How to configure Snowflake so users can connect with Okta both directly and through Cyral

A good way to start onboarding Snowflake users to Cyral is by creating a phase-in period during which users have a choice of ways to connect to Snowflake. During this period, they can connect using the existing login screen they're accustomed to, or they can connect using the Cyral-enabled Okta login page for Snowflake. In this article, we'll show you how to set this up in the form of two Okta SAML apps.

Contents

Create the Okta SAML app that lets users connect directly to Snowflake

Configure Snowflake to allow direct and sidecar-based access

Create the Okta SAML app that lets users connect through the Cyral sidecar

Configure Snowflake to allow Cyral sidecar-based access


Create the Okta SAML app that lets users connect directly to Snowflake

First, create the SAML app that will allow users to interact with Snowflake directly.

Note: If your Snowflake users are currently connecting using Okta, it's likely you have an Okta SAML app in place. To confirm, locate the Snowflake SAML Application in your Okta console and then click the Sign On tab. Under Sign on methods, make sure SAML 2.0 is selected. If it is, you can skip this section and proceed directly to the section below titled Create the Okta SAML app that lets users connect through the Cyral sidecar.

  1. Go to the Okta console and click on the Applications tab.

  2. Click Add Application, then Create New App. In the pop-up, select SAML 2.0 and click Create.

  3. Provide an App name that indicates this app will let the user connect to Snowflake directly. We’re using Snowflake (Direct) for this example. Click Next.

  4. Specify the Single sign on URL. This is the SAML Assertion Consumer Service (ACS) URL, which takes the form https://<account_name>.<region>.snowflakecomputing.com/fed/login. Note that AWS-based Snowflake accounts running in us-west-* don’t require the region to be specified.

  5. Specify the Audience URI (SP Entity ID). This is your Snowflake account URL without any URI. It takes the form https://<account_name>.<region>.snowflakecomputing.com.

  6. Click on Show Advanced Settings. Here, you’ll need to specify a SAML Issuer ID. This Issuer ID must match that of the other Snowflake SAML application you'll create. The Issuer ID should be of the form http://www.okta.com/* to maintain consistency with the typical Okta Issuer IDs. In our example we’re using http://www.okta.com/cyral-example. Click Next.

  7. In the next page, we suggest selecting the options:

    • I’m an Okta customer adding an internal app

    • This is an internal app that we have created

  8. Click Finish.

  9. Assign this SAML app to the Okta users that need to use it.

Configure Snowflake to allow direct and sidecar-based access

Next you'll configure Snowflake to use Okta as an identity provider.

Note: If your Snowflake users were already connecting using Okta, prior to this procedure, then this setup is already in place. Skip the steps below and proceed to Configure Snowflake to allow Cyral sidecar-based access.

You’ll need to get some information from the SAML applications you configured in Okta to properly configure the SAML_IDENTITY_PROVIDER property on your Snowflake account.

  1. In Okta, navigate to the SAML app you created for the Direct SSO case and click the Sign On tab. Then, click View Setup Instructions.

  2. Take note of these values. You’ll use the values labelled in the UI as 1, 2, and 3 to configure your Snowflake account’s SAML_IDENTITY_PROVIDER.

  3. Log in to Snowflake with a user that has the ACCOUNTADMIN or SECURITYADMIN role. You’ll need to execute the following Snowflake query:

alter account set saml_identity_provider = '{
  "certificate": "<X.509 Certificate without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- >",
  "issuer": "<Identity Provider Issuer>",
  "ssoUrl": "<Identity Provider Single Sign-On URL>",
  "type" : "OKTA",
  "label" : "<Whatever Label you want>"
}';

Once you've filled in the values from the setup instructions, execute the query.

  4. Once the SAML_IDENTITY_PROVIDER property is set on the account, you can enable the SSO login page with the following Snowflake query:

alter account set sso_login_page = true;

  5. At this point, using Snowflake SSO via Okta will work when accessing Snowflake directly. However, note that you’ll need to create users in your Snowflake account for each Okta user that will be using the SSO to access the Snowflake account (see step 2 in Snowflake’s Okta Setup documentation).

Create the Okta SAML app that lets users connect through the Cyral sidecar

Create the SAML app that will allow data users to interact with Snowflake through the Cyral sidecar. After a user has authenticated using this SAML app, all queries traverse the Cyral sidecar.

  1. Go to the Okta console using the Classic UI and click on the Applications tab.

  2. Click Add Application, then Create New App. In the pop-up, select SAML 2.0 and click Create.

  3. Provide an App name that indicates this app will let the user connect to Snowflake via the Cyral sidecar. We’re using Snowflake (Sidecar) for this example. Click Next.

  4. In the Configure SAML tab, set the Single sign on URL to a value in the form https://<sidecar_domain>/fed/login, replacing <sidecar_domain> with the domain name that resolves to your Cyral sidecar load balancer address. In our example we'll use https://snow-flake.cyral-test.cyral.com/fed/login. See Add a CNAME or A record for the sidecar for more about the sidecar domain.

  5. Uncheck the Use this for Recipient URL and Destination URL button (just below the Single sign on URL field).

  6. Two fields appear: Recipient URL and Destination URL. In both fields, specify your SAML Assertion Consumer Service (ACS) URL, which takes the form, https://<account_name>.<region>.snowflakecomputing.com/fed/login. Note that AWS-based Snowflake accounts running in us-west-* don’t require the region to be specified.

  7. Specify the Audience URI (SP Entity ID). This is your Snowflake account URL without any URI. It takes the form, https://<account_name>.<region>.snowflakecomputing.com.

  8. Click on Show Advanced Settings and specify the SAML Issuer ID, which is the same as the SAML Issuer ID of the direct-access SAML app you created earlier. Recall that our example uses http://www.okta.com/cyral-example. Click Next.

  9. In the next page, we suggest selecting the options:

    • I’m an Okta customer adding an internal app

    • This is an internal app that we have created

  10. Click Finish.

  11. Assign this SAML app to the Okta users that need to use it.

Configure Snowflake to allow Cyral sidecar-based access

  1. In Okta, navigate to the SAML app you created for the Sidecar SSO case and click the Sign On tab. Then, click View Setup Instructions.

  2. Take note of all these values. You’ll notice that the Identity Provider Issuer and X.509 Certificate are the same for the two apps you created; however, the Identity Provider Single Sign-On URL is unique to each app.

  3. Deploy your sidecar, passing the Identity Provider Single Sign-On URL (unique to this application) as well as the X.509 Certificate (shared between the two applications) as deployment parameters. See Install a sidecar for deployment instructions appropriate to your environment.

The relevant sidecar deployment parameters are:

  • IdPSSOLoginURL - Provide the Identity Provider Single Sign-On URL from the Okta SAML app

  • IdPCertificate - Provide the X.509 Certificate from the Okta SAML app, formatted as a single line, as explained below.

Note: Take care to format the Okta X.509 certificate correctly as a deployment parameter. This requires that you:

  • Remove the header and footer of the certificate

  • Convert the multi-line format of the certificate into a single-line format, replacing each line break with an \n character.

For example, the certificate

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----

should be converted to a single line (here we show only the start of the line for brevity):

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAA...
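The conversion described in the note above, as an added example that is not part of the Cyral documentation or the sidecar's own tooling: a small POSIX shell script that strips the BEGIN/END lines, joins the remaining lines with a literal \n, and can reverse the conversion so you can confirm the value you are about to pass as IdPCertificate is lossless. The function names (pem_to_single_line, single_line_to_pem) and the short sample certificate text are constructed for this example; a real Okta certificate has many more, longer lines.

```shell
#!/bin/sh
# Added example (not Cyral's or Okta's code): convert the PEM certificate shown on
# Okta's "View Setup Instructions" page into the single-line form expected by the
# sidecar's IdPCertificate deployment parameter: header and footer removed, and
# every line break replaced by the two characters backslash and n.

# pem_to_single_line: reads a PEM certificate on stdin, prints the single-line body.
pem_to_single_line() {
    # 1. tolerate CRLF line endings from a Windows copy/paste
    # 2. drop the -----BEGIN/END----- lines and any blank lines
    # 3. join what is left with a literal backslash-n, plus one real newline at the end
    tr -d '\r' \
        | grep -v -e '^-----' -e '^[[:space:]]*$' \
        | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 } END { printf "\n" }'
}

# single_line_to_pem: reads the single-line form on stdin, prints the PEM it came from,
# so the deployment value can be checked against the original before it is used.
single_line_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    awk '{ gsub(/\\n/, "\n"); print }'     # every literal \n becomes a real line break again
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Constructed sample (not a real certificate): three short base64-looking lines.
sample_pem='-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCC
-----END CERTIFICATE-----'

single=$(printf '%s\n' "$sample_pem" | pem_to_single_line)
# printf rather than echo: some shells' echo would turn the literal \n into a newline.
printf 'IdPCertificate=%s\n' "$single"

# Round-trip check: rebuilding the PEM from the single-line value must give the input back.
if [ "$(printf '%s\n' "$single" | single_line_to_pem)" = "$sample_pem" ]; then
    printf 'round-trip OK\n'
else
    printf 'round-trip MISMATCH\n' >&2
fi
```

To use it on the certificate you saved from Okta, run `pem_to_single_line < okta.pem` and paste the single printed line into the IdPCertificate parameter; if the round-trip output differs from the file you started with (for example because the copy/paste wrapped a line), fix the input before deploying rather than debugging the sidecar's SAML validation afterwards.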

  4. Once your sidecar is updated with these two values, you’ll be able to use the IdP-initiated login flow as well as the SP-initiated login flow to access your Snowflake account through the Cyral sidecar with your Okta identity.
