Author: Ankit Chauhan
What is Single Sign-On (SSO)?
SSO (single sign-on) is an authentication mechanism that allows users to safely log in to various applications and websites with just one set of credentials.
How does SSO work?
SSO is built on a trust relationship between a service provider (Snowflake in our case) and an identity provider (Azure Active Directory or AWS SSO in this post). This trust relationship is typically established by exchanging a certificate between the identity provider and the service provider. The certificate is used to authenticate the identity information the identity provider sends to the service provider, guaranteeing that it comes from a trusted source. SSO carries this information in the form of tokens containing identifying information about the user, such as an email address or a username.
The login flow usually looks like this:
1. A user navigates to the Service Provider, which is the application or website they want to access.
2. As part of a request to authenticate the user, the Service Provider sends a token to the SSO system, aka the Identity Provider, containing some information about the user, such as their email address.
3. The Identity Provider checks whether the user has already been authenticated; if so, it grants the user access to the Service Provider application and skips to step 5.
4. If the user hasn’t already logged in, they’ll be asked to do so by entering their credentials at the Identity Provider. This could be as simple as a username and password, or it could involve another type of authentication, such as a One-Time Password (OTP).
5. Once the Identity Provider has verified the credentials, it returns a token to the Service Provider indicating that authentication succeeded.
6. This token is sent to the Service Provider via the user’s browser.
7. The Service Provider validates the token it receives using the trust relationship that the Service Provider and the Identity Provider established during the initial configuration.
8. The user is given access to the Service Provider.
Benefits of using single sign-on include:
- Improved user productivity. Various logins are no longer required, and users are no longer compelled to remember multiple passwords in order to access network resources.
- Simpler administration. SSO-related duties are carried out in a transparent manner as part of routine maintenance, with the same tools as other administrative tasks.
- Better administrative control. All network management data is housed in a single location. This means that each user’s rights and privileges are listed in a single, official location. This allows the administrator to adjust a user’s privileges while knowing that the changes will be reflected throughout the whole network.
- Better network security. Users who write down their passwords are a common cause of security breaches, so eliminating numerous passwords decreases this risk. Finally, because network management information has been consolidated, the administrator may be confident that when she disables a user’s account, it is fully disabled.
In short, SSO ensures that users do not have to enter their credentials more than once by relying on a centralized authentication service that all other applications and systems use for authentication.
AWS SSO with Snowflake:
- Create an account on AWS – Free Cloud Computing Services – AWS Free Tier (amazon.com)
- After logging in, search for AWS SSO.
- Select AWS Single Sign-On.
- Click on Enable AWS SSO.
- The process takes around 30-50 seconds to complete.
- To add and configure a custom SAML application (Snowflake in our case):
- Choose applications in the left navigation pane of the AWS SSO interface. Then choose to add a new application.
- In the Select an application dialog box, type Snowflake and select Snowflake from the drop-down. Then select Add application.
- Fill in the Display Name and Description (optional) of the application in the Details section of the AWS SSO console’s Configure page.
- Login to your Snowflake account (example: https://ACCOUNTNAME.snowflakecomputing.com) as an administrator (with the ACCOUNTADMIN or SECURITYADMIN role).
- Click on Worksheet.
- Paste the following query in the worksheet window, but do not run the query.
alter account set saml_identity_provider = '{ "certificate": "CERTIFICATE", "ssoUrl": "SSOURL", "type": "Custom" }';
alter account set sso_login_page = true;
- Download the AWS SSO certificate from the AWS SSO Configure page, copy its content, and paste it into the certificate attribute in place of CERTIFICATE.
- Insert the AWS SSO sign-in URL from the AWS Configure page into ssoUrl in place of SSOURL.
- Execute the commands.
- Return to the AWS SSO console page where the Application is being configured.
- Under Application metadata, choose “If you don’t have a metadata file, you can manually type your metadata values” to display the application metadata settings.
- Insert these values:
| Field | Value |
| --- | --- |
| Application ACS URL | https://ACCOUNTNAME.snowflakecomputing.com/fed/login |
| Application SAML audience | https://ACCOUNTNAME.snowflakecomputing.com |
- Choose Save Changes.
- Next, click on the Attribute mappings tab.
- For the attribute Account, replace ACCOUNTNAME with your Account name.
- Choose Save Changes.
- In AWS SSO, assign a user to the application.
- In the AWS SSO console, choose Users in the left navigation pane. Then choose to Add a New User.
- Fill in the user details carefully, as this is an important step.
- Go to the Snowflake worksheet and change the user’s login_name to your email address with the following command:
alter user user_name set login_name = '<email id>';
Eg:- alter user SNOWFLAKESSO set login_name = 'abc@gmail.com';
Note: run desc user user_name to see the current login_name.
- On the AWS SSO Add a user page, the Email address must be the same as the login_name set above (if it differs, the login will fail with an error).
- After successfully adding a user, go back to the Applications page and select the Assigned Users tab.
- In that, click on Assign Users and add the recently created user to the Application.
Verifying SSO from AWS SSO
- The user will receive an email asking them to accept the invitation to access the AWS Single Sign-On (SSO) user portal.
- Click on Accept Invitation; it will redirect you to a page and will ask you to reset your password. Do it!
- Access the AWS SSO end-user portal (the link is given in the email) using the credentials of a user assigned to the Snowflake application.
- In the list of applications, choose Snowflake to initiate login to Snowflake.
- If the login is successful, you will be signed in to the Snowflake application.
Verifying Service Provider Initiated SSO from Snowflake
- Access Snowflake using the following URL: https://ACCOUNTNAME.snowflakecomputing.com.
- Click on Single Sign-On.
- On the Snowflake home page, verify that both Snowflake and AWS SSO are logged in with the same user.
- If the login is successful, you will be signed in to the Snowflake application.
Note: If the login was not successful, please see the troubleshooting steps.
Azure Active Directory SSO with Snowflake
- Create an account on Microsoft Azure – Azure – Sign up
- Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type Snowflake in the search box.
- Select Snowflake from the results panel, give the app a name (AAD_SSO_Snowflake in our case), and click Create.
- The next page will look something like this.
- Next, click on the Set up single sign-on option.
- On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, there are a few required fields we need to fill in.
- Click the pencil icon for Basic SAML Configuration to edit the settings.
- In the Basic SAML Configuration section, perform the following steps if you wish to configure the application in IDP initiated mode:
- In the Identifier text box, type a URL using the following pattern: https://<SNOWFLAKE-URL>.snowflakecomputing.com
- In the Reply URL text box, type a URL using the following pattern: https://<SNOWFLAKE-URL>.snowflakecomputing.com/fed/login
- On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download next to Certificate (Base64) and save the file on your computer.
- If you are unable to open the downloaded certificate, use this site to view your certificate – SECURITY File Extension
Create an Azure AD test user
In this section, you’ll create a test user in the Azure portal called B.Simon.
- From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, follow these steps:
- In the Name field, enter B.Simon (for example purposes).
- In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
- Select the Show password checkbox, and then write down the value that’s displayed in the Password box.
- Click Create.
Assign the Azure AD test user
In this section, you’ll enable B.Simon to use Azure single sign-on by granting access to Snowflake.
- In the Azure portal, select Enterprise Applications, and then select All applications.
- In the applications list, select Snowflake.
- On the app’s overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
- In the Add Assignment dialog, click the Assign button.
Configure Snowflake SSO
- In a different web browser window, log in to Snowflake as a Security Administrator.
- Switch your role to ACCOUNTADMIN by clicking your profile at the top right of the page.
- Open the downloaded Base64 certificate. Copy the value between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and paste it inside the quotation marks next to certificate in the statement below. For ssoUrl, paste the Login URL value that you copied from Set up <YourApplication name> in the Azure portal. Select all the queries and click Run.
use role accountadmin;
alter account set saml_identity_provider = '{
"certificate": "<Paste the content of downloaded certificate from Azure portal>",
"ssoUrl": "<Login URL value which you have copied from the Azure portal>",
"type": "custom",
"label": "AzureAD"
}';
alter account set sso_login_page = TRUE;
- One more important thing to remember is to set the Snowflake user’s login_name to the email address of the user you created in the Azure portal and assigned to the Snowflake SSO application.
You can do that with the following commands:
desc user <SnowflakeAccountName>;
alter user <SnowflakeAccountName> set login_name = '<users_email_id>';
- You can find the user’s email address in the Azure portal by clicking Users and groups in the left pane and then clicking the user’s name.
Copy the email address shown there and paste it into your Snowflake worksheet in place of <users_email_id> in the command above, then execute the command.
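The account and user configuration from the AWS and Azure sections above, collected into one worksheet as an added example (this is not code from the original post). The certificate body, SSO URL, user name and email address are placeholders to replace with your own values. Whoever can set saml_identity_provider decides which IdP Snowflake trusts, so keep this to ACCOUNTADMIN/SECURITYADMIN, check the parameter after setting it, and keep the commented kill-switch at the end handy in case SSO misbehaves.

```sql
-- Run as ACCOUNTADMIN (SECURITYADMIN is enough for the user statements).
use role accountadmin;

-- Inspect what the account currently has before changing anything.
show parameters like 'saml_identity_provider' in account;
show parameters like 'sso_login_page' in account;

-- Register the IdP. Placeholder values (constructed for this example):
--   MIIC...    : Base64 body of the IdP signing certificate, i.e. the text
--                between the BEGIN CERTIFICATE / END CERTIFICATE lines
--   ssoUrl     : the IdP's SSO / Login URL from the AWS or Azure console
--   label      : text shown on the Snowflake login page's SSO button
alter account set saml_identity_provider = '{
  "certificate": "MIIC...<placeholder certificate body>...",
  "ssoUrl": "https://idp.example.com/sso/saml",
  "type": "custom",
  "label": "AzureAD"
}';

-- Show the Single Sign-On button on the Snowflake login page.
alter account set sso_login_page = true;

-- Confirm both parameters took effect.
show parameters like 'saml_identity_provider' in account;
show parameters like 'sso_login_page' in account;

-- Map the Snowflake user to the identity the IdP asserts (the user's email).
-- login_name must match the IdP email exactly, or the SAML login fails.
desc user snowflakesso;                                   -- placeholder user
alter user snowflakesso set login_name = 'b.simon@contoso.com';  -- placeholder email
show users like 'snowflakesso';

-- Kill-switch: if SSO breaks, hide the SSO button and drop the IdP config,
-- then log in with a local password as ACCOUNTADMIN and fix the values.
-- alter account set sso_login_page = false;
-- alter account unset saml_identity_provider;
```

Keep a second ACCOUNTADMIN user with a local password available while testing, so a wrong certificate or URL cannot lock every administrator out of the account.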
Test SSO
- Click Test this application in the Azure portal. This redirects you to the Snowflake Sign-on URL, where you can initiate the login flow.
- Alternatively, go to the Snowflake Sign-on URL directly and initiate the login flow from there.
Recommended videos:
- Azure ActiveDirectory SSO with Snowflake – Hashmap Megabytes – Ep 6 – YouTube
- Managing Users by Integrating Snowflake with Azure Active Directory | Snowflake Inc. – YouTube