Configuring Snowflake to Use Federated Authentication

This topic describes the steps that you must perform in Snowflake after configuring your IdP. You must perform each step, unless otherwise noted, to enable federated authentication.


Step 1: Create Users in Snowflake

  1. Log into Snowflake as a user with either the ACCOUNTADMIN or SECURITYADMIN role.

  2. Create users, if they do not already exist, that match the users that you created in your IdP. For reference, see:

Important

If using federated authentication, the Snowflake login_name must match the corresponding SAML Subject NameID attribute value in the SAML response. This value could be equal to the user’s email address, username, or a different value altogether. If you already have existing users in Snowflake, you can use the ALTER USER command to update their login_name.

In addition, you should consider creating (or altering) users so that they have no password in Snowflake. This effectively disables Snowflake authentication for these users and requires them to log in using federated authentication. Note that this isn’t a strict requirement, but is highly recommended. For more details, see Managing Users with Federated Authentication Enabled.
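The matching rule above (login_name equal to the SAML NameID, and ideally no Snowflake password) can be checked mechanically before any statement is run. The following is an added example, not Snowflake's own code: it takes a constructed map of Snowflake user names to the NameID values the IdP will send, a constructed snapshot of existing users (the kind of information SHOW USERS reports), and emits the CREATE USER / ALTER USER statements needed to bring the account in line. It assumes LOGIN_NAME is compared case-insensitively and uses the ALTER USER ... UNSET PASSWORD form to remove a password; confirm both against the ALTER USER reference for your account. The function name plan_user_changes is this example's own.

```python
"""Reconcile Snowflake users against the Subject NameIDs an IdP will send.

Added example, not Snowflake's code. All input rows below are constructed;
in practice they come from SHOW USERS and from your IdP's user export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SnowflakeUser:
    name: str           # Snowflake user name (identifier)
    login_name: str     # value Snowflake compares against the SAML NameID
    has_password: bool  # True if a Snowflake password is still set


# Constructed: Snowflake user name -> NameID the IdP sends for that person.
IDP_NAME_IDS = {
    "JSMITH": "jsmith@example.com",
    "ALEE": "alee@example.com",
    "NEWHIRE": "newhire@example.com",
}

# Constructed snapshot of users that already exist in the account.
SNOWFLAKE_USERS = [
    SnowflakeUser("JSMITH", "JSMITH", has_password=True),
    SnowflakeUser("ALEE", "ALEE@EXAMPLE.COM", has_password=False),
]


def quote_literal(value):
    """Escape a value for use inside a single-quoted SQL string literal."""
    return "'" + value.replace("'", "''") + "'"


def plan_user_changes(idp_name_ids, snowflake_users):
    """Return the SQL needed so every mapped user has LOGIN_NAME equal to its
    NameID and no Snowflake password. Assumption: LOGIN_NAME is compared
    case-insensitively, so the comparison folds case."""
    existing = {u.name: u for u in snowflake_users}
    statements = []
    for name, name_id in idp_name_ids.items():
        user = existing.get(name)
        if user is None:
            # No PASSWORD clause: the new user gets no Snowflake password.
            statements.append(
                "CREATE USER %s LOGIN_NAME = %s;" % (name, quote_literal(name_id)))
            continue
        if user.login_name.casefold() != name_id.casefold():
            statements.append(
                "ALTER USER %s SET LOGIN_NAME = %s;" % (name, quote_literal(name_id)))
        if user.has_password:
            # Assumed form; check the ALTER USER reference for your account.
            statements.append("ALTER USER %s UNSET PASSWORD;" % name)
    return statements


if __name__ == "__main__":
    print("USE ROLE SECURITYADMIN;")
    for stmt in plan_user_changes(IDP_NAME_IDS, SNOWFLAKE_USERS):
        print(stmt)
```

Run it against a real SHOW USERS export and review the output before executing it; the user who already matches (ALEE above) produces no statement, which is the point of the check.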

Step 2: Specify IdP Information for Snowflake

Important

The following is specific for configuring SAML SSO only.

If you wish to include advanced SAML SSO capabilities (i.e. encrypted assertions, signed requests, SAML NameID), see Advanced SAML SSO Features.

To enable an IdP for federated authentication, Snowflake requires the following information from the IdP:

  • Authentication certificate.

  • URL endpoint for SAML requests.

In addition, you must specify the type of IdP used for authentication (OKTA, ADFS, or CUSTOM). You can also optionally specify the label for the IdP button displayed on the Snowflake login page.

This information is specified through the SAML_IDENTITY_PROVIDER account parameter. This parameter accepts a JSON object, enclosed in single quotes, with the following fields:

{
  "certificate": "",
  "issuer": "",
  "ssoUrl": "",
  "type"  : "",
  "label" : ""
}

Where:

certificate

Specifies the certificate that verifies communication between the IdP and Snowflake. This certificate (signed using the RSA 256 algorithm) is generated by the IdP. Include the certificate body only (omit the header/footer) on a single line.

issuer

Indicates the Issuer/EntityID of the IdP.

Optional.

To obtain this value:

Okta SSO

To retrieve the Issuer/EntityID of your Okta Account:

  1. Navigate to the Okta Admin Console.

  2. Select the Snowflake Application created earlier.

  3. Click on the Sign On tab.

  4. Click on the Identity Provider metadata link and download the XML document.

  5. Open the downloaded XML document, locate the entityID XML Attribute in the EntityDescriptor XML Root Element.

  6. Copy the entityID value and insert the value between the double quotes for "issuer": "".

ADFS SSO

To determine the Issuer/Entity ID of your ADFS instance:

  1. Navigate to the ADFS 2.0 Management Console.

  2. Navigate to Action.

  3. Select Edit Federation Service Properties.

  4. Copy the value in the Federation Service identifier field.

  5. Insert the value between the double quotes for "issuer": "".

ssoUrl

Specifies the URL endpoint where Snowflake sends the SAML requests. This endpoint is IdP-specific and is determined by the IdP during configuration. For example:

Okta SSO

https://your_okta_account_name.okta.com/app/okta_snowflake_app_id/sso/saml.

ADFS SSO

Login URL for ADFS, which is usually the IP or FQDN of your ADFS server with /adfs/ls appended.

type

String literal that specifies the IdP used for federated authentication. Possible values are:

  • "OKTA"

  • "ADFS"

  • "Custom" (for all other IdPs)

label

Specifies the button text for the IdP in the Snowflake login page. The default label is Single Sign On. If you change the default label, the label you specify can only contain alphanumeric characters (i.e. special characters and blank spaces are not currently supported).

Note that, if the "type" field is "OKTA", a value for the label field does not need to be specified because Snowflake automatically displays the Okta logo in the button.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the ALTER ACCOUNT command:

  • The following example sets Okta as the IdP for your account (with abccorp as your Okta account name):

    USE ROLE ACCOUNTADMIN;
    
    ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
      "certificate": "XXXXXXXXXXXXXXXXXXX",
      "ssoUrl": "https://abccorp.okta.com/app/<okta_snowflake_app_id>/sso/saml",
      "type"  : "OKTA",
      "label" : "OKTASingleSignOn"
      }';
    
  • The following example sets ADFS as the IdP for your account (with abccorp.testmachine.com as the IP/FQDN of your ADFS server):

    USE ROLE ACCOUNTADMIN;
    
    ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
      "certificate": "XXXXXXXXXXXXXXXXXXX",
      "ssoUrl": "https://abccorp.testmachine.com/adfs/ls",
      "type"  : "ADFS",
      "label" : "ADFSSingleSignOn"
      }';
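Typing the JSON by hand is where this step usually goes wrong: a missing comma between fields, a certificate pasted with its PEM header or line breaks, or a label containing a space. The following added example, not Snowflake's code, parses a constructed IdP metadata document of the kind the Okta "Identity Provider metadata" link returns, pulls out entityID (the issuer), the signing certificate body and the SingleSignOnService location, enforces the field rules listed above and renders the ALTER ACCOUNT statement. It assumes the HTTP-POST SingleSignOnService endpoint is the correct ssoUrl (for the Okta URL form shown on this page both bindings use the same URL); the certificate in the sample is a placeholder string, and the names parse_idp_metadata, build_saml_identity_provider and alter_account_statement are this example's own.

```python
"""Build the SAML_IDENTITY_PROVIDER value from IdP metadata XML.

Added example (not Snowflake's code). SAMPLE_METADATA is constructed and
its certificate is a placeholder, not a real key.
"""
import json
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ALLOWED_TYPES = ("OKTA", "ADFS", "Custom")   # values listed on the page

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
            MIICertBodyLine1PLACEHOLDER
            MIICertBodyLine2PLACEHOLDER
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://abccorp.okta.com/app/okta_snowflake_app_id/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abccorp.okta.com/app/okta_snowflake_app_id/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def certificate_body(text):
    """Certificate body only: PEM header/footer and line breaks removed."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def parse_idp_metadata(xml_text):
    """Extract issuer, signing certificate body and SSO URL from metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    issuer = root.attrib["entityID"]          # becomes the 'issuer' field
    cert_el = None
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            cert_el = kd.find(".//ds:X509Certificate", NS)
            if cert_el is not None:
                break
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("no signing X509Certificate in metadata")
    sso_url = None
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:   # assumption: POST endpoint is ssoUrl
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService in metadata")
    return {"issuer": issuer, "certificate": certificate_body(cert_el.text),
            "ssoUrl": sso_url}


def build_saml_identity_provider(idp, idp_type, label=None):
    """Assemble the JSON object and enforce the field rules from the page."""
    if idp_type not in ALLOWED_TYPES:
        raise ValueError("type must be one of %s" % (ALLOWED_TYPES,))
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", idp["certificate"]):
        raise ValueError("certificate must be a single base64 line, body only")
    if not idp["ssoUrl"].startswith("https://"):
        raise ValueError("ssoUrl must be an https endpoint")
    obj = {"certificate": idp["certificate"], "issuer": idp["issuer"],
           "ssoUrl": idp["ssoUrl"], "type": idp_type}
    if label is not None:
        if not re.fullmatch(r"[A-Za-z0-9]+", label):   # no spaces or specials
            raise ValueError("label may contain only alphanumeric characters")
        obj["label"] = label
    return obj


def alter_account_statement(obj):
    """Render ALTER ACCOUNT with the JSON as a single-quoted literal. json.dumps
    gets every comma and quote right; a single quote inside the JSON would end
    the SQL literal early, so it is doubled."""
    payload = json.dumps(obj, indent=2).replace("'", "''")
    return "ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '%s';" % payload


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("USE ROLE ACCOUNTADMIN;")
    print(alter_account_statement(
        build_saml_identity_provider(idp, "OKTA", "OKTASingleSignOn")))
```

For ADFS, point parse_idp_metadata at the federation metadata document instead and pass "ADFS" as the type; the issuer check against the Federation Service identifier from Step 2 still applies.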
    

Step 3: Test Snowflake-initiated SSO — Optional

Snowflake provides a preview login page in the web interface that can be used to test Snowflake-initiated login before rolling it out to all your users on the main login page. Once you have set the SAML_IDENTITY_PROVIDER account parameter to enable SSO, you can go to the following URL to access the preview page:

  • If your account is in US West: https://<account_name>.snowflakecomputing.com/console/login?fedpreview=true

  • If your account is in any other region: https://<account_name>.<region_id>.snowflakecomputing.com/console/login?fedpreview=true

The button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed on the preview page.

Note

This step is optional, but highly recommended to ensure the feature is working as expected before rolling it out to your users.

Step 4: Enable Snowflake-initiated SSO

Snowflake provides an account parameter, SSO_LOGIN_PAGE, for enabling Snowflake-initiated login on the main login page. You must set this parameter to TRUE (default value is FALSE) to complete the federated authentication configuration for your account. After setting this parameter, when users go to the main login page, the button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the following ALTER ACCOUNT command:

USE ROLE ACCOUNTADMIN;

ALTER ACCOUNT SET SSO_LOGIN_PAGE = TRUE;