Creating an Okta SSO application for a Satori-protected Snowflake account

Snowflake supports the SAML 2.0 protocol for federated authentication, allowing organizations to use their existing identity provider (IdP), such as Okta, to authenticate users. We’ve seen many organizations use the Snowflake and Okta combo to simplify user management and authentication to their Snowflake account. In this guide, we’ll show you how to create an Okta application for your Satori-protected Snowflake account.

When protecting a Snowflake data store with Satori, clients should connect through the Satori-generated hostname instead of the *.snowflakecomputing.com hostname. However, the default Okta application for Snowflake does not allow you to change the hostname it redirects to after authentication. We recommend creating a custom SAML 2.0 Okta application to overcome this. This guide provides step-by-step instructions on how to do this.

Before we begin, make sure you have the appropriate permissions to do the following:

  1. Add a new application in Okta

  2. Use the ACCOUNTADMIN or SECURITYADMIN role in Snowflake

Creating a new Okta application

  1. Go to the Applications view in the Okta admin console

  2. Select “Create New App” and choose SAML 2.0

  3. Enter the application name and any additional details, such as a logo

  4. Under “General,” in the Single Sign-On URL field, enter the Snowflake login URL with your Satori-generated hostname. For example:

    https://abc123-us-east-1.a.p0.satoricyber.net/fed/login

  5. Uncheck the “Use this for Recipient URL and Destination URL” option

  6. Enter the original Snowflake login URL in the following fields: Recipient URL, Destination URL, and Audience URI (SP Entity ID). For example:

    Recipient URL: https://abc123-us-east-1.snowflakecomputing.com/fed/login

    Destination URL: https://abc123-us-east-1.snowflakecomputing.com/fed/login

    Audience URI: https://abc123-us-east-1.snowflakecomputing.com/fed/login

  7. Complete the rest of the fields and click “Finish”

Once the new application is assigned to users, they’ll be able to log in to Snowflake via Satori. Please note that users who are still assigned to the old application can continue to use it to log in to Snowflake unless you decide otherwise.

Known Limitations

The new Okta application we created works alongside your existing Snowflake Okta application, but only when users log in to Snowflake via their Okta dashboard. For users logging in using the “Single Sign On” button on the Snowflake login page or other login flows that are not triggered from the Okta dashboard, Snowflake will use the existing Snowflake application.

To move your entire user base to logging in to Snowflake with Okta SSO via Satori, perform the following steps:

  1. Assign all users to the new Okta application you created instead of the existing Snowflake application

  2. Configure Snowflake to use the new Okta application you created:

    1. Log in to Snowflake using the ACCOUNTADMIN or SECURITYADMIN role

    2. Run the following query, copying the relevant values from the setup instructions in Okta:

    alter account set saml_identity_provider = '{
      "certificate": "[Certificate from setup instructions*]",
      "issuer": "[Issuer from setup instructions]",
      "ssoUrl": "[SSO URL from setup instructions]",
      "type": "OKTA",
      "label": ""
    }';

* The certificate should be copied without newlines (“\n”) and without the header and footer (“BEGIN CERTIFICATE”, “END CERTIFICATE”).
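As an added example (not part of the original guide or Satori's own tooling), the following Python helper turns the certificate copied from Okta's setup page into the form the statement above needs (no header, no footer, no newlines), checks that it still decodes as base64 DER, and emits the ALTER ACCOUNT statement. The PEM body and the Okta issuer and SSO URL values in it are constructed placeholders, not real Okta values.

```python
import base64
import json
import re
import textwrap

# Constructed placeholder: a tiny DER SEQUENCE standing in for a real X.509
# certificate, wrapped the way Okta's setup page shows it (64-char lines,
# BEGIN/END CERTIFICATE header and footer). Not a real certificate.
PLACEHOLDER_DER = b"\x30\x0e\x02\x01\x01\x04\x09satoridoc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)

def pem_to_snowflake_cert(pem: str) -> str:
    """Return the certificate as Snowflake expects it: the base64 body only,
    with header, footer and every newline removed. Rejects input that does
    not decode to a DER SEQUENCE (e.g. a paste that kept the header text)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return body

def build_saml_idp_statement(certificate_pem: str, issuer: str,
                             sso_url: str, label: str = "") -> str:
    """Fill the ALTER ACCOUNT statement from the guide with the values copied
    from Okta. The JSON is one line; single quotes are doubled for the literal."""
    if not sso_url.startswith("https://"):
        raise ValueError("ssoUrl must be an https:// URL")
    payload = {
        "certificate": pem_to_snowflake_cert(certificate_pem),
        "issuer": issuer,
        "ssoUrl": sso_url,
        "type": "OKTA",
        "label": label,
    }
    return "alter account set saml_identity_provider = '%s';" % (
        json.dumps(payload).replace("'", "''"))

if __name__ == "__main__":
    # Placeholder Okta values; replace with those shown in your Okta app.
    print(build_saml_idp_statement(
        SAMPLE_PEM, "http://www.okta.com/exk_placeholder",
        "https://example.okta.com/app/placeholder/sso/saml"))
```

Paste the printed statement into a Snowflake worksheet while using the ACCOUNTADMIN or SECURITYADMIN role.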