Federated Authentication and SSO in Snowflake: A Concise Overview
Centralized Authentication for Streamlined Access
Snowflake embraces federated authentication, enabling you to leverage external identity providers (IdPs) for user authentication and single sign-on (SSO) access. This approach streamlines user management and enhances security.
Key Concepts:
- Service Provider (SP): Snowflake acts as the SP, receiving authenticated user information from the IdP.
- Identity Provider (IdP): An external entity responsible for:
  - Creating and maintaining user credentials and profiles.
  - Authenticating users for SSO access to Snowflake.
- Supported IdPs:
  - Native support: Okta (hosted service) and Microsoft AD FS (on-premises).
  - Most other SAML 2.0-compliant vendors, including Google G Suite, Microsoft Azure Active Directory, OneLogin, and Ping Identity PingOne (custom application setup required).
SSO Workflows:
Federated authentication supports these SSO workflows:
- Login: Users authenticate through the IdP, seamlessly accessing Snowflake.
- Logout: Users can initiate logout from either Snowflake or the IdP, terminating sessions across both platforms.
- System Timeout: Inactive sessions expire automatically based on the configured timeout settings.
Configuration:
- Choose a compatible IdP.
- Establish a trust relationship between Snowflake and the IdP.
- Configure Snowflake to use federated authentication.
For detailed configuration steps, refer to the Snowflake documentation on configuring IdPs.
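The two configuration steps above (establishing the trust relationship and enabling federated authentication in Snowflake) are normally done with a SAML2 security integration. The following is an added example, not taken from the page or from Snowflake's documentation; the integration name, label, session policy name and every angle-bracket value are placeholders, and the parameter names are given as I know them from Snowflake's SAML2 integration, so confirm them against the current docs before use.

```sql
-- Constructed example: register the IdP as a SAML2 security integration.
-- Angle-bracket values are placeholders taken from your IdP's SAML application
-- or its metadata document.
CREATE OR REPLACE SECURITY INTEGRATION okta_sso
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = '<IdP entity ID / issuer URI from the IdP metadata>'
  SAML2_SSO_URL = '<IdP single sign-on endpoint URL>'
  SAML2_PROVIDER = 'OKTA'   -- 'ADFS' for AD FS, 'CUSTOM' for other SAML 2.0 IdPs
  SAML2_X509_CERT = '<Base64 IdP signing certificate, PEM header/footer removed>'
  -- Enables the Snowflake-initiated login workflow by showing an IdP login
  -- button on the Snowflake login page. Leave FALSE for IdP-initiated only.
  SAML2_ENABLE_SP_INITIATED = TRUE
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Sign in with Okta';

-- Other half of the trust relationship: Snowflake's own SP identifiers that the
-- IdP must be configured with (assertion consumer service URL and SP issuer).
-- Read SAML2_SNOWFLAKE_ACS_URL and SAML2_SNOWFLAKE_ISSUER_URL from this output
-- and enter them in the IdP's Snowflake application settings.
DESC SECURITY INTEGRATION okta_sso;

-- Optional, for the "System Timeout" workflow: bound idle sessions so that a
-- session left open in a browser does not stay valid indefinitely.
CREATE OR REPLACE SESSION POLICY sso_session_policy
  SESSION_IDLE_TIMEOUT_MINS = 30
  SESSION_UI_IDLE_TIMEOUT_MINS = 30;
ALTER ACCOUNT SET SESSION POLICY sso_session_policy;
```

The IdP signing certificate is what lets Snowflake verify that a SAML response really came from the IdP, so rotate it in the integration whenever the IdP rotates its key.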
Federated Authentication Login and Logout Workflows: A Concise Guide
Login Workflows:
Snowflake-Initiated Login:
- User accesses the Snowflake web interface.
- User selects login using the configured IdP.
- User authenticates with the IdP.
- Upon successful authentication, the IdP sends a SAML response to Snowflake, which initiates a session and displays the Snowflake web interface.
IdP-Initiated Login:
- User authenticates with the IdP.
- User selects the Snowflake application within the IdP.
- The IdP sends a SAML response to Snowflake, which initiates a session and displays the Snowflake web interface.
Logout Workflows:
- Standard Logout: Requires users to explicitly log out of both Snowflake and the IdP (supported by all IdPs).
- Global Logout: Logs the user out of the IdP and all Snowflake sessions (support varies by IdP).
Key Points:
- Snowflake-Initiated Logout: Terminates only the current Snowflake session; other Snowflake sessions and the IdP session remain active. Global logout cannot be initiated from within Snowflake.
- IdP-Initiated Logout: Behavior depends on IdP capabilities:
  - AD FS supports both standard and global logout.
  - Okta supports standard logout only.
  - Custom providers support standard logout; global logout support varies by provider.
Important Note: Closing a browser tab or window does not always end the IdP session. Until the IdP session times out, the user can still reach Snowflake through the IdP without re-authenticating.