SAML Integration

Configuration can be provided to the Snowflake Object Lifecycle Engine for the following operation on SAML integrations:

  • Manage Lifecycle of new and existing SAML Integrations

Supported Parameters

The engine supports the parameters listed below.

  • SAML2_ISSUER: The string containing the IdP EntityID / Issuer.
    • REQUIRED
    • Configuration key: saml2_issuer
    • Data Type: String
      Caution: The SAML2_ISSUER URLs must be distinct across SAML2 integrations.

  • SAML2_PROVIDER: The string describing the IdP. One of the following: OKTA, ADFS, Custom.
    • REQUIRED
    • Configuration key: saml2_provider
    • Data Type: String
    • Possible Values:
      • OKTA
      • ADFS
      • Custom
  • SAML2_SSO_URL: The string containing the IdP SSO URL, where the user should be redirected by Snowflake (the Service Provider) with a SAML AuthnRequest message.
    • REQUIRED
    • Configuration key: saml2_sso_url
    • Data Type: String
  • SAML2_X509_CERT: The Base64 encoded IdP signing certificate on a single line without the leading -----BEGIN CERTIFICATE----- and ending -----END CERTIFICATE----- markers.
    • REQUIRED
    • Configuration key: saml2_x509_cert
    • Data Type: String
  • ENABLED: Specifies whether this security integration is enabled or disabled.
    • Configuration key: enabled
    • Data Type: Boolean
      Caution: There can only be one enabled SAML2 integration.

  • SAML2_ENABLE_SP_INITIATED: The Boolean indicating if the Log In With button will be shown on the login page.
    • Configuration key: saml2_enable_sp_initiated
    • Data Type: Boolean
      Tip: TRUE displays the Log In With button on the login page.
      FALSE does not display the Log In With button on the login page.

  • SAML2_FORCE_AUTHN: The Boolean indicating whether users, during the initial authentication flow, are forced to authenticate again to access Snowflake.
    • Configuration key: saml2_force_authn
    • Data Type: Boolean
      Note: If SAML2_FORCE_AUTHN is specified, its initial value must be FALSE; after creation the user can update it to either Boolean value.

      Info: When set to TRUE, Snowflake sets the ForceAuthn SAML parameter to TRUE in the outgoing request from Snowflake to the identity provider.

      Tip: TRUE forces users to authenticate again to access Snowflake, even if a valid session with the identity provider exists.
      FALSE does not force users to authenticate again to access Snowflake.

  • SAML2_POST_LOGOUT_REDIRECT_URL: The endpoint to which Snowflake redirects users after clicking the Log Out button in the classic Snowflake web interface.
    • Configuration key: saml2_post_logout_redirect_url
    • Data Type: String
      Info: Snowflake terminates the Snowflake session upon redirecting to the specified endpoint.

  • SAML2_REQUESTED_NAMEID_FORMAT: The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake.
    • Configuration key: saml2_requested_nameid_format
    • Data Type: String
    • Possible Values:
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
      • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (Default)
  • SAML2_SIGN_REQUEST: The Boolean indicating whether SAML requests are signed.
    • Configuration key: saml2_sign_request
    • Data Type: Boolean
      Note: If SAML2_SIGN_REQUEST is specified, its initial value must be FALSE; after creation the user can update it to either Boolean value.

      Tip: TRUE allows SAML requests to be signed.
      FALSE does not allow SAML requests to be signed.

  • SAML2_SNOWFLAKE_ACS_URL: The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake.
    • Configuration key: saml2_snowflake_acs_url
    • Data Type: String
      Info: This property is set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP.

      Caution: If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.
      Default: https://<account_locator>.<region>.snowflakecomputing.com/fed/login

  • SAML2_SNOWFLAKE_ISSUER_URL: The string containing the EntityID / Issuer for the Snowflake service provider.
    • Configuration key: saml2_snowflake_issuer_url
    • Data Type: String
      Caution: If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.
      Default: https://<account_locator>.<region>.snowflakecomputing.com

  • SAML2_SNOWFLAKE_X509_CERT: The Base64 encoded self-signed certificate generated by Snowflake for use with Encrypting SAML Assertions and Signed SAML Requests.
    • Configuration key: saml2_snowflake_x509_cert
    • Data Type: String
      Info: You must have at least one of these features (encrypted SAML assertions or signed SAML responses) enabled in your Snowflake account to access the certificate value.

  • SAML2_SP_INITIATED_LOGIN_PAGE_LABEL: The string containing the label to display after the Log In With button on the login page.
    • Configuration key: saml2_sp_initiated_login_page_label
    • Data Type: String
  • NAMESPACING: Specifies whether a prefix, a suffix, or both are added to the SAML integration name.
    • Configuration key: namespacing
    • Data Type: String
    • Possible Values:
      • none
      • prefix
      • suffix
      • both (Default)
  • ENVIRONMENT: Specifies the environment in which the SAML integration is managed. A regular expression can be provided as well.
    • Configuration key: environment
    • Data Type: String
  • MANAGE_MODE: Configures what properties to manage for the SAML Integration.
    • Configuration key: manage_mode
    • Data Type: String
    • Possible Values:
      • none
      • all (Default)

Basic syntax

saml_integrations:
  <saml_integrations-name>:
    <configuration-key>: <value>

Examples

saml_integrations:
  SAML_INTEGRATION:
    saml2_provider: "CUSTOM"
    saml2_enable_sp_initiated: true
    saml2_issuer: "test_issuer"
    saml2_post_logout_redirect_url: "https://webtest.com/logout/"
    saml2_sign_request: true
    saml2_sso_url: "https://testsamlissuer.com"
    saml2_x509_cert: "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"
    enabled: true
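The parameter constraints above (required keys, provider values, NameID formats, single-line Base64 certificate, FALSE-at-creation rules, distinct issuers, one enabled integration) are easy to get wrong before the engine ever sees the YAML. The following pre-flight validator is an added example, not part of the engine or of this page; it works on the already-parsed saml_integrations mapping, and the SAMPLE dictionary and the "MIIBCg==" certificate stub are constructed values.

```python
import base64
import binascii

REQUIRED = ("saml2_issuer", "saml2_provider", "saml2_sso_url", "saml2_x509_cert")
PROVIDERS = {"OKTA", "ADFS", "CUSTOM"}
NAMEID_FORMATS = {f"urn:oasis:names:tc:SAML:{v}:nameid-format:{n}" for v, n in [
    ("1.1", "unspecified"), ("1.1", "X509SubjectName"), ("1.1", "WindowsDomainQualifiedName"),
    ("2.0", "kerberos"), ("2.0", "persistent"), ("2.0", "transient"), ("1.1", "emailAddress")]}
# Constructed sample, not a real certificate: "MIIBCg==" decodes to bytes 30 82 01 0a.
SAMPLE = {"SAML_INTEGRATION": {"saml2_provider": "CUSTOM", "saml2_issuer": "test_issuer",
          "saml2_sso_url": "https://testsamlissuer.com", "saml2_x509_cert": "MIIBCg==", "enabled": True}}


def check_cert(cert):
    """Return None if cert is a single-line Base64 DER certificate body, else the reason it is not."""
    if "-----" in cert or "\n" in cert:
        return "must be one Base64 line without the BEGIN/END CERTIFICATE markers"
    try:
        der = base64.b64decode(cert, validate=True)
    except (binascii.Error, ValueError):
        return "is not valid Base64"
    if not der or der[0] != 0x30:  # a DER-encoded X.509 certificate is an ASN.1 SEQUENCE
        return "does not decode to a DER certificate"
    return None


def validate(saml_integrations, creating=True):
    """Return a list of problems for a saml_integrations mapping; an empty list means it passes."""
    problems, issuers, enabled = [], {}, []
    for name, cfg in saml_integrations.items():
        for key in REQUIRED:
            if key not in cfg:
                problems.append(f"{name}: missing required key {key}")
        if str(cfg.get("saml2_provider", "OKTA")).upper() not in PROVIDERS:
            problems.append(f"{name}: saml2_provider must be OKTA, ADFS or Custom")
        fmt = cfg.get("saml2_requested_nameid_format")
        if fmt is not None and fmt not in NAMEID_FORMATS:
            problems.append(f"{name}: unsupported saml2_requested_nameid_format {fmt}")
        if "saml2_x509_cert" in cfg and (reason := check_cert(cfg["saml2_x509_cert"])):
            problems.append(f"{name}: saml2_x509_cert {reason}")
        for key in ("saml2_sign_request", "saml2_force_authn"):  # FALSE required at creation
            if creating and cfg.get(key) is True:
                problems.append(f"{name}: {key} must be false on initial creation")
        iss = cfg.get("saml2_issuer")  # issuers must be distinct across integrations
        if iss is not None and issuers.setdefault(iss, name) != name:
            problems.append(f"{name}: saml2_issuer duplicates {issuers[iss]}")
        if cfg.get("enabled") is True:
            enabled.append(name)
    if len(enabled) > 1:  # the engine allows only one enabled SAML2 integration
        problems.append("only one SAML2 integration may be enabled: " + ", ".join(enabled))
    return problems
```

Run validate() on the mapping under the saml_integrations key before applying the configuration; pass creating=False when updating an existing integration so that TRUE for SAML2_SIGN_REQUEST or SAML2_FORCE_AUTHN is accepted.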