Skip to content

SAML-based Single Sign-On for Snowflake (SSO)

SAML-based SSO is supported by Satori for Snowflake. Follow the instructions below to configure a SAML 2.0 application in your Identity Provider to route users who login using SSO via Satori.

Create a SAML Application

The first step is to create a SAML application in your Identity Provider that points to Satori instead of directly to Snowflake.

Okta

  1. Go to the Applications view in the Okta admin console
  2. Select “Create New App” and choose SAML 2.0
  3. Enter app name and additional details like logo, etc.
  4. Under “General”, in the Single Sign-On URL, enter the Snowflake login URL with your Satori generated hostname. For example: https://abc123.us-east1.a.p0.satoricyber.net/fed/login
  5. Uncheck the “Use this for Recipient URL and Destination URL” option
  6. Enter the Snowflake original login URL in the following fields: Recipient URL, Destination URL, Audience URI (SP Identity ID). For example: https://abc123.us-east1.snowflakecomputing.com/fed/login
  7. Complete the rest of the fields and click “Finish”

Screenshot

OneLogin

  1. Go to the Applications view in the OneLogin console.
  2. Select Add App and select the SAML Custom Connector (Advanced) application.
  3. Set a name, description and logo for the application and select Save.
  4. Select the Configuration tab.
  5. Enter your original Snowflake hostname in the following fields: Audience (EntityID), Recipient and ACS (Consumer) URL Validator. For example: https://abc123.us-east1.snowflakecomputing.com/fed/login.
  6. Enter the Satori hostname in the ACS (Consumer) URL field, for example: https://abc123.us-east1.a.p0.satoricyber.net/fed/login.
  7. In the SSO tab, select the SHA-256 option in the SAML Signature Algorithm field.

Screenshot

AzureAD

When using AzureAD as the Snowflake SAML Identity Provider, Satori acts as a SAML proxy between AzureAD and Snowflake. Follow these steps to configure the trust relationship between AzureAD and Satori.

  1. Go to the Satori management console.
  2. Select the Identity Providers section, click Add and select AzureAD.
  3. Select the Snowflake data store to configure the integration for.
  4. In a new browser window, go to your AzureAD console and access the Enterprise Application view.
  5. Select the application you use to enable access to a Satori-protected data store.
  6. Select the Single sign-on view and press Edit in the Basic SAML Configuration section.
  7. Change the Identifier (Entity ID) field to the value of the Satori Identifier (Entity ID), as shown in the Satori management console. For example, from https://abc123.us-east-1.snowflakecomputing.com/ to https://abc123.us-east-1.a.p0.satoricyber.net.
  8. Change the Reply URL (Assertion Consumer Service URL) field to the value of the Satori Reply URL (Assertion Consumer Service URL) as shown in the Satori management console. For example, from https://abc123.us-east-1.snowflakecomputing.com/fed/login to https://abc123.us-east-1.a.p0.satoricyber.net/fed/login.
  9. In the SAML Signing Certificate section, download the Certificate (Base64) file.
  10. Upload the certificate file to the Satori management console in the SAML Signing Certificate (Azure) field.
  11. Copy the Login URL and AzureAD Identifier fields from the Set up section in AzureAD.
  12. Update the Login URL and AzureAD Identifier fields in the Satori management console using the values you copied in the previous step.

Configure Snowflake

After a SAML application has been configured in the Identity Provider, configure Snowflake to trust the new SAML application. See the Snowflake documentation for reference.

Please note that when updating existing SAML-based SSO integration in Snowflake, access to Snowflake via an existing application might be disabled.