Using multiple identity providers for federated authentication
You can configure Snowflake to allow users to authenticate with multiple identity providers (IdPs).
Implementing a federated environment that uses multiple IdPs consists of the following steps:
Enable the identifier-first login flow (in this topic).
Create multiple SAML security integrations, one for each IdP.
Associate users with IdPs (in this topic).
Note
Keep the following in mind as you implement an environment using multiple IdPs:
Each IdP must have a corresponding SAML security integration. If you have an existing single-IdP environment that uses the deprecated SAML_IDENTITY_PROVIDER parameter, you must use the SYSTEM$MIGRATE_SAML_IDP_REGISTRATION function to migrate it to a SAML security integration.
Currently, only a subset of Snowflake drivers support the use of multiple identity providers. These drivers include JDBC, ODBC, and Python.
Enable identifier-first login
When the federated environment for an account uses multiple IdPs, Snowflake must be able to determine which IdPs are associated with a user before presenting the user with authentication options. In this flow, Snowflake prompts the user for only their email address or username, then displays authentication methods after identifying the user. Only IdPs associated with the user appear as authentication options.
The identifier-first login flow must be enabled if you are using multiple IdPs. To enable identifier-first login, set the ENABLE_IDENTIFIER_FIRST_LOGIN parameter to TRUE.
For more information about the identifier-first login flow, see Identifier-first login.
Associate users with IdPs
In an environment with multiple IdPs, you can choose how you want to associate a user with an IdP. You can use the security integration associated with an IdP, an authentication policy, or combine the two methods.
- Security Integration: Use the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties of the SAML2 security integration associated with each IdP. In this configuration, a user only sees an IdP as an authentication option if their EMAIL matches an email address domain or pattern in the security integration.
- Authentication Policy: Use the SECURITY_INTEGRATIONS property of an authentication policy to specify which security integrations are available to the user. In this configuration, the authentication policy is assigned to an entire account or an individual user. A user can only authenticate with IdPs associated with security integrations that are specified in the authentication policy. If you want a user to only see the identity providers that they are allowed to use, create multiple authentication policies and then assign the appropriate policy to each user.
For an example of using an authentication policy to implement multiple IdPs, see Allow authentication from multiple identity providers on an account.
- Combined: You can combine the security integration and authentication policy methods to further refine how users authenticate in an environment that has multiple IdPs. If you use both methods, Snowflake first evaluates which security integrations are associated with the authentication policy governing the user's login. Once Snowflake has identified the security integrations, the user's EMAIL is matched to one of the integrations based on the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties. Snowflake only displays the IdP option for the security integration that matches the user's EMAIL.
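The following SQL is an added example, not from this page, that walks the three steps above end to end using the combined method: identifier-first login, one SAML2 integration per IdP scoped by email domain/pattern, and per-user authentication policies so each user sees only the IdP they are allowed to use. All object names, URLs, domains and certificate values are placeholder assumptions.

```sql
-- Added example (not from the Snowflake documentation). Every URL, certificate,
-- domain and object name is a placeholder assumption; replace with your own.

-- Step 1: identifier-first login is required when an account uses multiple IdPs.
ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = TRUE;

-- Step 2: one SAML2 security integration per IdP. ALLOWED_USER_DOMAINS and
-- ALLOWED_EMAIL_PATTERNS limit which users are offered this IdP at login.
-- ALLOWED_EMAIL_PATTERNS is a regex; backslashes are doubled inside the SQL string.
CREATE SECURITY INTEGRATION corp_okta_idp
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://www.okta.com/PLACEHOLDER_ISSUER'
  SAML2_SSO_URL = 'https://corp-example.okta.com/app/PLACEHOLDER/sso/saml'
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = 'PLACEHOLDER_BASE64_X509_CERT'
  ALLOWED_USER_DOMAINS = ('corp.example.com')
  ALLOWED_EMAIL_PATTERNS = ('.*@corp\\.example\\.com');

CREATE SECURITY INTEGRATION partner_adfs_idp
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://adfs.partner.example/adfs/services/trust'
  SAML2_SSO_URL = 'https://adfs.partner.example/adfs/ls/'
  SAML2_PROVIDER = 'ADFS'
  SAML2_X509_CERT = 'PLACEHOLDER_BASE64_X509_CERT'
  ALLOWED_USER_DOMAINS = ('partner.example');

-- Step 3: authentication policies scope which integrations a user may use.
-- Restricting AUTHENTICATION_METHODS to SAML removes the password fallback.
CREATE AUTHENTICATION POLICY corp_saml_only
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('corp_okta_idp');

CREATE AUTHENTICATION POLICY partner_saml_only
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('partner_adfs_idp');

-- Assign per user; an account-level policy can provide the default instead.
ALTER USER alice_corp SET AUTHENTICATION POLICY corp_saml_only;
ALTER USER bob_partner SET AUTHENTICATION POLICY partner_saml_only;

-- Combined evaluation at login: alice_corp (EMAIL alice@corp.example.com) is
-- offered only corp_okta_idp. A user whose EMAIL matches no domain/pattern of
-- any integration in their policy is offered no IdP, so verify after changes.
SHOW AUTHENTICATION POLICIES;
DESCRIBE SECURITY INTEGRATION corp_okta_idp;
```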