Using multiple identity providers for federated authentication

You can configure Snowflake to allow users to authenticate with multiple identity providers (IdPs).

Implementing a federated environment that uses multiple IdPs consists of the following steps:

  1. Enable the identifier-first login flow (in this topic).

  2. Configure each identity provider.

  3. Create multiple SAML security integrations, one for each IdP.

  4. Associate users with IdPs (in this topic).

Note

Keep the following in mind as you implement an environment using multiple IdPs:

  • Each IdP must have a corresponding SAML security integration. If you have an existing single-IdP environment that uses the deprecated SAML_IDENTITY_PROVIDER parameter, you must use the SYSTEM$MIGRATE_SAML_IDP_REGISTRATION function to migrate it to a SAML security integration.

  • Currently, only a subset of Snowflake drivers support the use of multiple identity providers. These drivers include JDBC, ODBC, and Python.

Enable identifier-first login

When the federated environment for an account uses multiple IdPs, Snowflake must be able to determine which IdPs are associated with a user before presenting the user with authentication options. In this flow, Snowflake prompts the user for only their email address or username, then displays authentication methods after identifying the user. Only IdPs associated with the user appear as authentication options.

The identifier-first login flow must be enabled if you are using multiple IdPs. To enable identifier-first login, set the ENABLE_IDENTIFIER_FIRST_LOGIN parameter to TRUE.

For more information about the identifier-first login flow, see Identifier-first login.

Associate users with IdPs

In an environment with multiple IdPs, you can choose how to associate a user with an IdP: through the security integration associated with the IdP, through an authentication policy, or through a combination of the two methods.

Security Integration:

Use the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties of the SAML2 security integration associated with each IdP. In this configuration, a user only sees an IdP as an authentication option if their EMAIL matches an email address domain or pattern in the security integration.

Authentication Policy:

Use the SECURITY_INTEGRATIONS property of an authentication policy to specify which security integrations are available to the user. In this configuration, the authentication policy is assigned to an entire account or an individual user. A user can only authenticate with IdPs associated with security integrations that are specified in the authentication policy.

If you want a user to only see the identity providers that they are allowed to use, create multiple authentication policies and then assign the appropriate policy to a user.

For an example of using an authentication policy to implement multiple IdPs, see Allow authentication from multiple identity providers on an account.

Combined:

You can combine the security integration and authentication policy methods to further refine how users authenticate in an environment that has multiple IdPs.

If you use both methods, Snowflake first evaluates which security integrations are associated with the authentication policy governing the user’s login. Once Snowflake has identified the security integrations, the user’s EMAIL is matched to one of the integrations based on the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties. Snowflake only displays the IdP option for the security integration that matches the user’s EMAIL.
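The following SQL walks through the four-step procedure above (identifier-first login, one SAML2 security integration per IdP, and user association) and shows the security-integration, authentication-policy and combined association methods side by side. It is an added example, not part of the Snowflake documentation; the integration names (corp_idp, partner_idp), policy names, user names, domains, issuer and SSO URLs, and certificate values are placeholders chosen for illustration and must be replaced with your own IdP metadata. Step 2, configuring each IdP to trust Snowflake, happens in the IdP's own console and is not shown.

```sql
-- Added example (not from the Snowflake documentation page). All object
-- names, domains, URLs and certificate values below are placeholders.

-- Step 1: enable the identifier-first login flow (account-level parameter).
ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = TRUE;

-- Step 3: one SAML2 security integration per IdP.
-- Corporate IdP: only users whose EMAIL is in the example.com domain are
-- offered this option (security-integration method, ALLOWED_USER_DOMAINS).
CREATE SECURITY INTEGRATION corp_idp
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_PROVIDER = 'OKTA'
  SAML2_ISSUER = 'https://corp-idp.example.com/issuer'        -- placeholder
  SAML2_SSO_URL = 'https://corp-idp.example.com/sso/saml'     -- placeholder
  SAML2_X509_CERT = '<CORP_IDP_SIGNING_CERT_PLACEHOLDER>'      -- placeholder
  ALLOWED_USER_DOMAINS = ('example.com');

-- Partner IdP: restricted with a regular expression on the full address
-- (ALLOWED_EMAIL_PATTERNS). The doubled backslash yields a literal "\."
-- inside the single-quoted string, so the dot in the domain is not a wildcard.
CREATE SECURITY INTEGRATION partner_idp
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_PROVIDER = 'CUSTOM'
  SAML2_ISSUER = 'https://sso.partner.example/issuer'         -- placeholder
  SAML2_SSO_URL = 'https://sso.partner.example/saml2/login'   -- placeholder
  SAML2_X509_CERT = '<PARTNER_IDP_SIGNING_CERT_PLACEHOLDER>'   -- placeholder
  ALLOWED_EMAIL_PATTERNS = ('^.+@partner\\.example$');

-- Step 4 (authentication-policy method): an account-wide policy that allows
-- SAML through both integrations, and a narrower policy for partner users.
-- Integration names are stored upper-case, so list them that way.
CREATE AUTHENTICATION POLICY all_idps_policy
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('CORP_IDP', 'PARTNER_IDP');

CREATE AUTHENTICATION POLICY partner_only_policy
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('PARTNER_IDP');

ALTER ACCOUNT SET AUTHENTICATION POLICY all_idps_policy;

-- A partner user gets the narrower policy at user level, so the login page
-- never offers corp_idp regardless of the account-level policy.
CREATE USER IF NOT EXISTS partner_user
  EMAIL = 'partner_user@partner.example';                     -- placeholder
ALTER USER partner_user SET AUTHENTICATION POLICY partner_only_policy;

-- Combined evaluation for an employee under the account policy: the policy
-- permits both integrations, but EMAIL matches only the example.com domain
-- of corp_idp, so corp_idp is the single option displayed after the user
-- enters their identifier.
CREATE USER IF NOT EXISTS employee_user
  EMAIL = 'employee_user@example.com';                        -- placeholder

-- Checks: confirm the parameter, the policy contents, and the user-level
-- policy assignment.
SHOW PARAMETERS LIKE 'ENABLE_IDENTIFIER_FIRST_LOGIN' IN ACCOUNT;
DESCRIBE AUTHENTICATION POLICY all_idps_policy;
SELECT policy_name, ref_entity_name
  FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(
    REF_ENTITY_NAME => 'PARTNER_USER',
    REF_ENTITY_DOMAIN => 'USER'));
```

Run the statements as a role that can alter the account and create security integrations and authentication policies. Because the security-integration method keys entirely off the user's EMAIL value, keep that attribute under administrative control; if users could change it themselves, they could change which IdP options they are shown.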