Overview of federated authentication and SSO

204 viewsConnecting to Snowflakesnowflake security

Overview of federated authentication and SSO

Alejandro Penzini Answered question December 20, 2023

Federated Authentication and SSO in Snowflake: A Concise Overview

Centralized Authentication for Streamlined Access

Snowflake embraces federated authentication, enabling you to leverage external identity providers (IdPs) for user authentication and single sign-on (SSO) access. This approach streamlines user management and enhances security.

Key Concepts:

– Service Provider (SP): Snowflake acts as the SP, receiving authenticated user information from the IdP.
– Identity Provider (IdP): An external entity responsible for:
Creating and maintaining user credentials and profiles.
Authenticating users for SSO access to Snowflake.

– Supported IdPs:
– Native Support: Okta (hosted service), Microsoft AD FS (on-premises)
Most SAML 2.0-compliant vendors, including Google G Suite, Microsoft Azure Active Directory, OneLogin, Ping Identity PingOne (custom application setup required).

SSO Workflows:

Federated authentication supports these SSO workflows:

Login: Users authenticate through the IdP, seamlessly accessing Snowflake.
Logout: Users can initiate logout from either Snowflake or the IdP, terminating sessions across both platforms.
System Timeout: Inactive sessions automatically expire based on configured settings.


– Choose a compatible IdP.
– Establish a trust relationship between Snowflake and the IdP.
– Configure Snowflake to use federated authentication.

For detailed configuration steps, refer to the Snowflake documentation on configuring IdPs.

Federated Authentication Login and Logout Workflows: A Concise Guide

Login Workflows:

Snowflake-Initiated Login:

– User accesses the Snowflake web interface.
– User selects login using the configured IdP.
– User authenticates with the IdP.

Upon successful authentication, the IdP sends a SAML response to Snowflake, initiating a session and displaying the Snowflake web interface.

-IdP-Initiated Login:

-User authenticates with the IdP.
-User selects the Snowflake application within the IdP.
The IdP sends a SAML response to Snowflake, initiating a session and displaying the Snowflake web interface.

Logout Workflows:

– Standard Logout: Requires users to explicitly log out of both Snowflake and the IdP (supported by all IdPs).
– Global Logout: Logs the user out of the IdP and all Snowflake sessions (support varies by IdP).

Key Points:

Snowflake-Initiated Logout: Terminates only the current Snowflake session; other sessions and the IdP session remain active. Global logout is not supported from within Snowflake.

IdP-Initiated Logout: Behavior depends on IdP capabilities:
AD FS supports both standard and global logout.
Okta supports standard logout only.
Custom providers support standard logout, with global logout varying by provider.

Important Note: Closing a browser tab/window doesn’t always end an IdP session. Users might still access Snowflake until the IdP session times out.

Alejandro Penzini Answered question December 20, 2023