Okta

How to Configure SAML 2.0 for Snowflake Computing


Supported Features

The Okta/Snowflake Computing SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. In Okta, select the General tab for the Snowflake SAML app, then click Edit.

  2. Enter your Subdomain.

    • If your Snowflake account URL is in the new URL format: https://<organizationName>-<accountName>.snowflakecomputing.com

      Your Subdomain value is <organizationName>-<accountName>.

    • If your Snowflake account URL is in the old format, without an organization name and with the cloud region: https://<accountLocator>.<region>.snowflakecomputing.com

      Your Subdomain value is your Snowflake account locator together with the region, for example <accountLocator>.<region>.

    Note: See here for New Account Name details.

  3. OPTIONAL: In Okta, select the Sign On tab for the Snowflake SAML app, click Edit, then uncheck Disable Force Authentication to enable Force Authentication for your users.

  4. In Okta, select the Assignments tab to assign Okta users to the Snowflake app.

  5. The rest of the SAML configuration is done in Snowflake; see Configuring Snowflake to Use Federated Authentication.

  6. Snowflake requires the following information to enable federated authentication:

    • Entity ID: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    • IDP SSO URL: Copy and paste the following:

      Sign in to the Okta Admin app to generate this variable.

    • Authentication Certificate: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    This information is needed in the Security Integration for SAML in Snowflake: https://docs.snowflake.com/en/sql-reference/sql/create-security-integration.html#syntax

    To configure the integration, as a user with the ACCOUNTADMIN role, run the CREATE SECURITY INTEGRATION command.

    The following example sets Okta as the IdP for your account. Replace each bracketed placeholder with the corresponding value from step 6, keeping the surrounding single quotes:

    use role accountadmin;
    CREATE SECURITY INTEGRATION OKTAINTEGRATION
        TYPE = SAML2
        ENABLED = TRUE
        SAML2_ISSUER = '[Entity ID from step 6]'
        SAML2_SSO_URL = '[IDP SSO URL from step 6]'
        SAML2_PROVIDER = OKTA
        -- the certificate goes on a single line of Base64, without the BEGIN/END CERTIFICATE markers
        SAML2_X509_CERT = '[Authentication Certificate from step 6]'
        SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
        SAML2_ENABLE_SP_INITIATED = TRUE;
    
  7. Edit the integration to add the Snowflake ACS URL and the Snowflake SAML2 issuer URL.

    If the Snowflake Organizations feature is used to generate the new URL format, or the account has been renamed to use the new Snowflake URL format (see step 2), edit your security integration to add the Snowflake ACS URL and the Snowflake SAML2 issuer URL (the issuer is the account's base URL, without the /fed/login path):

    use role accountadmin;
    -- same integration name as in step 6
    alter security integration OKTAINTEGRATION set saml2_snowflake_acs_url = 'https://<organizationName>-<accountName>.snowflakecomputing.com/fed/login';
    alter security integration OKTAINTEGRATION set saml2_snowflake_issuer_url = 'https://<organizationName>-<accountName>.snowflakecomputing.com';

  8. Done!
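As an added example (not part of Okta's or Snowflake's documentation), the script below takes the three step 6 values from the IdP metadata XML that an Okta SAML app publishes, normalizes the signing certificate to the single-line form SAML2_X509_CERT expects, and renders the CREATE SECURITY INTEGRATION statement with every value quoted as a SQL literal. The metadata document, its entity ID, SSO URL and certificate text are constructed placeholders, and the https check on the SSO URL is this example's own sanity check.

```python
"""Build Snowflake SAML2 security-integration SQL from Okta IdP metadata (the three step 6 values)."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the IdP metadata an Okta SAML app publishes; every value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk_PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC_PLACEHOLDER_BASE64_LINE1
      MIIC_PLACEHOLDER_BASE64_LINE2
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/snowflake/exk_PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entity_id, sso_url, cert); cert collapsed to one line with no PEM markers, as SAML2_X509_CERT wants."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    entity_id = root.get("entityID")
    if not entity_id or sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks entityID, HTTP-POST SSO URL or signing certificate")
    sso_url = sso.get("Location", "")
    if not sso_url.startswith("https://"):
        raise ValueError("IdP SSO URL must use https: " + sso_url)
    return entity_id, sso_url, re.sub(r"\s+", "", cert.text)

def sql_literal(value):
    """Quote a value as a Snowflake single-quoted string literal (embedded quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"

def create_integration_sql(name, entity_id, sso_url, cert, label="OKTA SSO"):
    """Render CREATE SECURITY INTEGRATION with every string value quoted as a literal."""
    return (
        f"CREATE SECURITY INTEGRATION {name}\n    TYPE = SAML2\n    ENABLED = TRUE\n"
        f"    SAML2_ISSUER = {sql_literal(entity_id)}\n    SAML2_SSO_URL = {sql_literal(sso_url)}\n"
        f"    SAML2_PROVIDER = OKTA\n    SAML2_X509_CERT = {sql_literal(cert)}\n"
        f"    SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = {sql_literal(label)}\n"
        "    SAML2_ENABLE_SP_INITIATED = TRUE;"
    )
```

Run `create_integration_sql("OKTAINTEGRATION", *parse_idp_metadata(metadata_xml))` against your own downloaded metadata to get a statement ready to paste into a Snowflake worksheet as ACCOUNTADMIN.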


Notes

The following SAML attributes are supported:


SP-initiated SSO

The button for logging in via Okta is displayed on the preview page.