SAML Integration

You can provide configuration to the Snowflake Object Lifecycle Engine (SOLE) for the following operations with SAML integrations:

  • Manage the Lifecycle of new and existing SAML Integrations
  • Manage Grants of SAML Integrations

Usage

saml_integrations:
  <saml_integrations-name>:
    <configuration-key>: <value>
    grants:
      <privilege>:
        - <role-name>
        - <role-name>

Supported parameters

The engine supports the parameters listed below.

Each entry gives the configuration key, whether it is required or optional, its data type and values, and a description.

saml2_issuer (Required; String)
  Contains the IdP EntityID / Issuer.
  Caution: The saml2_issuer URLs must be distinct across SAML2 integrations.

saml2_provider (Required; String: ADFS, Custom, OKTA)
  Describes the IdP.

saml2_sso_url (Required; String)
  Contains the IdP SSO URL, to which Snowflake (the service provider) redirects you with a SAML AuthnRequest message.

saml2_x509_cert (Required; String)
  The Base64-encoded IdP signing certificate on a single line, without the leading -----BEGIN CERTIFICATE----- and trailing -----END CERTIFICATE----- markers.
  Caution: Expired certificates will return an error. See the Snowflake documentation.

deleted (Optional; Boolean: True enables deletion prevention, False does nothing)
  Specifies what objects are allowed to be deleted.

enabled (Optional; Boolean)
  Specifies whether this security integration is enabled or disabled.
  Caution: There can only be one enabled SAML2 integration.

environment (Optional; String)
  Specifies the environment in which the SAML Integration is managed. A regex can be provided as well.

manage_mode (Optional; String: all (default), none)
  Configures what properties to manage for the SAML Integration. See Changing Manage Mode before changing the value.

namespacing (Optional; String: both (default), none, prefix, suffix)
  Specifies whether a prefix, a suffix, or both are added to the SAML integration name.

saml2_enable_sp_initiated (Optional; Boolean)
  Indicates whether the Log in With button is displayed on the login page. TRUE displays the button; FALSE does not.

saml2_force_authn (Optional; Boolean)
  Indicates whether, during the initial authentication flow, you are forced to authenticate again to access Snowflake. You must set the initial value to FALSE; you can then update it as needed.
  Info: TRUE forces a reauthentication to access Snowflake, even if a valid session with the identity provider exists, while FALSE does not. When set to TRUE, Snowflake sets the ForceAuthn SAML parameter to TRUE in the outgoing request to the identity provider.

saml2_post_logout_redirect_url (Optional; String)
  Specifies the endpoint to which Snowflake redirects you after you click the Log Out button in the classic Snowflake web interface.
  Info: Snowflake terminates the session upon redirecting to the specified endpoint.

saml2_requested_nameid_format (Optional; String: see Possible values below)
  Allows Snowflake to set an expectation of the identifying attribute (i.e., the SAML Subject) that the IdP returns in the SAML assertion, to ensure a valid authentication to Snowflake.

saml2_sign_request (Optional; Boolean)
  Indicates whether SAML requests are signed. TRUE allows SAML requests to be signed; FALSE does not. You must set the initial value to FALSE; you can then update it as needed.

saml2_snowflake_acs_url (Optional; String)
  Contains the Snowflake Assertion Consumer Service URL to which the IdP sends back its SAML authentication response. This property is set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. Default: https://<account_locator>.<region>.snowflakecomputing.com/fed/login
  Caution: If this value is incorrect, Snowflake returns an error indicating the value to use.

saml2_snowflake_issuer_url (Optional; String)
  Contains the EntityID / Issuer for the Snowflake service provider. Default: https://<account_locator>.<region>.snowflakecomputing.com
  Caution: If this value is incorrect, Snowflake returns an error indicating the value to use.

saml2_snowflake_x509_cert (Optional; String)
  Contains the Base64-encoded self-signed certificate generated by Snowflake to use with encrypting SAML assertions and signed SAML requests.
  Info: You must have at least one of the features encrypted SAML assertions or signed SAML responses enabled in your Snowflake account to access the certificate value.

saml2_sp_initiated_login_page_label (Optional; String)
  Contains the label to display after the Log In With button on the login page.

Possible values for saml2_requested_nameid_format

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default)
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Supported SAML integration grants to roles

The following access privileges can be granted to roles in the SAML integration definition:

  • ALL PRIVILEGES
  • USAGE
  • USE_ANY_ROLE
  • OWNERSHIP

ALL PRIVILEGES handling

When you define ALL PRIVILEGES in the SOLE configuration file, you grant all the privileges listed above to roles on this object except OWNERSHIP. However, the management of ALL PRIVILEGES in SOLE differs from its handling in Snowflake. See Handling ALL PRIVILEGES in SOLE for more information.

Examples

saml_integrations:
  SAML_INTEGRATION:
    grants:
      USAGE:
        - ROLE_1
    saml2_provider: "CUSTOM"
    saml2_enable_sp_initiated: true
    saml2_issuer: "test_issuer"
    saml2_post_logout_redirect_url: "https://webtest.com/logout/"
    saml2_sign_request: false
    saml2_sso_url: "https://testsamlissuer.com"
    saml2_x509_cert: "<Base64-encoded IdP signing certificate, single line, no PEM markers>"
    enabled: true
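The parameter table above states several constraints that SOLE or Snowflake only reports at apply time (required keys, the allowed saml2_provider values, distinct saml2_issuer values, a single enabled SAML2 integration, a one-line Base64 certificate without PEM markers, and the supported grant privileges). The following added pre-commit lint is example code, not part of SOLE or this documentation; it takes the already-parsed configuration as a dict (load the YAML file with yaml.safe_load in practice) and checks a constructed sample config, whose integration names, URLs and certificate bytes are invented.

```python
import base64

REQUIRED = ("saml2_issuer", "saml2_provider", "saml2_sso_url", "saml2_x509_cert")  # per the table
PROVIDERS = {"ADFS", "CUSTOM", "OKTA"}
PRIVILEGES = {"ALL PRIVILEGES", "USAGE", "USE_ANY_ROLE", "OWNERSHIP"}


def check_cert(name, cert):
    """saml2_x509_cert must be one line of Base64 without the PEM BEGIN/END markers."""
    if "CERTIFICATE-----" in cert:
        return [f"{name}: saml2_x509_cert must not include the PEM BEGIN/END markers"]
    try:
        der = base64.b64decode(cert, validate=True)  # validate=True rejects newlines and spaces
    except ValueError:
        return [f"{name}: saml2_x509_cert is not a single line of valid Base64"]
    if not der or der[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return [f"{name}: saml2_x509_cert does not decode to a DER certificate"]
    return []  # expiry is not checked here; Snowflake rejects expired certificates itself


def lint_saml_integrations(config):
    """Return a list of findings for the saml_integrations section of a SOLE config dict."""
    findings, issuers, enabled = [], {}, []
    for name, spec in config.get("saml_integrations", {}).items():
        findings += [f"{name}: missing required key {k}" for k in REQUIRED if k not in spec]
        if "saml2_provider" in spec and str(spec["saml2_provider"]).upper() not in PROVIDERS:
            findings.append(f"{name}: saml2_provider must be one of ADFS, Custom, OKTA")
        issuer = spec.get("saml2_issuer")
        if issuer in issuers:  # issuers must be distinct across SAML2 integrations
            findings.append(f"{name}: saml2_issuer duplicates {issuers[issuer]}")
        elif issuer is not None:
            issuers[issuer] = name
        if "saml2_x509_cert" in spec:
            findings += check_cert(name, str(spec["saml2_x509_cert"]))
        findings += [f"{name}: unsupported privilege {p}" for p in spec.get("grants", {}) if p not in PRIVILEGES]
        if spec.get("enabled") is True:
            enabled.append(name)
    if len(enabled) > 1:  # only one SAML2 integration may be enabled at a time
        findings.append("only one enabled SAML2 integration is allowed: " + ", ".join(enabled))
    return findings


# Constructed sample (not from the page): a shared issuer, two enabled integrations, and PEM
# markers left in one certificate. FAKE_DER is a tiny ASN.1 SEQUENCE, not a real certificate.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = {"saml_integrations": {
    "OKTA_PROD": {"saml2_provider": "OKTA", "saml2_issuer": "https://idp.example.test",
                  "saml2_sso_url": "https://idp.example.test/sso", "saml2_x509_cert": FAKE_DER,
                  "enabled": True, "grants": {"USAGE": ["ROLE_1"]}},
    "OKTA_OLD": {"saml2_provider": "OKTA", "saml2_issuer": "https://idp.example.test",
                 "saml2_sso_url": "https://idp.example.test/sso", "enabled": True,
                 "saml2_x509_cert": "-----BEGIN CERTIFICATE-----\n" + FAKE_DER}}}
```

Running lint_saml_integrations(SAMPLE) reports the duplicate issuer, the PEM markers and the second enabled integration; an empty list means the configuration satisfies the constraints the table states.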