume/scipy_1604596178167/work
seaborn==0.11.0
Send2Trash==1.5.0
six==1.14.0
snowflake-connector-python==2.3.7
snowflake-sqlalchemy==1.2.4
SQLAlchemy==1.3.22
terminado==0.9.1
testpath==0.4.4
threadpoolctl @ file:///tmp/tmp9twdgx9k/threadpoolctl-2.1.0-py3-none-any.whl
toml==0.10.2
tornado==6.0.4
tqdm @ file:///tmp/build/80754af9/tqdm_1602185206534/work
traitlets @ file:///tmp/build/80754af9/traitlets_1602787416690/work
urllib3==1.25.8
virtualenv==20.3.0
wcwidth @ file:///tmp/build/80754af9/wcwidth_1593447189090/work
webencodings==0.5.1
widgetsnbextension==3.5.1
wrapt==1.12.1
xgboost==1.3.0.post0
yarg==0.1.9

  4. What did you do? If possible, provide a recipe for reproducing the error. A complete runnable program is good.

```python
import snowflake.connector
import logging
logging.basicConfig(level=logging.DEBUG)

ctx = snowflake.connector.connect(
  user='<okta_user>',
  account='<snowflake_account>',
  password='<okta_pwd>',
  authenticator='https://<okta_name>.okta.com'
)
cs = ctx.cursor()
```

  5. What did you expect to see?

success, the cursor object.

  6. What did you see instead?

```
DatabaseError: 250007 (08001): None: The specified authenticator and destination URL in the SAML assertion do not match: expected: https://<snowflake_account>.snowflakecomputing.com:443, post back: /login/cert
```

  7. Can you set logging to DEBUG and collect the logs?

2021-03-24 10:37:15,905 - MainThread ssl_wrap_socket.py:42 - inject_into_urllib3() - DEBUG - Injecting ssl_wrap_socket_with_ocsp
2021-03-24 10:37:16,199 - MainThread auth.py:64 - <module>() - DEBUG - cache directory: /Users/andytwigg/Library/Caches/Snowflake
2021-03-24 10:37:16,400 - MainThread connection.py:214 - __init__() - INFO - Snowflake Connector for Python Version: 2.3.7, Python Version: 3.8.3, Platform: macOS-10.16-x86_64-i386-64bit
2021-03-24 10:37:16,400 - MainThread connection.py:417 - connect() - DEBUG - connect
2021-03-24 10:37:16,400 - MainThread connection.py:651 - __config() - DEBUG - __config
2021-03-24 10:37:16,400 - MainThread connection.py:768 - __config() - INFO - This connection is in OCSP Fail Open Mode. TLS Certificates would be checked for validity and revocation status. Any other Certificate Revocation related exceptions or OCSP Responder failures would be disregarded in favor of connectivity.
2021-03-24 10:37:16,400 - MainThread connection.py:784 - __config() - INFO - Setting use_openssl_only mode to False
2021-03-24 10:37:16,401 - MainThread converter.py:134 - __init__() - DEBUG - use_numpy: False
2021-03-24 10:37:16,401 - MainThread connection.py:565 - __open_connection() - DEBUG - REST API object was created: lwdev.snowflakecomputing.com:443
2021-03-24 10:37:16,401 - MainThread auth_okta.py:99 - authenticate() - DEBUG - authenticating by SAML
2021-03-24 10:37:16,401 - MainThread auth_okta.py:108 - _step1() - DEBUG - step 1: query GS to obtain IDP token and SSO url
2021-03-24 10:37:16,401 - MainThread auth_okta.py:129 - _step1() - DEBUG - account=lwdev, authenticator=https://lacework.okta.com
2021-03-24 10:37:16,401 - MainThread network.py:919 - _use_requests_session() - DEBUG - Active requests sessions: 1, idle: 0
2021-03-24 10:37:16,401 - MainThread network.py:619 - _request_exec_wrapper() - DEBUG - remaining request timeout: 120, retry cnt: 1
2021-03-24 10:37:16,401 - MainThread network.py:763 - _request_exec() - DEBUG - socket timeout: 60
2021-03-24 10:37:16,584 - MainThread ocsp_snowflake.py:443 - reset_cache_dir() - DEBUG - cache directory: /Users/andytwigg/Library/Caches/Snowflake
2021-03-24 10:37:16,653 - MainThread ssl_wrap_socket.py:76 - ssl_wrap_socket_with_ocsp() - DEBUG - OCSP Mode: FAIL_OPEN, OCSP response cache file name: None
2021-03-24 10:37:16,653 - MainThread ocsp_snowflake.py:480 - reset_ocsp_response_cache_uri() - DEBUG - ocsp_response_cache_uri: file:///Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json
2021-03-24 10:37:16,653 - MainThread ocsp_snowflake.py:482 - reset_ocsp_response_cache_uri() - DEBUG - OCSP_VALIDATION_CACHE size: 0
2021-03-24 10:37:16,653 - MainThread ocsp_snowflake.py:280 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP response cache server is enabled: http://ocsp.snowflakecomputing.com/ocsp_response_cache.json
2021-03-24 10:37:16,653 - MainThread ocsp_snowflake.py:313 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP dynamic cache server RETRY URL: None
2021-03-24 10:37:16,656 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:16,657 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:16,658 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:16,659 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:16,678 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:16,680 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:16,682 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,683 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,684 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,685 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,686 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,687 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,688 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,689 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,689 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,690 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,691 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:16,692 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,693 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:16,694 - MainThread ocsp_snowflake.py:513 - read_ocsp_response_cache_file() - DEBUG - Read OCSP response cache file: /Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json, count=150
2021-03-24 10:37:16,694 - MainThread ocsp_snowflake.py:1011 - validate() - DEBUG - validating certificate: lwdev.snowflakecomputing.com
2021-03-24 10:37:16,694 - MainThread ocsp_asn1crypto.py:385 - extract_certificate_chain() - DEBUG - # of certificates: 4
2021-03-24 10:37:16,695 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('common_name', '*.us-west-2.snowflakecomputing.com')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('organizational_unit_name', 'Server CA 1B'), ('common_name', 'Amazon')])
2021-03-24 10:37:16,695 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('organizational_unit_name', 'Server CA 1B'), ('common_name', 'Amazon')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')])
2021-03-24 10:37:16,696 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')]), issuer: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')])
2021-03-24 10:37:16,696 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Starfield Technologies, Inc.'), ('organizational_unit_name', 'Starfield Class 2 Certification Authority')])
2021-03-24 10:37:16,697 - MainThread ocsp_asn1crypto.py:106 - read_cert_bundle() - DEBUG - reading certificate bundle: /Users/andytwigg/miniconda3/lib/python3.8/site-packages/certifi/cacert.pem
2021-03-24 10:37:16,707 - MainThread ocsp_asn1crypto.py:414 - create_pair_issuer_subject() - DEBUG - not found issuer_der: OrderedDict([('country_name', 'US'), ('organization_name', 'Starfield Technologies, Inc.'), ('organizational_unit_name', 'Starfield Class 2 Certification Authority')])
2021-03-24 10:37:16,708 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('common_name', '*.us-west-2.snowflakecomputing.com')])
2021-03-24 10:37:16,709 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:16,710 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('organizational_unit_name', 'Server CA 1B'), ('common_name', 'Amazon')])
2021-03-24 10:37:16,711 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:16,711 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')])
2021-03-24 10:37:16,712 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:16,713 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')])
2021-03-24 10:37:16,713 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('common_name', '*.us-west-2.snowflakecomputing.com')])
2021-03-24 10:37:16,714 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:16,714 - MainThread ocsp_asn1crypto.py:289 - process_ocsp_response() - DEBUG - Certificate is NOT attached in Basic OCSP Response. Using issuer's certificate
2021-03-24 10:37:16,714 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:16,740 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:16,740 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('organizational_unit_name', 'Server CA 1B'), ('common_name', 'Amazon')])
2021-03-24 10:37:16,741 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:16,741 - MainThread ocsp_asn1crypto.py:258 - process_ocsp_response() - DEBUG - Certificate is attached in Basic OCSP Response
2021-03-24 10:37:16,741 - MainThread ocsp_asn1crypto.py:260 - process_ocsp_response() - DEBUG - Verifying the attached certificate is signed by the issuer
2021-03-24 10:37:16,742 - MainThread ocsp_asn1crypto.py:262 - process_ocsp_response() - DEBUG - Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:16,743 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:16,746 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:16,746 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')])
2021-03-24 10:37:16,747 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:16,748 - MainThread ocsp_asn1crypto.py:258 - process_ocsp_response() - DEBUG - Certificate is attached in Basic OCSP Response
2021-03-24 10:37:16,748 - MainThread ocsp_asn1crypto.py:260 - process_ocsp_response() - DEBUG - Verifying the attached certificate is signed by the issuer
2021-03-24 10:37:16,748 - MainThread ocsp_asn1crypto.py:262 - process_ocsp_response() - DEBUG - Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:16,749 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:16,752 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:16,752 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')])
2021-03-24 10:37:16,753 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:16,754 - MainThread ocsp_asn1crypto.py:258 - process_ocsp_response() - DEBUG - Certificate is attached in Basic OCSP Response
2021-03-24 10:37:16,754 - MainThread ocsp_asn1crypto.py:260 - process_ocsp_response() - DEBUG - Verifying the attached certificate is signed by the issuer
2021-03-24 10:37:16,754 - MainThread ocsp_asn1crypto.py:262 - process_ocsp_response() - DEBUG - Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:16,755 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:16,757 - MainThread ocsp_snowflake.py:570 - write_ocsp_response_cache_file() - DEBUG - writing OCSP response cache file to /Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json
2021-03-24 10:37:16,757 - MainThread ocsp_snowflake.py:1556 - encode_ocsp_response_cache() - DEBUG - encoding OCSP response cache to JSON
2021-03-24 10:37:16,771 - MainThread ocsp_snowflake.py:1055 - _validate() - DEBUG - ok
2021-03-24 10:37:16,855 - MainThread network.py:793 - _request_exec() - DEBUG - SUCCESS
2021-03-24 10:37:16,855 - MainThread network.py:931 - _use_requests_session() - DEBUG - Active requests sessions: 0, idle: 1
2021-03-24 10:37:16,855 - MainThread network.py:519 - _post_request() - DEBUG - ret[code] = None, after post request
2021-03-24 10:37:16,855 - MainThread auth_okta.py:147 - _step2() - DEBUG - step 2: validate Token and SSO URL has the same prefix as authenticator
2021-03-24 10:37:16,855 - MainThread auth_okta.py:167 - _step3() - DEBUG - step 3: query IDP token url to authenticate and retrieve access token
2021-03-24 10:37:16,856 - MainThread network.py:919 - _use_requests_session() - DEBUG - Active requests sessions: 1, idle: 0
2021-03-24 10:37:16,856 - MainThread network.py:619 - _request_exec_wrapper() - DEBUG - remaining request timeout: 120, retry cnt: 1
2021-03-24 10:37:16,856 - MainThread network.py:763 - _request_exec() - DEBUG - socket timeout: 60
2021-03-24 10:37:17,134 - MainThread ssl_wrap_socket.py:76 - ssl_wrap_socket_with_ocsp() - DEBUG - OCSP Mode: FAIL_OPEN, OCSP response cache file name: None
2021-03-24 10:37:17,134 - MainThread ocsp_snowflake.py:480 - reset_ocsp_response_cache_uri() - DEBUG - ocsp_response_cache_uri: file:///Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json
2021-03-24 10:37:17,135 - MainThread ocsp_snowflake.py:482 - reset_ocsp_response_cache_uri() - DEBUG - OCSP_VALIDATION_CACHE size: 150
2021-03-24 10:37:17,135 - MainThread ocsp_snowflake.py:280 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP response cache server is enabled: http://ocsp.snowflakecomputing.com/ocsp_response_cache.json
2021-03-24 10:37:17,135 - MainThread ocsp_snowflake.py:313 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP dynamic cache server RETRY URL: None
2021-03-24 10:37:17,140 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,142 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,143 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:17,144 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:43:45+00:00
2021-03-24 10:37:17,146 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:17,147 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2024-05-12 02:47:38+00:00
2021-03-24 10:37:17,148 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:17,150 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2021-12-14 07:00:00+00:00
2021-03-24 10:37:17,190 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,191 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,192 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,193 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-12 23:58:59+00:00
2021-03-24 10:37:17,197 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,198 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,200 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,200 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,201 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,202 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,203 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,204 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,205 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,206 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,207 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,207 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,208 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,209 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,210 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,211 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,212 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,213 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,214 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,214 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,215 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,216 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 19:58:13+00:00
2021-03-24 10:37:17,217 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,218 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,219 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,220 - MainThread ocsp_asn1crypto.py:201 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2022-02-02 20:12:03+00:00
2021-03-24 10:37:17,221 - MainThread ocsp_snowflake.py:513 - read_ocsp_response_cache_file() - DEBUG - Read OCSP response cache file: /Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json, count=150
2021-03-24 10:37:17,221 - MainThread ocsp_snowflake.py:1011 - validate() - DEBUG - validating certificate: lacework.okta.com
2021-03-24 10:37:17,221 - MainThread ocsp_asn1crypto.py:385 - extract_certificate_chain() - DEBUG - # of certificates: 2
2021-03-24 10:37:17,222 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'California'), ('locality_name', 'San Francisco'), ('organization_name', 'Okta, Inc.'), ('common_name', '*.okta.com')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert SHA2 High Assurance Server CA')])
2021-03-24 10:37:17,222 - MainThread ocsp_asn1crypto.py:392 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert SHA2 High Assurance Server CA')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert High Assurance EV Root CA')])
2021-03-24 10:37:17,223 - MainThread ocsp_asn1crypto.py:414 - create_pair_issuer_subject() - DEBUG - not found issuer_der: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert High Assurance EV Root CA')])
2021-03-24 10:37:17,223 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'California'), ('locality_name', 'San Francisco'), ('organization_name', 'Okta, Inc.'), ('common_name', '*.okta.com')])
2021-03-24 10:37:17,224 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert SHA2 High Assurance Server CA')])
2021-03-24 10:37:17,225 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'California'), ('locality_name', 'San Francisco'), ('organization_name', 'Okta, Inc.'), ('common_name', '*.okta.com')])
2021-03-24 10:37:17,225 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:17,226 - MainThread ocsp_asn1crypto.py:289 - process_ocsp_response() - DEBUG - Certificate is NOT attached in Basic OCSP Response. Using issuer's certificate
2021-03-24 10:37:17,226 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:17,228 - MainThread ocsp_snowflake.py:637 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'DigiCert Inc'), ('organizational_unit_name', 'www.digicert.com'), ('common_name', 'DigiCert SHA2 High Assurance Server CA')])
2021-03-24 10:37:17,228 - MainThread ocsp_snowflake.py:1168 - validate_by_direct_connection() - DEBUG - using OCSP response cache
2021-03-24 10:37:17,228 - MainThread ocsp_asn1crypto.py:289 - process_ocsp_response() - DEBUG - Certificate is NOT attached in Basic OCSP Response. Using issuer's certificate
2021-03-24 10:37:17,228 - MainThread ocsp_asn1crypto.py:295 - process_ocsp_response() - DEBUG - Verifying the OCSP response is signed by the issuer.
2021-03-24 10:37:17,230 - MainThread ocsp_snowflake.py:570 - write_ocsp_response_cache_file() - DEBUG - writing OCSP response cache file to /Users/andytwigg/Library/Caches/Snowflake/ocsp_response_cache.json
2021-03-24 10:37:17,230 - MainThread ocsp_snowflake.py:1556 - encode_ocsp_response_cache() - DEBUG - encoding OCSP response cache to JSON
2021-03-24 10:37:17,244 - MainThread ocsp_snowflake.py:1055 - _validate() - DEBUG - ok
2021-03-24 10:37:17,652 - MainThread network.py:793 - _request_exec() - DEBUG - SUCCESS
2021-03-24 10:37:17,652 - MainThread network.py:931 - _use_requests_session() - DEBUG - Active requests sessions: 0, idle: 1
2021-03-24 10:37:17,652 - MainThread auth_okta.py:196 - _step4() - DEBUG - step 4: query IDP URL snowflake app to get SAML response
2021-03-24 10:37:17,653 - MainThread network.py:919 - _use_requests_session() - DEBUG - Active requests sessions: 1, idle: 0
2021-03-24 10:37:17,653 - MainThread network.py:619 - _request_exec_wrapper() - DEBUG - remaining request timeout: 120, retry cnt: 1
2021-03-24 10:37:17,653 - MainThread network.py:763 - _request_exec() - DEBUG - socket timeout: 60
2021-03-24 10:37:18,077 - MainThread network.py:793 - _request_exec() - DEBUG - SUCCESS
2021-03-24 10:37:18,077 - MainThread network.py:931 - _use_requests_session() - DEBUG - Active requests sessions: 0, idle: 1
2021-03-24 10:37:18,077 - MainThread auth_okta.py:214 - _step5() - DEBUG - step 5: validate post_back_url matches Snowflake URL
2021-03-24 10:37:18,077 - MainThread auth_okta.py:50 - _get_post_back_url_from_html() - DEBUG - <!DOCTYPE html>
<!--[if IE 7]><html lang="en" class="lt-ie10 lt-ie9 lt-ie8"><![endif]-->
<!--[if IE 8]><html lang="en" class="lt-ie10 lt-ie9"> <![endif]-->
<!--[if IE 9]><html lang="en" class="lt-ie10"><![endif]-->
<!--[if gt IE 9]><html lang="en"><![endif]-->
<!--[if !IE]><!--><html lang="en"><!--<![endif]-->
<head>
    <meta charset="UTF-8">

    <script>if (typeof module === 'object') {window.module = module; module = undefined;}</script>

    <title>Lacework, Inc. - Sign In</title>
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="robots" content="none" />
    <script src="https://ok11static.oktacdn.com/assets/js/sdk/okta-signin-widget/5.4.3/js/okta-sign-in.min.js" type="text/javascript"></script>
    <link href="https://ok11static.oktacdn.com/assets/js/sdk/okta-signin-widget/5.4.3/css/okta-sign-in.min.css" type="text/css" rel="stylesheet"/>
    <link href="https://ok11static.oktacdn.com/assets/loginpage/css/loginpage-theme.7138a0eb969c6a25c2d39004ad54df8a.css" type="text/css" rel="stylesheet"/><script>
        var okta = {
            locale: 'en',
            deployEnv: 'PROD'
        };
    </script>
    <script>window.okta || (window.okta = {}); okta.cdnUrlHostname = "//ok11static.oktacdn.com"; okta.cdnPerformCheck = false;</script><script>if (window.module) module = window.module;</script>

</head>
<body class="auth okta-container">

<!--[if gte IE 8]>
  <![if lte IE 10]>

    <style>
    .unsupported-browser-banner-wrap {
      padding: 20px;
      border: 1px solid #ddd;
      background-color: #f3fbff;
    }
    .unsupported-browser-banner-inner {
      position: relative;
      width: 735px;
      margin: 0 auto;
      text-align: left;
    }
    .unsupported-browser-banner-inner .icon {
      vertical-align: top;
      margin-right: 20px;
      display: inline-block;
      position: static !important;
    }
    .unsupported-browser-banner-inner a {
      text-decoration: underline;
    }
    </style>

    <div class="unsupported-browser-banner-wrap">
      <div class="unsupported-browser-banner-inner">
        <span class="icon icon-16 icon-only warning-16-yellow"></span>You are using an unsupported browser. For the best experience, update to <a href="https://support.okta.com/help/s/article/Okta-Browser-and-OS-Support-Policy">a supported browser</a>.</div>
    </div>

  <![endif]>
<![endif]-->
<!--[if IE 8]> <div id="login-bg-image-ie8" class="login-bg-image" data-se="login-bg-image"></div> <![endif]-->
<!--[if (gt IE 8)|!(IE)]><!--> <div id="login-bg-image" class="login-bg-image" data-se="login-bg-image"></div> <!--<![endif]-->

<!-- hidden form for reposting fromURI for X509 auth -->
<form action="/login/cert" method="post" id="x509_login" name="x509_login" style="display:none;">
    <input type="hidden" class="hide" name="_xsrfToken" value="null"/><input type="hidden" id="fromURI" name="fromURI" class="hidden" value="&#x2f;login&#x2f;second-factor&#x3f;fromURI&#x3d;&#x25;2Fapp&#x25;2Fsnowflake&#x25;2FexkpiycqwzpQkK3VN4x6&#x25;2Fsso&#x25;2Fsaml&#x25;3FRelayState&#x25;3D&#x25;252Fsome&#x25;252Fdeep&#x25;252Flink&#x25;26onetimetoken&#x25;3D20111lIHP4awkY7w_YVZFfw7p3t5zwJwVOP4oWWLZrcnXrWdoMg0kZd"/>
</form>

<div class="content">
  <style type="text/css">
    .noscript-msg {
        background-color: #fff;
        border-color: #ddd #ddd #d8d8d8;
        box-shadow:0 2px 0 rgba(175, 175, 175, 0.12);
        text-align: center;
        width: 398px;
        min-width: 300px;
        margin: 200px auto;
        border-radius: 3px;
        border-width: 1px;
        border-style: solid;
    }

    .noscript-content {
        padding: 42px;
    }

    .noscript-content h2 {
        padding-bottom: 20px;
    }

    .noscript-content h1 {
        padding-bottom: 25px;
    }

    .noscript-content a {
        background: transparent;
        box-shadow: none;
        display: table-cell;
        vertical-align: middle;
        width: 314px;
        height: 50px;
        line-height: 36px;
        color: #fff;
        background: linear-gradient(#007dc1, #0073b2), #007dc1;
        border: 1px solid;
        border-color: #004b75;
        border-bottom-color: #00456a;
        box-shadow: rgba(0, 0, 0, 0.15) 0 1px 0, rgba(255, 255, 255, 0.1) 0 1px 0 0 inset;
        -webkit-border-radius: 3px;
        border-radius: 3px;
    }

    .noscript-content a:hover {
        background: #007dc1;
        cursor: hand;
        text-decoration: none;
    }
</style>
<noscript>
    <div id="noscript-msg" class="noscript-msg">
        <div class="noscript-content">
            <h2>Javascript is required</h2>
            <h1>Javascript is disabled on your browser.&nbspPlease enable Javascript and refresh this page.</h1>
            <a href=".">Refresh</a>
        </div>
    </div>
</noscript>
<div id="signin-container"></div>
  <div id="okta-sign-in" class="auth-container main-container" style="display:none">
      <div id="unsupported-onedrive" class="unsupported-message" style="display:none">
        <h2 class="o-form-head">Your OneDrive version is not supported</h2>
        <p>Upgrade now by installing the OneDrive for Business Next Generation Sync Client to login to Okta</p>
        <a class="button button-primary" target="_blank" href="https://support.okta.com/help/articles/Knowledge_Article/Upgrading-to-OneDrive-for-Business-Next-Generation-Sync-Client">
          Learn how to upgrade</a>
      </div>
      <div id="unsupported-cookie" class="unsupported-message" style="display:none">
          <h2 class="o-form-head">Cookies are required</h2>
          <p>Cookies are disabled on your browser. Please enable Cookies and refresh this page.</p>
          <a class="button button-primary" target="_blank" href=".">
              Refresh</a>
      </div>
  </div>
</div>

<div class="footer">
  <div class="footer-container clearfix">
    <p class="copyright">Powered by <a href="http://www.okta.com/" class="inline-block notranslate">Okta</a></p>
        <p class="privacy-policy"><a href="/privacy" target="_blank" class="inline-block margin-l-10">Privacy Policy</a></p>
    </div>
</div>

<script type="text/javascript">function runLoginPage (fn) {var mainScript = document.createElement('script');mainScript.src = 'https://ok11static.oktacdn.com/assets/js/mvc/loginpage/initLoginPage.pack.498e0f659d5de22f4dc83c8cd77ce5a8.js';mainScript.crossOrigin = 'anonymous';mainScript.integrity = 'sha384-RWIRXh2+JYGZGiYfKhdsB/tDmvgPHkLXNoA/+1cvfFKhkLPwambG2U059kJUy3Lm';document.getElementsByTagName('head')[0].appendChild(mainScript);fn && mainScript.addEventListener('load', function () { setTimeout(fn, 1) });}</script><script type="text/javascript">
(function(){

  var baseUrl = 'https\x3A\x2F\x2Flacework.okta.com';
  var suppliedRedirectUri = '';
  var repost = false;
  var stateToken = '';
  var fromUri = '\x2Flogin\x2Fsecond\x2Dfactor\x3FfromURI\x3D\x252Fapp\x252Fsnowflake\x252FexkpiycqwzpQkK3VN4x6\x252Fsso\x252Fsaml\x253FRelayState\x253D\x25252Fsome\x25252Fdeep\x25252Flink\x2526onetimetoken\x253D20111lIHP4awkY7w_YVZFfw7p3t5zwJwVOP4oWWLZrcnXrWdoMg0kZd';
  var username = '';
  var rememberMe = true;
  var smsRecovery = true;
  var callRecovery = false;
  var emailRecovery = true;
  var usernameLabel = 'Username';
  var usernameInlineLabel = '';
  var passwordLabel = 'Password';
  var passwordInlineLabel = '';
  var signinLabel = 'Sign\x20In';
  var forgotpasswordLabel = 'Forgot\x20password\x3F';
  var unlockaccountLabel = 'Unlock\x20account\x3F';
  var helpLabel = 'Help';
  var orgSupportPhoneNumber = '';
  var hideSignOutForMFA = false;
  var hideBackToSignInForReset = false;
  var footerHelpTitle = 'Need\x20help\x20signing\x20in\x3F';
  var recoveryFlowPlaceholder = 'Email\x20or\x20Username';
  var signOutUrl = '';
  var authScheme = 'OAUTH2';
  var hasPasswordlessPolicy = '';
  var INVALID_TOKEN_ERROR_CODE = 'errors.E0000011';

  var securityImage = true;

  var selfServiceUnlock = false;

  var redirectByFormSubmit = false;

  var showPasswordRequirementsAsHtmlList = false;

    showPasswordRequirementsAsHtmlList = true;

  var autoPush = false;

    autoPush = true;

  var accountChooserDiscoveryUrl = 'https://login.okta.com/discovery/iframe.html';

  // In case of custom app login, the uri is already absolute, so we must not attach baseUrl
  var redirectUri;
  if (isAbsoluteUri(fromUri)) {
      redirectUri = fromUri;
  } else {
      redirectUri = baseUrl + fromUri;
  }

  var customButtons;
  var pivProperties = {};

  var customLinks = [];

  var factorPageCustomLink = {};

  var linkParams;

  var proxyIdxResponse;

  var stateTokenAllFlows;

  var idpDiscovery;
  var idpDiscoveryRequestContext;

  var showPasswordToggleOnSignInPage = false;

  var hasOAuth2ConsentFeature = false;
  var consentFunc;

  var hasMfaAttestationFeature = false;

    hasMfaAttestationFeature = true;

  var registration = false;

  var webauthn = true;

  var loginPageConfig = {
    fromUri: fromUri,
    repost: repost,
    redirectUri: redirectUri,
    isMobileClientLogin: false,
    isMobileSSO: false,
    disableiPadCheck: false,
    enableiPadLoginReload: false,
    linkParams: linkParams,
    hasChromeOSFeature: false,
    showLinkToAppStore: false,
    accountChooserDiscoveryUrl: accountChooserDiscoveryUrl,
    preventBrowserFromSavingOktaPassword: true,
    mfaAttestation: hasMfaAttestationFeature,
    enrollingFactor: '',
    stateTokenExpiresAt: '',
    stateTokenRefreshWindowMs: '',
    overrideExistingToken: false,
    signIn: {
      el: '#signin-container',
      baseUrl: baseUrl,
      brandName: 'Okta',
      logo: 'https://ok11static.oktacdn.com/fs/bco/1/fs04t8knzveDxyCCp4x6',
      logoText: 'Lacework,\x20Inc. logo',
      helpSupportNumber: orgSupportPhoneNumber,
      stateToken: stateToken,
      username: username,
      signOutLink: signOutUrl,
      consent: consentFunc,
      authScheme: authScheme,
      relayState: fromUri,
      proxyIdxResponse: proxyIdxResponse,
      idpDiscovery: {
        requestContext: idpDiscoveryRequestContext
      },
      features: {
        router: true,
        securityImage: securityImage,
        rememberMe: rememberMe,
        autoPush: autoPush,
        webauthn: webauthn,
        smsRecovery: smsRecovery,
        callRecovery: callRecovery,
        emailRecovery: emailRecovery,
        selfServiceUnlock: selfServiceUnlock,
        multiOptionalFactorEnroll: true,
        deviceFingerprinting: true,
        useDeviceFingerprintForSecurityImage: true,
        trackTypingPattern: false,
        hideSignOutLinkInMFA: hideSignOutForMFA,
        hideBackToSignInForReset: hideBackToSignInForReset,
        customExpiredPassword: true,
        idpDiscovery: idpDiscovery,
        passwordlessAuth: hasPasswordlessPolicy,
        consent: hasOAuth2ConsentFeature,
        showPasswordToggleOnSignInPage: showPasswordToggleOnSignInPage,
        registration: registration,
        redirectByFormSubmit: redirectByFormSubmit,
        restrictRedirectToForeground: true,
        showPasswordRequirementsAsHtmlList: showPasswordRequirementsAsHtmlList
      },

      assets: {
        baseUrl: "https\x3A\x2F\x2Fok11static.oktacdn.com\x2Fassets\x2Fjs\x2Fsdk\x2Fokta\x2Dsignin\x2Dwidget\x2F5.4.3"
      },

      language: okta.locale,
      i18n: {},

      customButtons: customButtons,

      piv: pivProperties,

      helpLinks: {
        help: '',
        forgotPassword: '',
        unlock: '',
        custom: customLinks,
        factorPage: factorPageCustomLink
      }
    }
  };

  loginPageConfig.signIn.i18n[okta.locale] = {

    'primaryauth.username.placeholder': usernameLabel,
    'primaryauth.username.tooltip': usernameInlineLabel,
    'primaryauth.password.placeholder': passwordLabel,
    'primaryauth.password.tooltip': passwordInlineLabel,
    'mfa.challenge.password.placeholder': passwordLabel,
    'primaryauth.title': signinLabel,
    'forgotpassword': forgotpasswordLabel,
    'unlockaccount': unlockaccountLabel,
    'help': helpLabel,
    'needhelp': footerHelpTitle,
    'password.forgot.email.or.username.placeholder': recoveryFlowPlaceholder,
    'password.forgot.email.or.username.tooltip': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.placeholder': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.tooltip': recoveryFlowPlaceholder
  };

  // When STAF is enabled and the token is not valid, the Widget must be reloaded to obtain a new stateToken. We're updating
  // the error message here as it isn't applicable for non-STAF orgs. The override is behind a new eng flag
  // See : OKTA-376620, Feature flag : ENG_CHANGE_INVALID_TOKEN_MESSAGE

  function isOldWebBrowserControl() {
    // We no longer support IE7. If we see the MSIE 7.0 browser mode, it's a good signal
    // that we're in a windows embedded browser.
    if (navigator.userAgent.indexOf('MSIE 7.0') === -1) {
      return false;
    }

    // Because the userAgent is the same across embedded browsers, we use feature
    // detection to see if we're running on older versions that do not support updating
    // the documentMode via x-ua-compatible.
    return document.all && !window.atob;
  }

  function isAbsoluteUri(uri) {
    var pat = /^https?:\/\//i;
    return pat.test(uri);
  }

  var unsupportedContainer = document.getElementById('okta-sign-in');

  var failIfCookiesDisabled = true;

  // Old versions of WebBrowser Controls (specifically, OneDrive) render in IE7 browser
  // mode, with no way to override the documentMode. In this case, inform the user they need
  // to upgrade.
  if (isOldWebBrowserControl()) {
    document.getElementById('unsupported-onedrive').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else if (failIfCookiesDisabled && !navigator.cookieEnabled) {
    document.getElementById('unsupported-cookie').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else {
    unsupportedContainer.parentNode.removeChild(unsupportedContainer);
    runLoginPage(function () {
      OktaLogin.initLoginPage(loginPageConfig);
    });
  }

}());
</script>

<script>
  window.addEventListener('load', function(event) {
    function applyStyle(id, style) {
      if (style) {
        var el = document.getElementById(id);
        if (el) {
          el.setAttribute('style', style);
        }
      }
    }
    applyStyle('login-bg-image', "background-image: none");
    applyStyle('login-bg-image-ie8', "");
  });
</script>

</body>
</html>

2021-03-24 10:37:18,078 - MainThread auth_okta.py:221 - _step5() - DEBUG - postback_url=/login/cert, full_url=https://lwdev.snowflakecomputing.com:443
Traceback (most recent call last):
  File "test.py", line 15, in <module>
    ctx = snowflake.connector.connect(
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/__init__.py", line 52, in Connect
    return SnowflakeConnection(**kwargs)
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/connection.py", line 227, in __init__
    self.connect(**kwargs)
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/connection.py", line 423, in connect
    self.__open_connection()
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/connection.py", line 633, in __open_connection
    self._authenticate(auth_instance)
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/connection.py", line 866, in _authenticate
    self.__authenticate(self.__preprocess_auth_instance(auth_instance))
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/connection.py", line 873, in __authenticate
    auth_instance.authenticate(
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/auth_okta.py", line 105, in authenticate
    self._step5(response_html)
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/auth_okta.py", line 223, in _step5
    Error.errorhandler_wrapper(
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/errors.py", line 127, in errorhandler_wrapper
    connection.errorhandler(connection, cursor, error_class, error_value)
  File "/Users/andytwigg/miniconda3/lib/python3.8/site-packages/snowflake/connector/errors.py", line 84, in default_errorhandler
    raise error_class(
snowflake.connector.errors.DatabaseError: 250007 (08001): None: The specified authenticator and destination URL in the SAML assertion do not match: expected: https://lwdev.snowflakecomputing.com:443, post back: /login/cert
2021-03-24 10:37:18,137 - MainThread connection.py:438 - close() - INFO - closed
2021-03-24 10:37:18,137 - MainThread connection.py:452 - close() - DEBUG - Exception encountered in closing connection. ignoring...: 'SnowflakeConnection' object has no attribute '_telemetry'

andytwigg commented 3 years ago

It succeeds if I set authentication='externalbrowser' but fails with okta.

sfc-gh-rgupta commented 3 years ago

Do you have MFA enabled on Okta side?

andytwigg commented 3 years ago

Yes

sfc-gh-rgupta commented 3 years ago

@andytwigg Apologies for the delayed response. Native Okta authentication is not supported if Okta MFA is supported. We support browser-based authentication in the scenario (authentication='externalbrowser').

You can also explore external OAuth with Okta if your use case involves headless login (with no browser access).

arkadiyt commented 3 years ago

We're also running into this issue - would be really great for the native okta authentication to support MFA

sjezewski commented 3 years ago

We have okta + MFA and want headless login to work as well. I'm seeing the same error message as reported. I'd love it if it Just Worked :)

rwilliams-mpg commented 1 year ago

I don't think this is specific to the snowflake python connector. This just started happening to us this weekend when we updated our Okta account from Okta Classic to Okta Identity Engine. After that all of our Python, C#, and ODBC connectors using an Authenticator url (https://accountname.okta.com) instead of "externalbrowser" started receiving the error message listed here. These integrations were working fine for us for over a year prior to the update.

Anyone find a fix?

jens-guenther commented 1 year ago

Hi all, headless + MFA can't work. MFA reads (as you know) MULTI factor auth. With the initial login, you can provide only one factor (above: user/pass). Then, Okta determines which other factor should be used and sends this [redirect] to the caller.

However, you can specify in OKTA (Identity, Classic not tested) that the snowflake integration must not use MFA.
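
The debug log in the issue shows step 5 reading `/login/cert` out of an Okta sign-in page rather than out of a SAML post-back form. The following added example (not the connector's code and not part of the thread) separates that case from a genuine destination mismatch; the function names, the `/fed/login` path and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Expected Snowflake URL as printed in the step 5 log line.
EXPECTED = "https://lwdev.snowflakecomputing.com:443"

# Constructed samples. The first is trimmed from the HTML in the log (fromURI elided).
OKTA_SIGNIN_PAGE = """
<form action="/login/cert" method="post" id="x509_login" name="x509_login">
  <input type="hidden" name="_xsrfToken" value="null"/>
  <input type="hidden" id="fromURI" name="fromURI" value="(elided)"/>
</form>
<div id="signin-container"></div>
"""
SAML_POST_PAGE = """
<form method="post" action="https://lwdev.snowflakecomputing.com/fed/login">
  <input type="hidden" name="SAMLResponse" value="(constructed placeholder)"/>
</form>
"""
WRONG_DEST_PAGE = SAML_POST_PAGE.replace(
    "lwdev.snowflakecomputing.com", "other.example.invalid")


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].add(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def origin(url):
    """Return (scheme, host, port) with default ports filled in; None if relative."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    return scheme, parts.hostname.lower(), port or DEFAULT_PORTS.get(scheme)


def classify_postback(html, expected_url):
    """Return (verdict, form actions) for an IdP response page."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    saml_forms = [f for f in parser.forms if "SAMLResponse" in f["inputs"]]
    if not saml_forms:
        # No assertion was issued: the IdP is still asking for a login step.
        return "not_saml_response", [f["action"] for f in parser.forms]
    action = saml_forms[0]["action"]
    found = origin(action)
    if found is not None and found == origin(expected_url):
        return "match", [action]
    # An assertion addressed to a different origin must not be accepted.
    return "mismatch", [action]
```

A `not_saml_response` verdict with `/login/cert` as the only form action corresponds to the failure in the log: the page is Okta's sign-in widget, so there is no SAML destination to compare.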

sfc-gh-tkathpal commented 1 year ago

Can you try the below solution, @rwilliams-mpg, and see if this works?

https://community.snowflake.com/s/article/Destination-URL-mismatch-when-using-Native-OKTA-SSO

rwilliams-mpg commented 1 year ago

Our issue was related to Okta Identity Engine (OIE) support in the Python connector that we were using. If we had upgraded to the latest versions of the Python connector the issue would have fixed itself since it was patched in v2.7.12 with release notes showing "Added support for OKTA Identity Engine". We missed it at the time because there were so many scenarios that were broken and not all codesets had updated to add OIE support. (ex: C# didn't patch until Jan 2023, after I posted my message above)