
Configure Google Workspace as an identity provider for Snowflake SSO

Federated authentication enables your users to connect to Snowflake using secure SSO (single sign-on). With SSO enabled, your users authenticate through an external, SAML 2.0-compliant identity provider (IdP). In this article we will see how to configure Google Workspace as an identity provider for Snowflake SSO.

Unlike the SCIM (System for Cross-domain Identity Management) integrations with Okta and Azure, Snowflake does not support automatic user provisioning from Google Workspace. You will therefore have to create your users in Snowflake manually; if automatic provisioning is a requirement, consider the Okta or Azure SCIM integration with Snowflake instead (as of the time of writing).

Prerequisite

The next set of instructions assumes you have access to the Google Workspace admin console to configure Snowflake as an application.

Configure Google Workspace

  • Log into Google Admin console for your Google Workspace account

  • Navigate to Apps –> Web and mobile apps –> Add app –> Add custom SAML app

  • Enter a name for the application and upload a Snowflake logo

  • Click “Download IdP metadata” and keep the downloaded file safe; it is required in the next steps

  • Fill in the service provider details. In this case the service provider is Snowflake, so provide its ACS URL, Entity ID, Name ID format and Name ID:

    ACS URL: https://[ACCOUNT].[region].snowflakecomputing.com/fed/login
    Entity ID: https://[ACCOUNT].[region].snowflakecomputing.com
    Name ID format: EMAIL
    Name ID: Basic Information > Primary email

    You should already have this information, but it can also be retrieved by running the query below:

    -- Lists the hostnames Snowflake uses for this account; the
    -- SNOWFLAKE_DEPLOYMENT row is the host to use in the ACS URL and Entity ID
    select t.value:type::varchar as type,
           t.value:host::varchar as host,
           t.value:port as port
    from table(flatten(input => parse_json(system$whitelist()))) as t
    where type = 'SNOWFLAKE_DEPLOYMENT';
    
  • Click “Finish” on this page to complete adding the SAML app. Since this process cannot auto-provision users and groups, the group mapping here adds no value.

  • Navigate to “Apps > Web and mobile apps > Snowflake - Entechlog > Service Status”, click on “All users in the account” and turn the service on for all users

Configure Snowflake

  • Log into Snowflake as account admin

  • Update the SQL below with the certificate, issuer and ssoUrl values from the IdP metadata XML, then execute it to set up SAML_IDENTITY_PROVIDER

    use role accountadmin;
    -- certificate: the base64 body of the X509Certificate element from the
    -- IdP metadata, on a single line with no BEGIN/END CERTIFICATE lines;
    -- issuer: the entityID; ssoUrl: the SingleSignOnService location
    alter account set SAML_IDENTITY_PROVIDER =
    '{
      "certificate": "MII...WxO",
      "issuer": "https://accounts.google.com/o/saml2?idpid=Cxxxxxxx",
      "ssoUrl": "https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxx",
      "type"  : "custom",
      "label" : "GoogleSSO"
    }';
    -- shows the "Sign in using GoogleSSO" button on the Snowflake login page
    alter account set sso_login_page = true;
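As an added example (not part of the original post, and not Snowflake's or Google's own code), this Python script pulls the three values out of the downloaded IdP metadata XML and renders the ALTER ACCOUNT statement, so the certificate is not hand-copied across line breaks. The metadata document, the idpid and the certificate body are constructed placeholders, and treating the HTTP-POST binding as the ssoUrl is an assumption.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the file the "Download IdP metadata" step produces;
# the idpid and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=Cxxxxxxx">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      TUlJ
      Li4uV3hP
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxx"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml, label="GoogleSSO"):
    """Return the dict Snowflake expects in SAML_IDENTITY_PROVIDER."""
    root = ET.fromstring(metadata_xml)
    issuer, idp = root.get("entityID"), root.find("md:IDPSSODescriptor", NS)
    if not issuer or idp is None:
        raise ValueError("not an IdP metadata document (entityID or IDPSSODescriptor missing)")
    # Google wraps the base64 certificate over several lines; Snowflake wants one line
    # with no PEM header. A KeyDescriptor without 'use' serves signing and encryption.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    cert = "".join(certs[0].split()) if certs else ""
    base64.b64decode(cert, validate=True)  # raises binascii.Error on a mangled blob
    # Assumption: the HTTP-POST endpoint is the ssoUrl; Google publishes the same
    # location under both bindings, so fall back to whichever binding is present.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(HTTP_POST) or next(iter(sso.values()), None)
    if not (cert and sso_url):
        raise ValueError("metadata lacks a signing certificate or a SingleSignOnService")
    return {"certificate": cert, "issuer": issuer, "ssoUrl": sso_url, "type": "custom", "label": label}

def alter_account_sql(settings):
    """Render the ALTER ACCOUNT statement; single quotes are doubled for the SQL literal."""
    body = json.dumps(settings, indent=2).replace("'", "''")
    return f"alter account set SAML_IDENTITY_PROVIDER = '{body}';"
```

Run `print(alter_account_sql(idp_settings(open("GoogleIDPMetadata.xml").read())))` against the real download to get a statement ready to paste into a Snowflake worksheet.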
    

Validate login

  • Add users to Snowflake. This can be done manually using the SQL below or using Terraform

    -- The login name must match the Name ID (primary email) that Google asserts
    CREATE USER "example@entechlog.com";

  • Navigate to the login URL for your account and click “Sign in using GoogleSSO”. This should authenticate you into Snowflake if the integration was set up without errors.

Hope this was helpful. Did I miss something ? Let me know in the comments OR in the forum section.
