Configuring an Identity Provider (IdP) for Snowflake

The tasks for configuring an IdP are different depending on whether you choose Okta, ADFS, or another (i.e. custom) SAML 2.0-compliant service/application to provide federated authentication for your Snowflake users.


Note

Once you complete these IdP-specific tasks, you must configure Snowflake to use federated authentication to complete the setup.

Okta Setup

To use Okta as your IdP for federated authentication, you must perform the following tasks in Okta:

  1. Create an Okta account for your company or organization.

  2. Log into your Okta account as a user with administrator privileges and create a user for each person who will need access to Snowflake. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in Okta with their corresponding users in Snowflake.

  3. Create a Snowflake application in Okta:

    • In the Label field for the application, you can specify any name.
    • In the SubDomain field for the application, enter the name of your Snowflake account (provided by Snowflake).
  4. Assign the Okta users you created to the Snowflake application in Okta.

  5. Configure SAML 2.0 as the sign on method for the Snowflake application you created:

    1. In the Sign On tab, click View Setup Instructions.

    2. Gather the required information from the setup instructions:

      • Certificate
      • IDP SSO URL

      This information will be used in the next task: Configuring Snowflake to Use Federated Authentication.

ADFS Setup

To use ADFS as your IdP for federated authentication, you must perform the following tasks in ADFS.

Prerequisites

  • Verify that ADFS 3.0 is installed and working on Windows Server 2012 R2.
  • Ensure that a user exists in ADFS for each person who will need access to Snowflake. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in ADFS with their corresponding users in Snowflake.

Note

Other versions of ADFS and Windows Server can be used; however, the configuration instructions may be different.

Step 1: Add a Relying Party Trust for Snowflake

In the AD FS Management console, use the Add Relying Party Trust Wizard to add a new relying party trust to the AD FS configuration database:

  1. When prompted, select the Enter data about the relying party manually radio button.

  2. In the next screen, enter a display name (e.g. “Snowflake”) for the relying party.

  3. In the next screen, select the AD FS profile radio button.

  4. Skip the next screen (for specifying an optional token encryption certificate).

  5. In the next screen:

    • Select the Enable support for the SAML 2.0 WebSSO protocol checkbox.

    • In the Relying party SAML 2.0 SSO service URL field, enter:

      • If your account is in US West: https://<account_name>.snowflakecomputing.com/fed/login

      • If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/fed/login

        Where <account_name> is the name of your Snowflake account and <region_id> is the Snowflake Region where your account is located (other than US West). The valid values for <region_id> are:

        Cloud Platform     Region ID          Snowflake Region
        AWS                us-east-1          US East
        AWS                eu-west-1          EU (Dublin)
        AWS                eu-central-1       EU (Frankfurt)
        AWS                ap-southeast-2     Asia Pacific (Sydney)
        Microsoft Azure    east-us-2.azure    East US 2
  6. In the next screen, in the Relying party trust identifier field, enter:

    • If your account is in US West: https://<account_name>.snowflakecomputing.com
    • If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com
  7. In the next screen, select the I do not want to configure multi-factor authentication settings for this relying party trust at this time radio button.

  8. In the next screen, select the Permit all users to access this relying party radio button.

  9. In the next screen, review your configuration for the relying party trust. Also ensure that in the Advanced tab, SHA-256 is selected as the secure hash algorithm.

  10. In the next screen, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close to finish the wizard configuration.

Step 2: Define Claim Rules for the Snowflake Relying Party Trust

The Edit Claim Rules for <snowflake_trust_name> window opens automatically after closing the wizard. You can also open this window from the AD FS Management console by clicking on:

AD FS » Trust Relationships » Relying Party Trusts » <snowflake_trust_name> » Edit Claim Rules…

In the window:

  1. Create a rule for sending LDAP attributes as claims:

    1. Click Add Rule… and select Send LDAP Attributes as Claims.

    2. In the Edit Rule dialog:

      • Enter a name (e.g. “Get Attributes”) for the rule.

      • Set Attribute store to: Active Directory.

      • Add two LDAP attributes for the rule:

        • E-Mail Addresses with E-Mail Address as the Outgoing Claim Type.
        • Display-Name with Name as the Outgoing Claim Type.
    3. Click the OK button to create the rule.

  2. Create a rule for transforming incoming claims:

    1. Click Add Rule… and select Transform an Incoming Claim.

    2. In the Add Transform Claim Rule Wizard dialog:

      • Enter a name (e.g. “Name ID Transform”) for the claim rule.
      • Set Incoming claim type to: E-Mail Address.
      • Set Outgoing claim type to: Name ID.
      • Set Outgoing name ID format to: Email.
      • Select the Pass through all claim values radio button.
    3. Click the Finish button to create the rule.

  3. Click the OK button to finish adding claim rules for the Snowflake relying party trust.

Important

  • Ensure that you enter the values for the rules exactly as described above.
  • Ensure that the rules you created are listed in the following order: 1) LDAP Attributes and 2) Incoming Claim Transform.

The rules will not work correctly if there are any typos in the rules or the rules are not listed in the correct order.

Step 3: Enable Global Logout (Optional)

To enable global logout for Snowflake in ADFS, in the AD FS Management console, click on:

AD FS » Trust Relationships » Relying Party Trusts » <snowflake_trust_name> » Properties

In the Properties dialog:

  1. Go to the Endpoints tab and click the Add SAML… button.

  2. In the Edit Endpoint dialog:

    • Set Endpoint type to: SAML Logout.
    • Set Binding to: POST or REDIRECT.
    • Set Trusted URL to the full HTTPS URL of the Snowflake logout endpoint:
      • If your account is in US West: https://<account_name>.snowflakecomputing.com/fed/logout
      • If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/fed/logout
    • Leave Response URL blank.
    • Click the OK button to save your changes.
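Steps 1 through 3 can also be done from the ADFS PowerShell module instead of the wizard. The script below is an added example and is not part of the Snowflake or Microsoft documentation; the account name xy12345 and the region us-east-1 are assumed placeholders, and everything else (SHA-256 signing, the two claim rules in the required order, the permit-all authorization rule, the optional SAML Logout endpoint) mirrors the settings described above. Run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example: create the Snowflake relying party trust described in Steps 1-3
# with the ADFS module. Assumed placeholders: account "xy12345", region "us-east-1".
Import-Module ADFS

$AccountName = 'xy12345'     # assumption: your Snowflake account name
$RegionId    = 'us-east-1'   # assumption: your region; set to '' for US West

# Host name follows the region rule from Step 1 (no region segment for US West).
$SnowflakeHost = if ($RegionId) { "$AccountName.$RegionId.snowflakecomputing.com" }
                 else           { "$AccountName.snowflakecomputing.com" }
$Identifier = "https://$SnowflakeHost"   # Relying party trust identifier (Step 1.6)

# SAML 2.0 WebSSO assertion consumer (Step 1.5) and optional SAML Logout (Step 3).
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "$Identifier/fed/login" -Index 0 -IsDefault $true
$Slo = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
           -Uri "$Identifier/fed/logout"

# Claim rules from Step 2, in the required order: LDAP attributes first,
# then the e-mail -> Name ID transform with the Email name ID format.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party" (Step 1.8).
$AuthzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'Snowflake' `
    -Identifier $Identifier `
    -SamlEndpoint @($Acs, $Slo) `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check the result: identifier, SHA-256 signing and both endpoints should match Steps 1-3.
Get-AdfsRelyingPartyTrust -Name 'Snowflake' |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

The authorization rule permits every AD user, exactly as the wizard option does; if only some users should be able to reach Snowflake, replace it with a group-based issuance authorization rule. No token encryption certificate is configured, matching the skipped wizard screen in Step 1.4.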

Step 4: Obtain the SSO URL and Certificate

To complete the ADFS setup, the following information must be provided to Snowflake:

  • SSO URL

    The ADFS URL endpoint to which Snowflake will send SAML requests. This is the ADFS login URL: https:// followed by the FQDN of your federation service with /adfs/ls appended (for example, https://sts.example.com/adfs/ls). Use the FQDN that the ADFS service communication certificate was issued for, not a bare IP address, or browsers will fail TLS validation during the redirect.

  • Certificate

    Used to verify communication between ADFS and Snowflake. You download it from the AD FS Management console:

    1. In the console, click on:

      AD FS » Service » Certificates

    2. In the Certificates page, right-click the Token-signing entry and click View Certificate….

    3. In the Certificate dialog, select the Details tab.

    4. Click Copy to File… to open the Certificate Export Wizard.

    5. For the export file format, select Base-64 encoded X.509 (.CER) and click Next.

    6. Save the file to a directory on your local environment.

    7. Open the file and copy the Base64 text located between the following lines. The export wizard wraps this text at 64 characters; remove the line breaks so that the certificate you provide to Snowflake is a single line, without the BEGIN and END lines:

      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----

The SSO URL and certificate that you obtain will be used in the next task: Configuring Snowflake to Use Federated Authentication.
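The values from Step 4 can be collected directly on the ADFS server, in the single-line form Snowflake expects, without stepping through the Certificate Export Wizard. The script below is an added example and is not part of the Snowflake or Microsoft documentation; it assumes nothing beyond a working ADFS installation with the ADFS module available.

```powershell
# Added example: gather the SSO URL and the primary token-signing certificate
# (Step 4) and sanity-check them before handing them to the Snowflake administrator.
Import-Module ADFS

# SSO URL: the federation service FQDN with /adfs/ls appended.
$SsoUrl = 'https://{0}/adfs/ls' -f (Get-AdfsProperties).HostName

# Certificate: only the PRIMARY token-signing certificate signs assertions today.
# A secondary one appears before an automatic rollover and is not yet in use.
$Signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Cert    = $Signing.Certificate

# Single Base64 line of the DER bytes, i.e. the body between the BEGIN/END
# CERTIFICATE lines of the Base-64 encoded .CER export with line breaks removed.
$CertB64 = [Convert]::ToBase64String($Cert.RawData)

# Checks a practitioner wants before pasting the value into Snowflake.
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires on $($Cert.NotAfter); Snowflake must be updated before then."
}
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is on: when ADFS rotates the token-signing certificate, federated logins to Snowflake fail until the new certificate is configured there.'
}

[pscustomobject]@{
    SsoUrl      = $SsoUrl
    Thumbprint  = $Cert.Thumbprint
    NotAfter    = $Cert.NotAfter
    Certificate = $CertB64
}
```

Compare the Thumbprint shown here with the one in the Certificates page of the AD FS Management console to confirm you exported the token-signing certificate and not the service communications or token-decrypting certificate; only the token-signing certificate lets Snowflake verify the SAML responses.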

Custom IdP Setup

To use a SAML 2.0-compliant service or application as your IdP for federated authentication, you must perform the following tasks:

  1. In the service/application interface, define a custom SAML 2.0 application for Snowflake that signs SAML responses with SHA-256. The instructions for defining a custom application are specific to the service/application that is serving as the IdP.

  2. In the interface, create a user for each person who will need access to Snowflake. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in the IdP with their corresponding users in Snowflake.

  3. Obtain the following information required by Snowflake:

    • SSO URL (IdP URL endpoint to which Snowflake will send SAML requests)
    • Certificate (used to verify communication between the IdP and Snowflake)

    This information will be used in the next task: Configuring Snowflake to Use Federated Authentication.