Configuring Snowflake to Use Federated Authentication

This topic describes the steps that you must perform in Snowflake after configuring your IdP. You must perform each step, unless otherwise noted, to enable federated authentication.

Step 1: Create Users in Snowflake

  1. Log into Snowflake as a user with either the ACCOUNTADMIN or SECURITYADMIN role.
  2. Create users, if they do not already exist, that match the users that you created in your IdP.

Important

Make sure to use the email address for your IdP users as the login name for your Snowflake users. If you already have existing users in Snowflake, you can use the ALTER USER command to set their login name to match their email address. For example:

ALTER USER jsmith SET LOGIN_NAME='john.smith@abc123.com';

In addition, you should consider creating (or altering) users so that they have no password in Snowflake. This effectively disables Snowflake authentication for these users and requires them to log in using federated authentication. Note that this isn’t a strict requirement, but is highly recommended. For more details, see Managing Users with Federated Authentication Enabled.

Step 2: Specify IdP Information for Snowflake

To enable an IdP for federated authentication, Snowflake requires the following information from the IdP:

  • Authentication certificate.
  • URL endpoint for SAML requests.

In addition, you must specify the type of IdP used for authentication (OKTA, ADFS, or CUSTOM). You can also optionally specify the label for the IdP button displayed on the Snowflake login page.

This information is specified through the SAML_IDENTITY_PROVIDER account parameter. This parameter accepts a JSON object, enclosed in single quotes, with the following fields:

{
  "certificate": "",
  "ssoUrl": "",
  "type"  : "",
  "label" : ""
}

Where:

certificate

Specifies the certificate that verifies communication between the IdP and Snowflake. This certificate is generated by the IdP.
ssoUrl

Specifies the URL endpoint where Snowflake sends the SAML requests. This endpoint is IdP-specific and is determined by the IdP during configuration. For example:

Okta SSO: https://your_okta_account_name.okta.com/app/okta_snowflake_app_id/sso/saml
ADFS SSO: Login URL for ADFS, which is usually the IP or FQDN of your ADFS server with /adfs/ls appended.
type

String literal that specifies the IdP used for federated authentication. Possible values are:

  • "OKTA"
  • "ADFS"
  • "Custom" (for all other IdPs)
label

Specifies the button text for the IdP in the Snowflake login page. The default label is Single Sign On. If you change the default label, the label you specify can only contain alphanumeric characters (i.e. special characters and blank spaces are not currently supported).

Note that, if the "type" field is "OKTA", a value for the label field does not need to be specified because Snowflake automatically displays the Okta logo in the button.

To set the parameter, as a user with the ACCOUNTADMIN role, execute an ALTER ACCOUNT command:

  • The following example sets Okta as the IdP for your account (with abc123 as your Okta account name):

    USE ROLE ACCOUNTADMIN;
    
    ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
      "certificate": "XXXXXXXXXXXXXXXXXXX",
      "ssoUrl": "https://abc123.okta.com/app/<okta_snowflake_app_id>/sso/saml",
      "type"  : "OKTA"
      }';
    
  • The following example sets ADFS as the IdP for your account (with abc123.testmachine.com as the IP/FQDN of your ADFS server):

    USE ROLE ACCOUNTADMIN;
    
    ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{
      "certificate": "XXXXXXXXXXXXXXXXXXX",
      "ssoUrl": "https://abc123.testmachine.com/adfs/ls",
      "type"  : "ADFS",
      "label" : "ADFSSingleSignOn"
      }';
    
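As an added example (not Snowflake's own tooling), the following Python helper checks a candidate SAML_IDENTITY_PROVIDER object against the rules listed above (non-empty certificate, https ssoUrl, allowed type, alphanumeric label) and renders the ALTER ACCOUNT statement with the single-quote escaping that the SQL string literal needs. The function names and the sample values are assumptions.

```python
import json
import re

# "type" values and the label rule as documented for SAML_IDENTITY_PROVIDER.
ALLOWED_TYPES = {"OKTA", "ADFS", "Custom"}
LABEL_RE = re.compile(r"^[A-Za-z0-9]+$")  # alphanumeric only, no spaces


def validate_idp_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the object is acceptable."""
    problems = []
    if not cfg.get("certificate"):
        problems.append("certificate is empty")
    sso = cfg.get("ssoUrl", "")
    if not sso.startswith("https://"):
        problems.append("ssoUrl must be an https:// endpoint")
    idp_type = cfg.get("type")
    if idp_type not in ALLOWED_TYPES:
        problems.append("type must be one of " + ", ".join(sorted(ALLOWED_TYPES)))
    # ADFS login URLs are the server IP/FQDN with /adfs/ls appended.
    if idp_type == "ADFS" and not sso.endswith("/adfs/ls"):
        problems.append("ADFS ssoUrl normally ends with /adfs/ls")
    label = cfg.get("label")
    if label is not None and not LABEL_RE.match(label):
        problems.append("label may contain only alphanumeric characters")
    return problems


def render_alter_account(cfg: dict) -> str:
    """Render the ALTER ACCOUNT statement.

    The JSON object is passed as a single-quoted SQL literal, so any single
    quote inside it must be doubled or the statement will not parse.
    """
    body = json.dumps(cfg, indent=2).replace("'", "''")
    return "ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '" + body + "';"


if __name__ == "__main__":
    # Constructed sample, mirroring the ADFS example above (placeholder certificate).
    sample = {
        "certificate": "XXXXXXXXXXXXXXXXXXX",
        "ssoUrl": "https://abc123.testmachine.com/adfs/ls",
        "type": "ADFS",
        "label": "ADFSSingleSignOn",
    }
    for problem in validate_idp_config(sample):
        print("problem:", problem)
    print(render_alter_account(sample))
```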

Step 3: Test Snowflake-initiated SSO — Optional

Snowflake provides a preview login page in the web interface that can be used to test Snowflake-initiated login before rolling it out to all your users on the main login page. Once you have set the SAML_IDENTITY_PROVIDER account parameter to enable SSO, you can go to the following URL to access the preview page:

  • If your account is in US West: https://<account_name>.snowflakecomputing.com/console/login?fedpreview=true
  • If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/console/login?fedpreview=true

The button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed on the preview page.

Note

This step is optional, but highly recommended to ensure the feature is working as expected before rolling it out to your users.

Step 4: Enable Snowflake-initiated SSO

Snowflake provides an account parameter, SSO_LOGIN_PAGE, for enabling Snowflake-initiated login on the main login page. You must set this parameter to TRUE (default value is FALSE) to complete the federated authentication configuration for your account. After setting this parameter, when users go to the main login page, the button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the following ALTER ACCOUNT command:

USE ROLE ACCOUNTADMIN;

ALTER ACCOUNT SET SSO_LOGIN_PAGE = TRUE;