Snowflake SAML App Integration
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article goes through the steps required to configure Snowflake SAML SSO authentication with Okta.

Applies To
  • Snowflake SAML
  • Single Sign-On (SSO)
Solution
  1. Log in to the Okta Admin Portal.
  2. In the left pane, navigate to Applications > Applications, and in the middle of the screen, select Browse App Catalog.
  3. In the search bar, search for Snowflake and choose this application.
  4. Click on the Add Integration button.
  5. In the General settings, enter the Snowflake account identifier. Refer to the Account Identifiers documentation for additional information.
    • Depending on the type of Snowflake URL, the account identifier can be either of the bold URL sections below: 
       
      URL type                  URL format
      Regional                  https://locator.region.snowflakecomputing.com
      Organization              https://organization-name.snowflakecomputing.com
      Connection                https://organization-connection.snowflakecomputing.com
      Regional Privatelink      https://locator.region.privatelink.snowflakecomputing.com
      Organization Privatelink  https://organization-name.privatelink.snowflakecomputing.com
      Connection Privatelink    https://organization-connection.privatelink.snowflakecomputing.com
  6. In the Sign-On Options - Required section, choose SAML 2.0.
  7. In the Credentials Details section, choose the desired Application username format (this is the NameID value passed to Snowflake from Okta, which must match the LOGIN_NAME value of the users in Snowflake), and click the Done button.
  8. Click the View Setup Instructions button (this will open a new browser tab with the information necessary to configure the Snowflake side).
  9. From the new tab, scroll down to retrieve the following values and save them for later:

    1. Entity ID - also referred to as Issuer URL.
    2. IDP SSO URL - also referred to as Login URL.
    3. Authentication Certificate.

 

Configure a SAML2 Security Integration in the Snowflake account

NOTE: The ACCOUNTADMIN role is required.

  1. Log in to the Snowflake account.
  2. Open a Worksheet (Click the + icon on the top right and choose SQL).
  3. Copy and paste the below information into the Snowflake worksheet:
    • USE ROLE ACCOUNTADMIN;
      CREATE SECURITY INTEGRATION OKTAINTEGRATION
        TYPE = SAML2
        ENABLED = TRUE
        SAML2_ISSUER = '<ENTITY ID value from Step 9>'
        SAML2_SSO_URL = '<IDP SSO URL value from Step 9>'
        SAML2_PROVIDER = 'OKTA'
        SAML2_X509_CERT = '<Authentication Certificate value from Step 9>'
        SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
        SAML2_ENABLE_SP_INITIATED = TRUE
        SAML2_SNOWFLAKE_ACS_URL = '<Snowflake url>/fed/login'
        SAML2_SNOWFLAKE_ISSUER_URL = '<Snowflake url>';
  4. Replace the SAML2_ISSUER, SAML2_SSO_URL, and SAML2_X509_CERT values with the respective values retrieved in Step 9 (above).
  5. Replace the values of SAML2_SNOWFLAKE_ACS_URL and SAML2_SNOWFLAKE_ISSUER_URL with the chosen URL used to access the Snowflake account. 
    NOTE: This must match the format configured in Okta's application subdomain in Step 5 (above). 
    1. Ex: SAML2_SNOWFLAKE_ACS_URL = 'https://myorg-account.snowflakecomputing.com/fed/login' and SAML2_SNOWFLAKE_ISSUER_URL = 'https://myorg-account.snowflakecomputing.com'.
    2. Make sure to keep the quotation marks around every replaced value.
  6. Execute the SQL statement to create the SAML2 application (click the Play button on the top right).
  7. Assign the app to users in Okta and test authentication.
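
The following is an added example, not part of the original article or of Okta's or Snowflake's tooling: a Python pre-flight for steps 3 to 5 that rejects a Snowflake URL that differs from the identifier entered in Okta, strips the PEM markers from the certificate, and emits the statement with every value quoted. It assumes the Okta identifier is everything between https:// and .snowflakecomputing.com and that Snowflake takes the certificate body without the BEGIN/END lines; the function names and sample values are constructed.

```python
import base64
import re

# Assumption: the identifier entered in Okta (Step 5) is the whole host prefix.
SNOWFLAKE_URL = re.compile(r"https://([a-z0-9._-]+)\.snowflakecomputing\.com", re.I)

def sql_literal(value):
    """Quote a value as a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"

def cert_body(pem):
    """Drop PEM marker lines and whitespace; require the rest to be base64 DER."""
    body = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    der = base64.b64decode(body, validate=True)  # raises ValueError on bad input
    if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
        raise ValueError("certificate is not base64-encoded DER")
    return body

def build_integration_sql(okta_identifier, snowflake_url, entity_id, sso_url, cert_pem):
    m = SNOWFLAKE_URL.fullmatch(snowflake_url)
    if not m:
        raise ValueError("expected https://<id>.snowflakecomputing.com with no path")
    if m.group(1).lower() != okta_identifier.lower():
        raise ValueError("Snowflake URL does not match the identifier set in Okta")
    if not sso_url.startswith("https://"):
        raise ValueError("IDP SSO URL must use https")
    strings = {
        "SAML2_ISSUER": entity_id,
        "SAML2_SSO_URL": sso_url,
        "SAML2_PROVIDER": "OKTA",
        "SAML2_X509_CERT": cert_body(cert_pem),
        "SAML2_SP_INITIATED_LOGIN_PAGE_LABEL": "OKTA SSO",
        "SAML2_SNOWFLAKE_ACS_URL": snowflake_url + "/fed/login",
        "SAML2_SNOWFLAKE_ISSUER_URL": snowflake_url,
    }
    body = ["TYPE = SAML2", "ENABLED = TRUE", "SAML2_ENABLE_SP_INITIATED = TRUE"]
    body += [f"{k} = {sql_literal(v)}" for k, v in strings.items()]
    return "CREATE SECURITY INTEGRATION OKTAINTEGRATION\n  " + "\n  ".join(body) + ";"

# Constructed sample: a tiny DER SEQUENCE standing in for the real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_integration_sql(
        "myorg-account", "https://myorg-account.snowflakecomputing.com",
        "http://www.okta.com/EXAMPLE_ID",            # constructed Entity ID
        "https://example.okta.com/app/EXAMPLE/sso/saml",  # constructed SSO URL
        SAMPLE_PEM))
```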

 
