Migrating the Snowflake Identity Provider from Okta to Azure Active Directory

Azure Active Directory (Azure AD) is one of the most popular identity providers among Snowflake customers. Snowflake supports Azure AD as an external authentication provider through SAML 2.0 for user single sign-on, and through OAuth for client applications. This article is a reference for customers migrating their Snowflake identity provider from Okta to Azure AD.

Azure AD also provides native SCIM integration with Snowflake through the Snowflake Enterprise Application, which is easy to configure. Azure AD users and groups are synced into Snowflake as users and roles, so access can be managed centrally in Azure AD instead of user by user in Snowflake.

Advantages of Azure AD

Azure AD provides the following advantages for Snowflake Customers.

· Increased security and compliance

· Single Sign-On (SSO) and multi-factor authentication (MFA)

· Central Management of Users and Groups through SCIM

· Support for client applications through OAuth

· Seamless SSO experience with Power BI and Snowflake

Migrating SSO from Okta to Azure AD

1. Configure the Snowflake application in Azure AD. Follow Azure AD SSO integration with Snowflake.

2. The existing SAML registration must be a SAML2 security integration. Accounts that still use the deprecated SAML_IDENTITY_PROVIDER account parameter can migrate it to an integration with the function below; the second argument is the identity provider issuer (Entity ID), and the Azure AD tenant ID is available in the Azure portal.

select system$migrate_saml_idp_registration('<integration_name>', 'https://sts.windows.net/<Tenant_ID>/');

3. Update the SAML issuer, SSO URL, provider type and signing certificate on the integration to the Azure AD values. The certificate is the Base64-encoded IdP signing certificate on a single line, without the BEGIN CERTIFICATE and END CERTIFICATE markers. Every ALTER takes effect immediately, so set all properties in a single statement (properties in SET are separated by spaces, not commas) to avoid a window in which the issuer already points at Azure AD while the certificate is still Okta's. The login page label is only shown when SAML2_ENABLE_SP_INITIATED is true.

alter security integration <integration_name> set
  SAML2_PROVIDER = 'CUSTOM'
  SAML2_ISSUER = 'https://sts.windows.net/<Tenant_ID>/'
  SAML2_SSO_URL = 'https://login.microsoftonline.com/<Tenant_ID>/saml2'
  SAML2_X509_CERT = '<Base64 encoded IdP signing certificate>'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Login with Azure AD';

4. Each Snowflake user's LOGIN_NAME must match the NameID (Unique User Identifier) claim sent by Azure AD, which defaults to the user principal name (UPN) configured in the application. Either set the Snowflake LOGIN_NAME to the UPN, or change the claim in the Azure AD application to an attribute that already matches the existing login names.
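The SSO cut-over above as one script, added here as a worked example that is not from the original article. It assumes a hypothetical SAML2 integration named AZURE_AD_SSO, a <Tenant_ID> placeholder for the Azure AD tenant, and a placeholder for the single-line Base64 signing certificate downloaded from the Azure AD application.

```sql
use role accountadmin;

-- One ALTER so SSO is never left half-migrated (issuer pointing at Azure AD while
-- the certificate is still Okta's). Properties in SET are space-separated.
alter security integration AZURE_AD_SSO set
    SAML2_PROVIDER  = 'CUSTOM'
    SAML2_ISSUER    = 'https://sts.windows.net/<Tenant_ID>/'
    SAML2_SSO_URL   = 'https://login.microsoftonline.com/<Tenant_ID>/saml2'
    SAML2_X509_CERT = '<Base64 encoded IdP signing certificate, one line, no BEGIN/END markers>'
    SAML2_ENABLE_SP_INITIATED = true
    SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Login with Azure AD';

-- Read back the values the Azure AD side must be configured with: the application's
-- "Identifier (Entity ID)" must equal SAML2_SNOWFLAKE_ISSUER_URL and its "Reply URL"
-- must equal SAML2_SNOWFLAKE_ACS_URL, otherwise Azure AD rejects the request.
describe security integration AZURE_AD_SSO;
select "property", "property_value"
from table(result_scan(last_query_id()))
where "property" in ('SAML2_ISSUER', 'SAML2_SSO_URL', 'SAML2_ENABLE_SP_INITIATED',
                     'SAML2_SNOWFLAKE_ISSUER_URL', 'SAML2_SNOWFLAKE_ACS_URL');

-- Pre-flight for step 4: enabled users whose LOGIN_NAME is not in UPN form will not
-- be matched by the default NameID claim (user.userprincipalname). Fix these, or change
-- the claim in Azure AD, before telling users to switch.
show users;
select "name", "login_name"
from table(result_scan(last_query_id()))
where "disabled" = 'false'
  and "login_name" not like '%@%';
```

Run this from a session that does not depend on SSO (an ACCOUNTADMIN with a password and MFA) and keep that session open until a test user has signed in through Azure AD; if the certificate or issuer is wrong, SSO logins fail until the integration is corrected.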

Migrating Okta SCIM to Azure AD SCIM

1. Create a SCIM security integration for Azure AD with its own provisioner role. To configure the Azure AD side, follow Azure SCIM Integration with Snowflake.

use role accountadmin;

-- Dedicated role the SCIM integration runs as; it owns every user and role it provisions.
create role if not exists aad_provisioner;
grant create user on account to role aad_provisioner;
grant create role on account to role aad_provisioner;
grant role aad_provisioner to role accountadmin;

create or replace security integration aad_provisioning
  type = scim
  scim_client = 'azure'
  run_as_role = 'AAD_PROVISIONER';

-- Returns the bearer token to paste into the Azure AD application's Provisioning > Secret Token field.
-- The token expires after six months and must be regenerated before then.
select system$generate_scim_access_token('AAD_PROVISIONING');

2. Transfer ownership of the users and roles that the Okta SCIM integration created to the role aad_provisioner. A SCIM integration can only update objects owned by its RUN_AS_ROLE, so anything left owned by the Okta provisioner role will fail to sync from Azure AD.

3. Disable provisioning for the Snowflake application in Okta, then drop the Okta security integration; its SCIM access token can no longer be used once the integration is gone.

4. The Azure AD attribute mapped to the SCIM userName (the UPN by default) must match the Snowflake LOGIN_NAME, otherwise the first sync creates duplicate users instead of updating the existing ones. If the names differ, adjust the attribute mapping or use a custom attribute. To configure custom attributes, follow Snowflake custom attributes in Azure AD SCIM user provisioning.
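Steps 2 and 3 as a runnable Snowflake Scripting block, added here as an example that is not from the original article. It assumes a hypothetical Okta provisioner role named OKTA_PROVISIONER and a hypothetical Okta SCIM integration named OKTA_PROVISIONING; the new role AAD_PROVISIONER is the one created above. It goes slightly beyond the text by moving roles as well as users, since Okta group pushes create roles that the Okta provisioner role owns too.

```sql
use role accountadmin;

-- Move every user and role still owned by the Okta provisioner role to the Azure AD
-- provisioner role. The SCIM integration can only manage objects owned by its
-- RUN_AS_ROLE, so anything left behind would fail to sync.
execute immediate $$
declare
    moved_users integer default 0;
    moved_roles integer default 0;
begin
    show users;
    let user_cur cursor for
        select "name" as user_name
        from table(result_scan(last_query_id()))
        where "owner" = 'OKTA_PROVISIONER';
    for u in user_cur do
        execute immediate 'grant ownership on user "' || u.user_name || '" to role AAD_PROVISIONER';
        moved_users := moved_users + 1;
    end for;

    show roles;
    let role_cur cursor for
        select "name" as role_name
        from table(result_scan(last_query_id()))
        where "owner" = 'OKTA_PROVISIONER';
    for r in role_cur do
        execute immediate 'grant ownership on role "' || r.role_name || '" to role AAD_PROVISIONER';
        moved_roles := moved_roles + 1;
    end for;

    return 'users moved: ' || moved_users::string || ', roles moved: ' || moved_roles::string;
end;
$$;

-- Nothing should remain owned by the Okta role before its integration is dropped.
show users;
select count(*) as okta_owned_users
from table(result_scan(last_query_id()))
where "owner" = 'OKTA_PROVISIONER';

-- Disable provisioning for the Snowflake app in Okta first so it stops pushing changes,
-- then drop the integration so its SCIM token is no longer usable.
drop integration if exists OKTA_PROVISIONING;
```

Run the ownership transfer before the first Azure AD provisioning cycle; once the users are owned by AAD_PROVISIONER, Azure AD matches them on userName and updates them in place rather than creating duplicates.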


Shankar Narayanan SGS
Snowflake Builders Blog: Data Engineers, App Developers, AI/ML, & Data Science

Principal CSA @ Microsoft supporting Snowflake as Partner ISV. Responsible for supporting Snowflake Customers and Microsoft integrations with Snowflake