A Security Integration is an account-level object that connects Snowflake to an external identity provider (IdP) or authorization server. You choose the TYPE parameter based on the use case: SAML 2.0 for SSO, External OAuth for token-based authentication, or Snowflake OAuth for OAuth into Snowsight and official connectors. Creating one requires the ACCOUNTADMIN role (or the CREATE INTEGRATION privilege).
In a SAML 2.0 integration, Snowflake acts as the Service Provider (SP) and the external IdP acts as the Identity Provider. When a user accesses Snowsight, Snowflake redirects a SAML authentication request to the configured IdP, which returns a SAML response (Assertion) to Snowflake after authentication. Snowflake validates the Assertion's signature using the X.509 certificate, identifies the Snowflake user from the NameID, and establishes the session.
-- SAML 2.0 Security Integration (Okta example)
CREATE SECURITY INTEGRATION okta_saml_integration
TYPE = SAML2
ENABLED = TRUE
SAML2_ISSUER = 'http://www.okta.com/exk1234567890'
SAML2_SSO_URL = 'https://myorg.okta.com/app/snowflake/exk1234567890/sso/saml'
SAML2_PROVIDER = 'OKTA'
SAML2_X509_CERT = 'MIIDpDCCAoygAw...base64 certificate...'
SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Okta SSO Login'
SAML2_ENABLE_SP_INITIATED = TRUE;
-- For Azure AD
CREATE SECURITY INTEGRATION azure_ad_saml_integration
TYPE = SAML2
ENABLED = TRUE
SAML2_ISSUER = 'https://sts.windows.net/<tenant-id>/'
SAML2_SSO_URL = 'https://login.microsoftonline.com/<tenant-id>/saml2'
SAML2_PROVIDER = 'CUSTOM'
SAML2_X509_CERT = 'MIIDpDCCAoygAw...base64 certificate...'
SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Azure AD SSO'
SAML2_ENABLE_SP_INITIATED = TRUE
SAML2_SNOWFLAKE_ACS_URL = 'https://<account>.snowflakecomputing.com/fed/login'
SAML2_SNOWFLAKE_ISSUER_URL = 'https://<account>.snowflakecomputing.com';| Setting | Okta | Azure AD | PingFederate |
|---|---|---|---|
| SAML2_PROVIDER | OKTA | CUSTOM | CUSTOM |
| SAML2_ISSUER | Issuer URI from Okta metadata | https://sts.windows.net/<tenant-id>/ | PingFederate Entity ID |
| SAML2_SSO_URL | Okta application SSO URL | Azure AD SAML endpoint | PingFederate SSO URL |
| NameID format | emailAddress (recommended) | emailAddress / UPN | emailAddress / any |
| Group attribute propagation | Sent as SAML Attribute | Sent as Group Claim | Sent via Attribute mapping |
| SCIM integration | Automatic sync via Okta SCIM App | Automatic sync via Azure AD Provisioning | Requires separate SCIM configuration |
With External OAuth, Snowflake validates an access token issued by an external authorization server (Azure AD, Okta, or a custom OAuth 2.0 server) and establishes the session. Use it when connecting from BI tools or custom applications to Snowflake without passwords.
-- External OAuth (Azure AD example)
CREATE SECURITY INTEGRATION azure_external_oauth
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = AZURE
EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<tenant-id>/'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';Snowflake OAuth is the pattern where Snowflake itself acts as the authorization server. It is used for authentication in Snowsight and the official drivers/connectors, with client_id/client_secret managed on the client application side.
-- Snowflake OAuth Integration
CREATE SECURITY INTEGRATION snowflake_oauth_tableau
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = TABLEAU_DESKTOP
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 86400;
-- For custom clients
CREATE SECURITY INTEGRATION snowflake_oauth_custom
TYPE = OAUTH
ENABLED = TRUE
OAUTH_CLIENT = CUSTOM
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'https://myapp.example.com/callback'
OAUTH_ISSUE_REFRESH_TOKENS = TRUE
OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;-- List integrations
SHOW SECURITY INTEGRATIONS;
-- View details (settings and SAML SP info)
DESCRIBE SECURITY INTEGRATION okta_saml_integration;
-- Rotate the certificate
ALTER SECURITY INTEGRATION okta_saml_integration
SET SAML2_X509_CERT = 'MIIDpDCCAoygAw...new certificate...';
-- Temporarily disable
ALTER SECURITY INTEGRATION okta_saml_integration SET ENABLED = FALSE;
-- Delete
DROP SECURITY INTEGRATION okta_saml_integration;| Requirement | Recommended method | Reason |
|---|---|---|
| Browser-based SSO | SAML 2.0 | Simplest integration with Snowsight |
| BI tool authentication (e.g. Tableau) | Snowflake OAuth | Preset OAUTH_CLIENT values let you configure instantly |
| Connections from custom applications | External OAuth | Centralize token management on your existing OAuth platform |
| Batch processing and CI/CD | Key-pair authentication | Non-interactive and no token-expiry management needed |
Security & Governance
問題 1
A team has configured SAML SSO to Snowflake using Okta as the IdP. SSO works correctly overall, but some users see a 'User not found' error when logging in to Snowsight. What is the most likely cause?
正解: A
Because SSO is working, SAML authentication itself is succeeding. The 'User not found' error fires when no Snowflake user matches the NameID value (e.g. an email address) in the SAML Assertion. Verify that Okta's NameID configuration matches each Snowflake user's LOGIN_NAME or EMAIL attribute. If ENABLED were FALSE, SSO would be disabled entirely. Neither ACCOUNTADMIN role assignment nor Network Policy is a cause of this specific error.
Can I create multiple SAML2 and OAuth Security Integrations in a single account?
Only one SAML2 Security Integration can be enabled per account for SSO. Use DESCRIBE SECURITY INTEGRATION to inspect the existing SAML integration, and to switch to a new IdP either DROP and recreate it, or override settings with ALTER SECURITY INTEGRATION. OAuth integrations (External OAuth / Snowflake OAuth), on the other hand, can be created multiple times, so you can have a separate integration per client application.
Can users still log in with passwords after configuring SAML SSO?
By default, password authentication remains usable even after SAML SSO is enabled. To disable password login, run ALTER USER SET PASSWORD = '' for the target users, or use an Authentication Policy that allows only AUTHENTICATION_METHODS = ('SAML'). The SnowPro Security exam often tests the fact that enabling SSO alone does not block password login.
What action is required on Snowflake when the IdP certificate is rotated?
When the IdP's SAML signing certificate is rotated, you must replace the certificate on the Snowflake side with ALTER SECURITY INTEGRATION SET SAML2_X509_CERT = '<new certificate>'. If you miss the expiry, SSO authentication fails and every SSO user is locked out. Scheduling the Snowflake-side update before the IdP rotation is the operational key.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...