Overview of federated authentication and SSO

413 viewsConnecting to Snowflakesnowflake security

Overview of federated authentication and SSO

Alejandro Penzini Answered question December 20, 2023

Federated Authentication and SSO in Snowflake: A Concise Overview

Centralized Authentication for Streamlined Access

Snowflake embraces federated authentication, enabling you to leverage external identity providers (IdPs) for user authentication and single sign-on (SSO) access. This approach streamlines user management and enhances security.

Key Concepts:

- Service Provider (SP): Snowflake acts as the SP, receiving authenticated user information from the IdP.
- Identity Provider (IdP): An external entity responsible for:
Creating and maintaining user credentials and profiles.
Authenticating users for SSO access to Snowflake.

- Supported IdPs:
- Native Support: Okta (hosted service), Microsoft AD FS (on-premises)
Most SAML 2.0-compliant vendors, including Google G Suite, Microsoft Azure Active Directory, OneLogin, Ping Identity PingOne (custom application setup required).

SSO Workflows:

Federated authentication supports these SSO workflows:

Login: Users authenticate through the IdP, seamlessly accessing Snowflake.
Logout: Users can initiate logout from either Snowflake or the IdP, terminating sessions across both platforms.
System Timeout: Inactive sessions automatically expire based on configured settings.


- Choose a compatible IdP.
- Establish a trust relationship between Snowflake and the IdP.
- Configure Snowflake to use federated authentication.

For detailed configuration steps, refer to the Snowflake documentation on configuring IdPs.

Federated Authentication Login and Logout Workflows: A Concise Guide

Login Workflows:

Snowflake-Initiated Login:

- User accesses the Snowflake web interface.
- User selects login using the configured IdP.
- User authenticates with the IdP.

Upon successful authentication, the IdP sends a SAML response to Snowflake, initiating a session and displaying the Snowflake web interface.

-IdP-Initiated Login:

-User authenticates with the IdP.
-User selects the Snowflake application within the IdP.
The IdP sends a SAML response to Snowflake, initiating a session and displaying the Snowflake web interface.

Logout Workflows:

- Standard Logout: Requires users to explicitly log out of both Snowflake and the IdP (supported by all IdPs).
- Global Logout: Logs the user out of the IdP and all Snowflake sessions (support varies by IdP).

Key Points:

Snowflake-Initiated Logout: Terminates only the current Snowflake session; other sessions and the IdP session remain active. Global logout is not supported from within Snowflake.

IdP-Initiated Logout: Behavior depends on IdP capabilities:
AD FS supports both standard and global logout.
Okta supports standard logout only.
Custom providers support standard logout, with global logout varying by provider.

Important Note: Closing a browser tab/window doesn't always end an IdP session. Users might still access Snowflake until the IdP session times out.

Alejandro Penzini Answered question December 20, 2023

Maximize Your Data Potential With ITS

Feedback on Q&A