The Okta/Snowflake Computing SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
In Okta, select the General tab for the Snowflake SAML app, then click Edit.
Enter your Subdomain. The value depends on the format of your Snowflake account URL:
If your Snowflake account URL is in the new format, https://<organizationName>-<accountName>.snowflakecomputing.com, your Subdomain value is <organizationName>-<accountName>.
If your Snowflake account URL is in the old format, which has no organization name and includes the cloud region, https://<accountLocator>.<region>.snowflakecomputing.com, your Subdomain value is the account locator followed by the region: <accountLocator>.<region>.
Note: See the Snowflake documentation on account identifiers for details on the new account name format.
OPTIONAL: In Okta, select the Sign On tab for the Snowflake SAML app, click Edit, then uncheck Disable Force Authentication to enable Force Authentication for your users. With Force Authentication enabled, the SAML request carries ForceAuthn="true", so Okta prompts the user to authenticate again on every Snowflake login even if they already have an active Okta session.
In Okta, select the Assignments tab to assign Okta users to the Snowflake app.
The rest of the SAML configuration is done in Snowflake: See Configuring Snowflake to Use Federated Authentication.
If your account uses the new URL format, you must use the Advanced SAML configuration (a SAML2 security integration): https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-advanced.html#using-the-organization-account-url-in-the-security-integration-optional
Note: This topic describes the steps that you must perform in Snowflake after configuring Okta. You must perform each step, unless otherwise noted, to enable federated authentication.
If you already have SSO set up through the SAML_IDENTITY_PROVIDER account parameter, you need to migrate to a SAML2 security integration (Advanced SAML) in Snowflake as described here: https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-advanced.html#migrating-to-a-saml2-security-integration
Note: If you are migrating, you can skip step 6 in this document.
Snowflake requires the following information from Okta to enable federated authentication. Each value is specific to your Okta org and is displayed in the Okta Admin Console once you sign in:
Entity ID: the Okta IdP issuer. Copy and paste it into SAML2_ISSUER.
IDP SSO URL: the Okta endpoint that Snowflake redirects users to for SP-initiated login. Copy and paste it into SAML2_SSO_URL.
Authentication Certificate: the X.509 certificate Okta uses to sign SAML assertions. Copy and paste it into SAML2_X509_CERT.
This information is needed in the Security Integration for SAML in Snowflake: https://docs.snowflake.com/en/sql-reference/sql/create-security-integration.html#syntax
To configure the integration, as a user with the ACCOUNTADMIN role, run the CREATE SECURITY INTEGRATION command.
The following example sets Okta as the IdP for your account, using the three values gathered in step 6:

```sql
use role accountadmin;

CREATE SECURITY INTEGRATION OKTAINTEGRATION
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = '<Entity ID from step 6>'
  SAML2_SSO_URL = '<IDP SSO URL from step 6>'
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = '<Authentication Certificate from step 6>'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
  SAML2_ENABLE_SP_INITIATED = TRUE;
```

SAML2_X509_CERT takes the base64-encoded certificate body on a single line, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines that the Okta console displays.
Edit the integration to add the Snowflake ACS URL and Snowflake SAML2 issuer URL.
Because the Snowflake Organizations feature generates the new URL format and the account is renamed to use it, you should edit your security integration so that both URLs use the new account name. The ACS URL is the endpoint Okta POSTs the SAML assertion to; the issuer URL is the service-provider EntityID that the assertion's audience must match. Both must agree with the URL the Okta app is configured to send, otherwise assertions are rejected:

```sql
use role accountadmin;

alter security integration OKTAINTEGRATION set saml2_snowflake_acs_url = 'https://<organizationName>-<accountName>.snowflakecomputing.com/fed/login';
alter security integration OKTAINTEGRATION set saml2_snowflake_issuer_url = 'https://<organizationName>-<accountName>.snowflakecomputing.com';
```
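As an added example that is not Okta's or Snowflake's own code, the following Python derives the Okta Subdomain value, the SAML2_SNOWFLAKE_ACS_URL and SAML2_SNOWFLAKE_ISSUER_URL settings, and the preview login URL from a Snowflake account URL, covering both the Subdomain step earlier on this page and the ALTER SECURITY INTEGRATION step above. It also normalizes the signing certificate from the Okta console into the single-line base64 form SAML2_X509_CERT expects, and refuses hosts that are not under snowflakecomputing.com so a typo or look-alike domain cannot end up in the integration. All function and constant names are this example's own; the label rules for account identifiers are an assumption; and the sample certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

SNOWFLAKE_SUFFIX = ".snowflakecomputing.com"
# Assumption for this example: identifier labels use letters, digits, '-' and '_'.
LABEL_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")  # unquoted Snowflake identifier
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


@dataclass(frozen=True)
class SnowflakeSamlConfig:
    subdomain: str    # value for the Okta app's Subdomain field
    url_format: str   # "new" (<org>-<account>) or "old" (<locator>.<region>)
    acs_url: str      # SAML2_SNOWFLAKE_ACS_URL: where Okta POSTs the assertion
    issuer_url: str   # SAML2_SNOWFLAKE_ISSUER_URL: the SP EntityID / audience
    preview_url: str  # login page with fedpreview=true, used for testing


def derive_config(account_url: str) -> SnowflakeSamlConfig:
    """Parse a Snowflake account URL and derive the SAML configuration values.

    Rejects non-https URLs and any host that is not a subdomain of
    snowflakecomputing.com (a suffix match without the leading dot would
    accept look-alike hosts such as evilsnowflakecomputing.com).
    """
    parsed = urlparse(account_url.strip())
    if parsed.scheme != "https":
        raise ValueError("Snowflake account URL must use https")
    host = parsed.hostname or ""  # urlparse lower-cases the host for us
    if not host.endswith(SNOWFLAKE_SUFFIX):
        raise ValueError(f"not a Snowflake account host: {host!r}")
    subdomain = host[: -len(SNOWFLAKE_SUFFIX)]
    labels = subdomain.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"malformed account identifier: {subdomain!r}")
    # New format is a single "<org>-<account>" label; the old format carries the
    # region (and sometimes the cloud) as extra labels, e.g. "xy12345.us-east-1".
    # A bare locator with no region label is treated as old format as well.
    url_format = "new" if len(labels) == 1 and "-" in labels[0] else "old"
    base = f"https://{subdomain}{SNOWFLAKE_SUFFIX}"
    return SnowflakeSamlConfig(
        subdomain=subdomain,
        url_format=url_format,
        acs_url=base + "/fed/login",
        issuer_url=base,
        preview_url=base + "/console/login?fedpreview=true",
    )


def is_valid_account_url(account_url: str) -> bool:
    try:
        derive_config(account_url)
    except ValueError:
        return False
    return True


def normalize_x509_for_snowflake(pem_or_b64: str) -> str:
    """Return the certificate as single-line base64 without PEM markers,
    which is the form SAML2_X509_CERT takes. Accepts the wrapped PEM block
    shown in the Okta console or an already-stripped base64 string."""
    match = PEM_RE.search(pem_or_b64)
    body = match.group(1) if match else pem_or_b64
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)
    # Sanity check only (not certificate validation): DER certificates start
    # with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded value is not a DER-encoded certificate")
    return b64


def alter_statements(cfg: SnowflakeSamlConfig, integration_name: str = "OKTAINTEGRATION") -> List[str]:
    """Statements that point an existing SAML2 integration at the derived URLs."""
    if not IDENTIFIER_RE.match(integration_name):
        raise ValueError(f"not an unquoted Snowflake identifier: {integration_name!r}")
    return [
        f"ALTER SECURITY INTEGRATION {integration_name} SET SAML2_SNOWFLAKE_ACS_URL = '{cfg.acs_url}';",
        f"ALTER SECURITY INTEGRATION {integration_name} SET SAML2_SNOWFLAKE_ISSUER_URL = '{cfg.issuer_url}';",
    ]


# Constructed placeholder (a DER SEQUENCE header plus padding), not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(16)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_B64[i : i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for url in ("https://myorg-myaccount.snowflakecomputing.com",
                "https://xy12345.us-east-1.snowflakecomputing.com"):
        cfg = derive_config(url)
        print(cfg.url_format, "format; Okta Subdomain:", cfg.subdomain)
        print("\n".join(alter_statements(cfg)))
    print("SAML2_X509_CERT =", normalize_x509_for_snowflake(SAMPLE_PEM))
```

Run the script against your real account URL and paste the printed ALTER statements into a Snowflake worksheet; the issuer URL it emits is the bare account URL, which is what the assertion's audience restriction must match, while only the ACS URL carries the /fed/login path.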
Done!
The following SAML attributes are supported:
Name | Value |
---|---|
Account | org.subDomain |
To test the integration, open the Snowflake preview login page that matches your URL format:
If you are using the new URL format: https://<organizationName>-<accountName>.snowflakecomputing.com/console/login?fedpreview=true
If you are using the old URL format with cloud region and account locator: https://<accountLocator>.<region>.snowflakecomputing.com/console/login?fedpreview=true
The preview page displays a button for logging in via Okta; clicking it performs an SP-initiated login through the security integration configured above.