Configuring Snowflake to Use Federated Authentication

This topic describes the steps that you must perform in Snowflake after configuring your IdP. You must perform each step, unless otherwise noted, to enable federated authentication.

Step 1: Create Users in Snowflake

  1. Log into Snowflake as a user with either the ACCOUNTADMIN or SECURITYADMIN role.

  2. Create users, if they do not already exist, that match the users that you created in your IdP. For reference, see:


If using federated authentication, the Snowflake login_name must match the corresponding SAML Subject NameID attribute value that is in the SAML response. This value could be equal to the user’s email address, username, or a different value altogether. If you already have existing users in Snowflake, you can use the ALTER USER command to update their attribute value.

In addition, you should consider creating (or altering) users so that they have no password in Snowflake. This effectively disables Snowflake authentication for these users and requires them to log in using federated authentication. Note that this is not a strict requirement, but is highly recommended. For more details, see Managing Users with Federated Authentication Enabled.

Step 2: Specify IdP Information for Snowflake


The following is specific for configuring SAML SSO only. If you wish to include advanced SAML SSO capabilities (e.g. encrypted assertions, signed requests, SAML NameID), see Advanced SAML SSO Features.

If you are an existing customer and have not updated your SSO configuration to use the SAML2 security integration, update your configuration as shown in Advanced SAML SSO Features.

New customers should use the SAML2 security integration to configure the IdP information for Snowflake.

Snowflake requires the SAML2 security integration if you plan to use SSO with the organizations and the Client Redirect features.

For more information, see:

To enable an IdP for federated authentication, Snowflake requires the following information from the IdP:

  • Authentication certificate.

  • URL endpoint for SAML requests.

In addition, you must specify the type of IdP used for authentication (OKTA, ADFS, or CUSTOM). You can also optionally specify the label for the IdP button displayed on the Snowflake login page.

This information is specified through the SAML_IDENTITY_PROVIDER account parameter. This parameter accepts a JSON object, enclosed in single quotes, with the following fields:

  {
    "certificate": "",
    "issuer": "",
    "ssoUrl": "",
    "type": "",
    "label": ""
  }

certificate

Specifies the certificate that verifies communication between the IdP and Snowflake. This certificate (signed using the RSA 256 algorithm) is generated by the IdP. Include the certificate body only (omit the header/footer) on a single line.

issuer

Indicates the Issuer/EntityID of the IdP.


To obtain this value:

Okta SSO

To retrieve the Issuer/EntityID of your Okta Account:

  1. Navigate to the Okta Admin Console.

  2. Select the Snowflake Application created earlier.

  3. Click on the Sign On tab.

  4. Click on the Identity Provider metadata link and download the XML document.

  5. Open the downloaded XML document, locate the entityID XML Attribute in the EntityDescriptor XML Root Element.

  6. Copy the entityID value and insert the value between the double quotes for "issuer": "".

ADFS

To determine the Issuer/EntityID of your ADFS instance:

  1. Navigate to the ADFS 2.0 Management Console.

  2. Navigate to Action.

  3. Select Edit Federation Service Properties.

  4. Copy the value in the Federation Service identifier field.

  5. Insert the value between the double quotes for "issuer": "".

ssoUrl

Specifies the URL endpoint where Snowflake sends the SAML requests. This endpoint is IdP-specific and is determined by the IdP during configuration. For example:

Okta SSO

ADFS

Login URL for ADFS, which is usually the IP or FQDN of your ADFS server with /adfs/ls appended.

type

String literal that specifies the IdP used for federated authentication. Possible values are:

  • "OKTA"

  • "ADFS"

  • "Custom" (for all other IdPs)

label

Specifies the button text for the IdP in the Snowflake login page. The default label is Single Sign On. If you change the default label, the label you specify can only contain alphanumeric characters (i.e. special characters and blank spaces are not currently supported).

Note that, if the "type" field is "Okta", a value for the label field does not need to be specified because Snowflake automatically displays the Okta logo in the button.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the ALTER ACCOUNT command:

  • The following example sets Okta as the IdP for your account (with abccorp as your Okta account name):

      ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
        "certificate": "XXXXXXXXXXXXXXXXXXX",
        "ssoUrl": "<okta_snowflake_app_id>/sso/saml",
        "type": "OKTA",
        "label": "OKTASingleSignOn"
      }';

  • The following example sets ADFS as the IdP for your account (with as the IP/FQDN of your ADFS server):

      ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
        "certificate": "XXXXXXXXXXXXXXXXXXX",
        "ssoUrl": "",
        "type": "ADFS",
        "label": "ADFSSingleSignOn"
      }';
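As an added example (not part of the Snowflake documentation), the following Python script assembles the SAML_IDENTITY_PROVIDER object from the IdP metadata XML that the Okta steps above have you download: it reads the entityID from the EntityDescriptor root, collapses the signing certificate to a single base64 line with any PEM header/footer removed, takes the HTTP-POST SingleSignOnService location as ssoUrl, and rejects a label that is not purely alphanumeric. The metadata document and its values are constructed, and the function names are mine, not a Snowflake API.

```python
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the IdP metadata XML downloaded in Step 2; no value here is real.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC0000EXAMPLE
CERTBODY0000</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abccorp.okta.com/app/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def certificate_body(cert_text):
    """Collapse a certificate to one base64 line: drop PEM header/footer and all whitespace."""
    lines = (line.strip() for line in cert_text.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))

def valid_label(label):
    return label.isalnum()  # login-page button label: alphanumeric characters only

def idp_parameter(metadata_xml, idp_type, label=None):
    """Extract issuer, signing certificate and HTTP-POST SSO URL into the parameter's fields."""
    root = ET.fromstring(metadata_xml)
    cert = root.find(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService[@Binding='%s']" % HTTP_POST, NS)
    if cert is None or sso is None:
        raise ValueError("metadata lacks a signing certificate or an HTTP-POST SSO endpoint")
    fields = {"certificate": certificate_body(cert.text), "issuer": root.get("entityID"),
              "ssoUrl": sso.get("Location"), "type": idp_type}
    if label is not None:
        if not valid_label(label):
            raise ValueError("label must be alphanumeric: %r" % label)
        fields["label"] = label
    return fields

def alter_account_statement(fields):
    """Wrap the JSON object in single quotes for ALTER ACCOUNT, doubling any embedded quote."""
    return "ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '%s';" % json.dumps(fields).replace("'", "''")
```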

Step 3: Test Snowflake-initiated SSO — Optional

Snowflake provides a preview login page in the web interface that can be used to test the Snowflake-initiated login before rolling it out to all your users on the main login page. Once you have set the SAML_IDENTITY_PROVIDER account parameter to enable SSO, you can go to the following URL with the account identifier to access the preview page:


The button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed on the preview page.


This step is optional, but highly recommended to ensure the feature is working as expected before rolling it out to your users.

Step 4: Enable Snowflake-initiated SSO

Snowflake provides an account parameter, SSO_LOGIN_PAGE, for enabling Snowflake-initiated login on the main login page. You must set this parameter to TRUE (default value is FALSE) to complete the federated authentication configuration for your account. After setting this parameter, when users go to the main login page, the button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the following ALTER ACCOUNT command:

  ALTER ACCOUNT SET SSO_LOGIN_PAGE = TRUE;