Author: Shikhar Srivastava
This blog explains how to use OKTA as a federated authentication provider to connect with Snowflake.

Introduction
Federated authentication allows a user to connect to Snowflake using secure single sign-on (SSO). With SSO enabled, you authenticate users through a SAML 2.0-compliant identity provider (IdP).
Okta is an identity management service that gives any employee access to any app on any device. It is hosted on a secure server and uses cloud technologies to help companies manage and authenticate users in applications. It sells various services, including login, which is one of the most important because it has the unique feature of logging users into multiple applications through one centralized process. It is safe to use and protects our sensitive data even when others use our phones, where it would otherwise take only a few minutes to steal our personal information.
Steps
1. Sign up on Okta and log in to Okta with a developer profile
To sign up, click the link below:
https://developer.okta.com/signup/

2. Go to Directory -> People -> Add people

3. Fill in the necessary fields and click on Save
Note:
Enter the kipi id in Username.
Create the same users in the Snowflake instance with the kipi id.
You can choose how the password is set (Set by User or Set by Admin), and the user will be able to log in to Okta accordingly.

4. Navigate to Applications -> Applications -> Browse App Catalog

5. Choose Snowflake from the search panel and click on Add

6. Define the application name and subdomain of your Snowflake account
E.g.: Qw02570.ap-south-1.aws

7. Click on Next and move to Sign-On Options
8. Choose Sign-On Option as SAML 2.0

9. Click on View Setup Instructions

10. Run the below code in Snowflake and enter the data mentioned in Step 6 of Setup Instructions

use role accountadmin;
-- Create the SAML 2.0 security integration for Okta.
-- Replace each <...> placeholder with the value from Step 6 of the Setup Instructions.
CREATE SECURITY INTEGRATION OKTAINTEGRATION
TYPE = SAML2
ENABLED = TRUE
SAML2_ISSUER = '<the value from Step 6 of Setup Instructions>'
SAML2_SSO_URL = '<the value from Step 6 of Setup Instructions>'
SAML2_PROVIDER = 'OKTA'
SAML2_X509_CERT = '<the value from Step 6 of Setup Instructions>'
SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
SAML2_ENABLE_SP_INITIATED = TRUE;

11. Run the below code in Snowflake and enter your Snowflake account name in the highlighted field

use role accountadmin;
-- Point the integration at this account's ACS (assertion consumer) URL and issuer URL.
alter security integration OKTAINTEGRATION set saml2_snowflake_acs_url = 'https://<organization_name>-<account_name>.snowflakecomputing.com/fed/login';
alter security integration OKTAINTEGRATION set saml2_snowflake_issuer_url = 'https://<organization_name>-<account_name>.snowflakecomputing.com';

12. Run the below code in Snowflake

13. After setting up, click on Done

14. Your Snowflake application will be created.
15. Click on your Snowflake application

16. Assign people created above to your Snowflake application

17. Click on Assign to People

18. Assign People

19. All people assigned to the Snowflake application will be visible
20. A green indicator showing that SAML 2.0 is enabled will be visible

21. Navigate to My end user Dashboard

Note: A user who is not an Okta admin has to log in via the Okta end-user URL.
22. Navigate to My Apps and click on Snowflake

23. You should be able to log in successfully to Snowflake without entering your credentials
24. The user will be able to see a sign-in using OKTA option while logging in to Snowflake
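
Once the steps above are complete, the setup can be verified from the Snowflake side. The queries below are an added example and are not part of the original post; they assume the integration name OKTAINTEGRATION used above and a session running as ACCOUNTADMIN.

```sql
-- Added verification queries; OKTAINTEGRATION is the integration name used in steps 10 and 11.
USE ROLE ACCOUNTADMIN;

-- 1. Confirm the issuer, SSO URL, certificate, ACS URL and issuer URL
--    that were set in steps 10 and 11.
DESC SECURITY INTEGRATION OKTAINTEGRATION;

-- 2. List users with the login name that Snowflake matches against the
--    identity sent by Okta (the Username entered in step 3).
--    Users with has_password = true can still authenticate with a
--    Snowflake password instead of going through Okta.
SHOW USERS;
SELECT "name", "login_name", "disabled", "has_password"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY "has_password" DESC, "name";

-- 3. Summarize login attempts from the last hour by first authentication
--    factor, to see whether the test login in step 23 arrived through
--    SAML or through a password, and whether any attempts failed.
SELECT user_name,
       first_authentication_factor,
       is_success,
       COUNT(*)             AS attempts,
       MAX(event_timestamp) AS last_seen,
       MAX(error_message)   AS sample_error
FROM TABLE(SNOWFLAKE.INFORMATION_SCHEMA.LOGIN_HISTORY(
       TIME_RANGE_START => DATEADD('hour', -1, CURRENT_TIMESTAMP())))
GROUP BY user_name, first_authentication_factor, is_success
ORDER BY last_seen DESC;
```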

Conclusion
This is how to integrate federated authentication and enable single sign-on, which eliminates the need to manually log in to Snowflake. By enabling this, user authentication is decoupled from user access using one or more external entities (OKTA in our case) that provide independent verification of user credentials.