In this article, I will show you how to integrate Snowflake with Azure Active Directory (Azure AD). When you integrate Snowflake with Azure AD, you can:
- Control in Azure AD who has access to Snowflake.
- Enable your users to be automatically signed-in to Snowflake with their Azure AD accounts.
- Manage your accounts in one central location – the Azure portal.
Prerequisites
To configure Azure AD integration with Snowflake, you need the following items:
- An Azure subscription. You need to be a subscription owner to perform these steps.
- A Snowflake subscription with single sign-on enabled. You need to have the ACCOUNTADMIN role.
Add Snowflake from the gallery
To configure the integration of Snowflake into Azure AD, you need to add Snowflake from the gallery to your list of managed SaaS apps.
- Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type Snowflake in the search box.
- Select Snowflake from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Once the Snowflake app has been added to your applications in Azure AD, it should look like this.

Now select the Snowflake app, choose Single sign-on on the left side, then choose SAML in the middle pane.

In the Basic SAML Configuration section, enter the following:
- Identifier (Entity ID) – https://<account name>.region.azure.snowflakecomputing.com
- Reply URL (Assertion Consumer Service URL) – https://<account name>.region.azure.snowflakecomputing.com/fed/login
- Sign on URL – https://<account name>.region.azure.snowflakecomputing.com
- Logout URL – https://<account name>.region.azure.snowflakecomputing.com/fed/logout
After this, click Save.

On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download for both the Certificate (Base64) and the Federation Metadata XML, and save them on your computer for later use.

In the Set up Snowflake section, copy the Login URL for later use.

Now let's head over to Snowflake. Log in to Snowflake with an account that has the ACCOUNTADMIN role.
In a new worksheet, execute the following SQL to create a new SECURITY INTEGRATION:
CREATE SECURITY INTEGRATION AZUREADINTEGRATION -- any name you prefer
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'https://sts.windows.net/XXXXXXXXX/' -- the entityID in the Federation Metadata XML (Identity Provider metadata) downloaded earlier; it is a URL
  SAML2_SSO_URL = 'https://login.microsoftonline.com/XXXXXX/saml2' -- the Login URL copied from the Set up Snowflake section
  SAML2_PROVIDER = 'CUSTOM'
  SAML2_X509_CERT = '<Base64 encoded IdP signing certificate>' -- contents of the Certificate (Base64) file; do NOT include the BEGIN/END CERTIFICATE lines
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'AzureADSSO' -- label shown on the SSO button of the Snowflake login page
  SAML2_ENABLE_SP_INITIATED = TRUE;
Once the above query executes successfully, verify the integration:
desc security integration AZUREADINTEGRATION;
Check that all values match the settings in the Azure AD portal.
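The three IdP-side values in the CREATE SECURITY INTEGRATION statement (SAML2_ISSUER, SAML2_SSO_URL, SAML2_X509_CERT) all come from the Federation Metadata XML downloaded earlier, and the "do the values match" check above is easiest to do mechanically. The Python script below is an added example, not code from the original article, Snowflake or Microsoft: it parses a constructed, minimal metadata document shaped like the Azure AD download, refuses a certificate that still carries BEGIN/END lines, renders the statement with the values filled in, and compares rows in the four-column shape DESC SECURITY INTEGRATION returns (property, property_type, property_value, property_default) against the expected values. The tenant id and the certificate bytes are placeholders; the helper names are this example's own.

```python
"""Added example (not from the original article): derive the CREATE SECURITY
INTEGRATION parameters from the Azure AD Federation Metadata XML and
cross-check DESC SECURITY INTEGRATION output against them.

The metadata below is constructed for this example; the tenant id and the
certificate bytes are placeholders, not real values.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed, minimal document shaped like the Azure AD "Federation Metadata XML"
# download. A real file is XML-signed and carries more endpoints and descriptors.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIIC8DCCAdigAwIBAgIQEXAMPLEONLYNOTAREALCEQ==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the three IdP-side values the SECURITY INTEGRATION needs."""
    root = ET.fromstring(metadata_xml)
    issuer = root.attrib["entityID"]  # becomes SAML2_ISSUER

    cert_el = root.find(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("metadata has no signing certificate")
    cert = "".join(cert_el.text.split())  # drop newlines and indentation
    if "-----BEGIN" in cert:
        raise ValueError("certificate must be bare Base64, without BEGIN/END lines")
    base64.b64decode(cert, validate=True)  # rejects anything that is not Base64

    sso_url = None
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.attrib.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.attrib["Location"]  # the portal's "Login URL"
    if sso_url is None:
        raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")

    return {"SAML2_ISSUER": issuer, "SAML2_SSO_URL": sso_url, "SAML2_X509_CERT": cert}


def sql_literal(value: str) -> str:
    """Quote a value as a Snowflake single-quoted string literal."""
    return "'" + value.replace("'", "''") + "'"


def render_create_integration(name: str, settings: dict,
                              label: str = "AzureADSSO") -> str:
    """Render the statement from the article with the extracted values filled in."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", name):
        raise ValueError("integration name must be a plain Snowflake identifier")
    return "\n".join([
        f"CREATE SECURITY INTEGRATION {name}",
        "  TYPE = SAML2",
        "  ENABLED = TRUE",
        f"  SAML2_ISSUER = {sql_literal(settings['SAML2_ISSUER'])}",
        f"  SAML2_SSO_URL = {sql_literal(settings['SAML2_SSO_URL'])}",
        "  SAML2_PROVIDER = 'CUSTOM'",
        f"  SAML2_X509_CERT = {sql_literal(settings['SAML2_X509_CERT'])}",
        f"  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = {sql_literal(label)}",
        "  SAML2_ENABLE_SP_INITIATED = TRUE;",
    ])


def verify_desc_rows(rows, settings: dict) -> list:
    """Compare DESC SECURITY INTEGRATION rows (property, property_type,
    property_value, property_default) with the values from the metadata.
    Returns the names of the properties whose value differs."""
    actual = {prop: value for prop, _type, value, _default in rows}
    return [prop for prop, expected in settings.items() if actual.get(prop) != expected]


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print(render_create_integration("AZUREADINTEGRATION", settings))
    # Constructed DESC output in which the SSO URL was mistyped.
    desc_rows = [
        ("SAML2_ISSUER", "String", settings["SAML2_ISSUER"], ""),
        ("SAML2_SSO_URL", "String", "https://login.microsoftonline.com/common/saml2", ""),
        ("SAML2_X509_CERT", "String", settings["SAML2_X509_CERT"], ""),
    ]
    print("mismatched:", verify_desc_rows(desc_rows, settings))  # ['SAML2_SSO_URL']
```

The script never connects to Snowflake: paste the rendered statement into a worksheet, then feed the rows from DESC SECURITY INTEGRATION back into verify_desc_rows. The Base64 check is the mechanical form of the "do not enter the BEGIN or END CERTIFICATE tags" note above, and the HTTP-Redirect SingleSignOnService location is the same value the portal shows as the Login URL.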
The final step is to create users in Snowflake for your Azure AD accounts. Here is the query for that:
USE ROLE ACCOUNTADMIN;
-- LOGIN_NAME must match the NameID in the SAML assertion Azure AD sends (the user principal name by default)
CREATE USER snowflakeuser1_azuread PASSWORD = '' LOGIN_NAME = 'AZUREADUSER1@YOURCOMPANY.com' DISPLAY_NAME = 'Azure AD User 1';
Finally, you can verify that the configuration worked by trying to log in to your Snowflake account. Below is a screenshot showing the option to log in with Azure AD. Enjoy!
