Information
Federated authentication enables users to connect to Snowflake using secure SSO (single sign-on). With SSO enabled, users authenticate through an external (SAML 2.0-compliant or OAuth 2.0) identity provider (IdP). Once authenticated by an IdP, users can access their Snowflake account for the duration of their IdP session without having to authenticate to Snowflake again. Users can choose to initiate their sessions from within the interface provided by the IdP or directly in Snowflake.
Snowflake offers native support for federated authentication and SSO through Okta and Microsoft ADFS.
Snowflake also supports most SAML 2.0-compliant vendors as an IdP, including Google G Suite, Microsoft Azure Active Directory, OneLogin, and Ping Identity PingOne. To use an IdP other than Okta or ADFS, you must define a custom application for Snowflake in the IdP.
There are two ways to configure SAML:
- By creating the security integration (recommended)
- By setting the SAML_IDENTITY_PROVIDER account parameter (deprecated)
Configuring your Snowflake authentication so that users can log in using SSO reduces the attack surface for your organization because users only log in once across multiple applications and do not have to manage a separate set of credentials for their Snowflake account.
Solution
The steps for configuring an IdP differ depending on whether you choose SAML2 or OAuth. They further differ depending on what identity provider you choose: Okta, AD FS, Ping Identity, Azure AD, or custom. For specific instructions, see Snowflake documentation on
SAML
and
External OAuth
.
Note: If your SAML integration is configured using the deprecated account parameter SAML_IDENTITY_PROVIDER you should migrate to creating a security integration using the system$migrate_saml_idp_registration function. For more information, see the
Migrating to a SAML2 Security Integration
documentation.
Impact:
There may be costs associated with provisioning and using an IdP service.