Snowflake Security: Federated Authentication and SSO using OKTA

In this blog, we are going to see how we can use OKTA as a federated authentication provider to connect to Snowflake.

What is Federated Authentication & SSO?

Federated authentication enables a user to connect to Snowflake using secure SSO (single sign-on). With SSO enabled, your users authenticate through an external, SAML 2.0-compliant identity provider (IdP).

In federated authentication, user authentication is separated from user access through the use of one or more external entities (in our case, OKTA) that provide independent authentication of user credentials.

In the Snowflake login screen, the user needs to click on the IdP Sign-in option and authenticate themselves. Once authenticated, they are immediately granted access to Snowflake.

See Snowflake login screen using OKTA below:

[Image: Snowflake login screen]
[Image: OKTA authentication page]

What is an Identity provider (IdP)?

Identity providers (IdPs) are external, independent entities responsible for providing the following services to the service provider (SP):

  • Creating and maintaining user credentials and other profile information.
  • Authenticating users for SSO access to the SP.

OKTA has native Snowflake support for federated authentication and SSO.

Note: To use an IdP other than Okta or ADFS, you must define a custom application for Snowflake in the IdP.

What is OKTA?

Okta connects any person with any application on any device.

It’s an enterprise-grade identity management service, built for the cloud, but compatible with many on-premises applications. With Okta, IT can manage any employee’s access to any application or device. Okta runs in the cloud, on a secure, reliable, extensively audited platform, which integrates deeply with on-premises applications, directories, and identity management systems.

Okta features include provisioning, Single Sign-On (SSO), Active Directory (AD) and LDAP integration, the centralized de-provisioning of users, multifactor authentication (MFA), mobile identity management, and flexible policies for organization security and control.

Okta is consistently named a Leader by major analyst firms and is trusted by 13,000+ customers to secure digital interactions and accelerate innovation.

In the Forrester report, Okta received the highest possible score in 14 of the 18 evaluation criteria, including product vision, innovation roadmap, user experience and navigation, and supporting products and services.

Source: OKTA website

How does the user connect to Snowflake using OKTA?

Below is the IdP-initiated login flow:

  1. The user goes to the IdP site/application and authenticates using their IdP credentials (e.g. email address and password).
  2. In the IdP, the user clicks on the Snowflake application (if using Okta or ADFS) or the custom application that has been defined in the IdP (if using another IdP).
  3. The IdP sends a SAML response to Snowflake to initiate a session and then displays the Snowflake web interface.

How does the user disconnect from Snowflake using OKTA?

OKTA supports standard logout, which requires users to explicitly log out of both the IdP (OKTA) and Snowflake to completely disconnect. All IdPs support standard logout.

When a user logs out of Okta, they are not automatically logged out of any of their active Snowflake sessions and they can continue working. However, to initiate any new Snowflake sessions, they must authenticate again through Okta.

Can the IdP session time out?

After a certain period of time defined in the IdP, a user’s session in the IdP automatically times out, but this does not impact their existing Snowflake session. For any future Snowflake session, they need to re-authenticate.

Is OKTA a free IdP?

No, but OKTA does provide a 30-day free trial to get a feel for what OKTA can do for you and your organization.

How to set up OKTA for Snowflake?

You can follow the Snowflake documentation below for the OKTA setup.

You can follow the Snowflake documentation below to understand how to configure the Snowflake end.

If you are still not sure how to set up OKTA for Snowflake after reading the above documentation, you can follow my instructions in the video below:

How does the client application connect to Snowflake using SSO?

With an IdP (Okta, ADFS, or any of the other supported SAML 2.0-compliant services/applications) configured for your account, Snowflake supports using SSO to connect and authenticate with the following Snowflake-provided clients:

  • SnowSQL → v1.1.43 or higher
  • Python Connector → v1.4.8 or higher
  • JDBC Driver → v3.2.7 or higher
  • ODBC Driver → v2.13.11 or higher
  • .NET Driver → v1.0.13 or higher
  • Node.js Driver → v1.6.0 or higher (for browser-based SSO); v1.6.1 or higher (for native SSO authentication through Okta)

Snowflake supports two methods of SSO authentication:

  • Browser-based SSO
  • Programmatic SSO (only for Okta)
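To make the two methods concrete for the Python Connector listed above, here is an added example (not code from the original post or from Snowflake) that builds the keyword arguments snowflake.connector.connect() takes for browser-based SSO versus programmatic Okta SSO, and checks the security-relevant rules before any network call. The account, user and Okta URL values are constructed placeholders, and the accepted Okta domain suffixes are an assumption you may need to adjust for your org.

```python
"""Build Snowflake Python Connector kwargs for the two SSO methods."""
from urllib.parse import urlparse

# Assumed Okta domain suffixes; adjust if your org uses a different one.
OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")


def sso_connect_kwargs(method, account, user, okta_url=None, password=None):
    """Return the connect() kwargs for the chosen SSO method.

    "browser": authenticator='externalbrowser'. The connector opens the
               system browser, Okta authenticates the user, and no password
               ever passes through this process.
    "okta":    authenticator='https://<org>.okta.com'. The connector posts
               the user's Okta password to Okta itself (Okta only).
    """
    if method == "browser":
        if password is not None:
            raise ValueError("browser-based SSO must not be given a password")
        return {"account": account, "user": user,
                "authenticator": "externalbrowser"}
    if method == "okta":
        parsed = urlparse(okta_url or "")
        host_ok = any(parsed.netloc == d or parsed.netloc.endswith("." + d)
                      for d in OKTA_DOMAINS)
        # Only the org's own HTTPS Okta URL is acceptable; anything else would
        # send the user's Okta password to the wrong place or in clear text.
        if parsed.scheme != "https" or not host_ok:
            raise ValueError("okta_url must be the org's https://<org>.okta.com URL")
        if not password:
            raise ValueError("programmatic Okta SSO requires the user's Okta password")
        return {"account": account, "user": user,
                "authenticator": okta_url, "password": password}
    raise ValueError(f"unknown SSO method: {method!r}")


def connect_with_sso(**kwargs):
    """Open the Snowflake session; imported lazily so the rest runs offline."""
    import snowflake.connector  # requires the Snowflake Python Connector
    return snowflake.connector.connect(**kwargs)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own account and user.
    print(sso_connect_kwargs("browser", "myorg-myaccount", "jane@example.com"))
    print(sso_connect_kwargs("okta", "myorg-myaccount", "jane@example.com",
                             okta_url="https://myorg.okta.com",
                             password="<okta password>"))
```

Pass the returned dict to connect_with_sso(**kwargs) to open the session; with "browser" you will be sent to the OKTA page shown earlier, with "okta" the connector signs in on your behalf.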

Hope this blog & YouTube video help you get insight into Snowflake Security Federated Authentication and SSO using OKTA. If you are interested in learning more about Snowflake federation & SSO, you can refer to the Snowflake documentation. Feel free to ask a question in the comment section if you have any doubts regarding this. Give a clap if you like the blog. Stay connected to see many more such cool things. Thanks for your support.

You Can Find Me:

Follow me on Medium: https://rajivgupta780184.medium.com/

Follow me on Twitter: https://twitter.com/RAJIVGUPTA780

Connect with me on LinkedIn: https://www.linkedin.com/in/rajiv-gupta-618b0228/

Subscribe to my YouTube Channel: https://www.youtube.com/c/RajivGuptaEverydayLearning

#Keep learning #Keep Sharing #Everyday Learning.
