Snowflake

Snowflake Security Integrations: Designing and Implementing SAML/OAuth

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

A Security Integration is an account-level object that connects Snowflake to an external identity provider (IdP) or authorization server. You choose the TYPE parameter based on the use case: SAML 2.0 for SSO, External OAuth for token-based authentication, or Snowflake OAuth for OAuth into Snowsight and official connectors. Creating one requires the ACCOUNTADMIN role (or the CREATE INTEGRATION privilege).

How SAML 2.0 Security Integrations Work

In a SAML 2.0 integration, Snowflake acts as the Service Provider (SP) and the external IdP acts as the Identity Provider. When a user accesses Snowsight, Snowflake redirects a SAML authentication request to the configured IdP, which returns a SAML response (Assertion) to Snowflake after authentication. Snowflake validates the Assertion's signature using the X.509 certificate, identifies the Snowflake user from the NameID, and establishes the session.

Creating a SAML2 Security Integration

-- SAML 2.0 Security Integration (Okta example)
CREATE SECURITY INTEGRATION okta_saml_integration
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://www.okta.com/exk1234567890'
  SAML2_SSO_URL = 'https://myorg.okta.com/app/snowflake/exk1234567890/sso/saml'
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = 'MIIDpDCCAoygAw...base64 certificate...'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Okta SSO Login'
  SAML2_ENABLE_SP_INITIATED = TRUE;

-- For Azure AD
CREATE SECURITY INTEGRATION azure_ad_saml_integration
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'https://sts.windows.net/<tenant-id>/'
  SAML2_SSO_URL = 'https://login.microsoftonline.com/<tenant-id>/saml2'
  SAML2_PROVIDER = 'CUSTOM'
  SAML2_X509_CERT = 'MIIDpDCCAoygAw...base64 certificate...'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Azure AD SSO'
  SAML2_ENABLE_SP_INITIATED = TRUE
  SAML2_SNOWFLAKE_ACS_URL = 'https://<account>.snowflakecomputing.com/fed/login'
  SAML2_SNOWFLAKE_ISSUER_URL = 'https://<account>.snowflakecomputing.com';

IdP Configuration Comparison

SettingOktaAzure ADPingFederate
SAML2_PROVIDEROKTACUSTOMCUSTOM
SAML2_ISSUERIssuer URI from Okta metadatahttps://sts.windows.net/<tenant-id>/PingFederate Entity ID
SAML2_SSO_URLOkta application SSO URLAzure AD SAML endpointPingFederate SSO URL
NameID formatemailAddress (recommended)emailAddress / UPNemailAddress / any
Group attribute propagationSent as SAML AttributeSent as Group ClaimSent via Attribute mapping
SCIM integrationAutomatic sync via Okta SCIM AppAutomatic sync via Azure AD ProvisioningRequires separate SCIM configuration

External OAuth Security Integration

With External OAuth, Snowflake validates an access token issued by an external authorization server (Azure AD, Okta, or a custom OAuth 2.0 server) and establishes the session. Use it when connecting from BI tools or custom applications to Snowflake without passwords.

-- External OAuth (Azure AD example)
CREATE SECURITY INTEGRATION azure_external_oauth
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = AZURE
  EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<tenant-id>/'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('https://<account>.snowflakecomputing.com')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'LOGIN_NAME'
  EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';

Snowflake OAuth Security Integration

Snowflake OAuth is the pattern where Snowflake itself acts as the authorization server. It is used for authentication in Snowsight and the official drivers/connectors, with client_id/client_secret managed on the client application side.

-- Snowflake OAuth Integration
CREATE SECURITY INTEGRATION snowflake_oauth_tableau
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

-- For custom clients
CREATE SECURITY INTEGRATION snowflake_oauth_custom
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://myapp.example.com/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

Security Integration Management Commands

-- List integrations
SHOW SECURITY INTEGRATIONS;

-- View details (settings and SAML SP info)
DESCRIBE SECURITY INTEGRATION okta_saml_integration;

-- Rotate the certificate
ALTER SECURITY INTEGRATION okta_saml_integration
  SET SAML2_X509_CERT = 'MIIDpDCCAoygAw...new certificate...';

-- Temporarily disable
ALTER SECURITY INTEGRATION okta_saml_integration SET ENABLED = FALSE;

-- Delete
DROP SECURITY INTEGRATION okta_saml_integration;

Choosing an Authentication Method

RequirementRecommended methodReason
Browser-based SSOSAML 2.0Simplest integration with Snowsight
BI tool authentication (e.g. Tableau)Snowflake OAuthPreset OAUTH_CLIENT values let you configure instantly
Connections from custom applicationsExternal OAuthCentralize token management on your existing OAuth platform
Batch processing and CI/CDKey-pair authenticationNon-interactive and no token-expiry management needed

Troubleshooting

  • "User not found" error after SSO: The NameID sent by the IdP (typically an email address) does not match the Snowflake user's LOGIN_NAME or EMAIL. Use DESCRIBE SECURITY INTEGRATION to check the SAML2_SNOWFLAKE_USER_MAPPING_ATTRIBUTE setting.
  • "Invalid SAML response" error: X.509 certificate mismatch is the most common cause. Check whether the IdP has rotated its certificate and update it via ALTER SECURITY INTEGRATION.
  • Roles unavailable with External OAuth: When EXTERNAL_OAUTH_ANY_ROLE_MODE is DISABLE (the default), only roles contained in the token's scope are usable. Set it to ENABLE, or include role names in the scope.

Check Your Understanding

Security & Governance

問題 1

A team has configured SAML SSO to Snowflake using Okta as the IdP. SSO works correctly overall, but some users see a 'User not found' error when logging in to Snowsight. What is the most likely cause?

  1. The NameID value sent in Okta's SAML Assertion does not match the Snowflake LOGIN_NAME
  2. The Security Integration's ENABLED parameter is set to FALSE
  3. The target users have not been granted the ACCOUNTADMIN role
  4. A Network Policy is blocking Okta's IP addresses

正解: A

Because SSO is working, SAML authentication itself is succeeding. The 'User not found' error fires when no Snowflake user matches the NameID value (e.g. an email address) in the SAML Assertion. Verify that Okta's NameID configuration matches each Snowflake user's LOGIN_NAME or EMAIL attribute. If ENABLED were FALSE, SSO would be disabled entirely. Neither ACCOUNTADMIN role assignment nor Network Policy is a cause of this specific error.

Frequently Asked Questions

Can I create multiple SAML2 and OAuth Security Integrations in a single account?

Only one SAML2 Security Integration can be enabled per account for SSO. Use DESCRIBE SECURITY INTEGRATION to inspect the existing SAML integration, and to switch to a new IdP either DROP and recreate it, or override settings with ALTER SECURITY INTEGRATION. OAuth integrations (External OAuth / Snowflake OAuth), on the other hand, can be created multiple times, so you can have a separate integration per client application.

Can users still log in with passwords after configuring SAML SSO?

By default, password authentication remains usable even after SAML SSO is enabled. To disable password login, run ALTER USER SET PASSWORD = '' for the target users, or use an Authentication Policy that allows only AUTHENTICATION_METHODS = ('SAML'). The SnowPro Security exam often tests the fact that enabling SSO alone does not block password login.

What action is required on Snowflake when the IdP certificate is rotated?

When the IdP's SAML signing certificate is rotated, you must replace the certificate on the Snowflake side with ALTER SECURITY INTEGRATION SET SAML2_X509_CERT = '<new certificate>'. If you miss the expiry, SSO authentication fails and every SSO user is locked out. Scheduling the Snowflake-side update before the IdP rotation is the operational key.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.