Snowflake SAML Single Sign-On (SSO) integration

You can integrate the Snowflake application with CyberArk Identity to enable use of SSO.

Snowflake SSO supported features

This application template supports the following features:

  • IdP-initiated SAML SSO (for SSO access through CyberArk Identity User Portal)

  • SP-initiated SAML SSO (for SSO access through the Snowflake web application)

You can enable one or both methods.

Before you begin

Before configuring the integration, you need the following information from your Snowflake application.

Name                                  Format
Snowflake domain SSO URL              https://<organization-account>.snowflakecomputing.com
                                      For example: https://example.snowflakecomputing.com
Your company subdomain                <organization-account>
                                      For example: example (the host label in https://example.snowflakecomputing.com)
SP Entity ID                          https://<organization-account>.snowflakecomputing.com
                                      For example: https://example.snowflakecomputing.com
Assertion Consumer Service (ACS) URL  https://<organization-account>.snowflakecomputing.com/fed/login
                                      For example: https://example.snowflakecomputing.com/fed/login

The SP Entity ID is your Snowflake account URL, and the ACS URL is that URL with /fed/login appended. The values you enter in CyberArk Identity must match the ones you later set on the Snowflake security integration exactly (same scheme, host, and path), or SAML responses are rejected.

Confirm the following:

  • You have an active Snowflake account with administrator rights for your organization.

  • Snowflake users who will sign in to Snowflake through the CyberArk Identity User Portal have already been added to CyberArk Identity.

Configure the Snowflake app template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Snowflake app template for SSO.

Step 1: Add the Snowflake web app template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.


  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Trust page

  1. Go to the Trust page.

  2. Select Metadata and click Download Metadata File.

    You will need this file later when you configure Snowflake.

  3. In the Service Provider Configuration section, select Manual Configuration.

  4. Enter the SP Entity ID and Assertion Consumer Service (ACS) URL for your Snowflake account (see the table in Before you begin), then click Save. Copy them exactly; these are the values Snowflake checks the SAML response against.

Step 3: Configure the SAML Response page

  1. Map the following attribute, with the Snowflake attribute name in the Attribute Name column and the CyberArk Identity attribute in the Attribute Value column.

    Attribute names are case-sensitive.

    Attribute Name    Attribute Value
    login_name        LoginUser.Email

    Snowflake matches this value against the LOGIN_NAME of the Snowflake user, so the email address CyberArk Identity sends must equal the LOGIN_NAME you set in Step 4.

  2. Map any other attributes that you want to pass in the SAML response, then click Save.

Step 4: Configure Snowflake for single sign-on

  1. Sign in to Snowflake as an administrator (ACCOUNTADMIN) and click New Worksheet.

  2. In the Identity Administration portal, open the Snowflake app and go to the Trust page. From the Identity Provider section, copy the IdP Entity ID/Issuer and Single Sign-On URL values. Open the IdP metadata file you downloaded in Step 2 and copy the signing certificate: the base64 text of the X509Certificate element, as a single line with no BEGIN/END CERTIFICATE lines.

  3. Run the following command in the worksheet, replacing the placeholders with the values you copied. The table shows which value goes in each parameter.

    use role accountadmin;
    create security integration CYBERARKINTEGRATION
      type = saml2
      enabled = true
      saml2_issuer = '<IdP Entity ID/Issuer>'
      saml2_sso_url = '<Single Sign-On URL>'
      saml2_provider = 'CUSTOM'
      saml2_x509_cert = '<signing certificate from the IdP metadata>'
      saml2_sp_initiated_login_page_label = '<label for the SSO button on the Snowflake login page>'
      saml2_enable_sp_initiated = true;

    Parameter                              Value
    TYPE                                   SAML2
    ENABLED                                TRUE
    SAML2_ISSUER                           IdP Entity ID/Issuer (copied from the Trust page or the IdP metadata)
    SAML2_SSO_URL                          Single Sign-On URL (copied from the Trust page or the IdP metadata)
    SAML2_PROVIDER                         CUSTOM (Snowflake accepts OKTA, ADFS, or CUSTOM; use CUSTOM for CyberArk Identity)
    SAML2_X509_CERT                        Signing certificate from the downloaded IdP metadata file
    SAML2_SP_INITIATED_LOGIN_PAGE_LABEL    Text shown on the SSO button of the Snowflake login page, for example your company name
    SAML2_ENABLE_SP_INITIATED              TRUE

    Snowflake uses SAML2_X509_CERT to verify the signature on every SAML response from CyberArk Identity. Copy the signing certificate, not an encryption certificate, and update this parameter whenever the CyberArk Identity signing certificate is rotated, or sign-in stops working.

    After the command runs, Snowflake displays the SAML SP information for the integration.

  4. Set the Snowflake ACS URL and issuer URL on the integration. These must match the ACS URL and SP Entity ID you entered on the CyberArk Trust page in Step 2; the issuer URL is the account URL without /fed/login.

    use role accountadmin;
    alter security integration CYBERARKINTEGRATION set saml2_snowflake_acs_url = 'https://<organization-account>.snowflakecomputing.com/fed/login';
    alter security integration CYBERARKINTEGRATION set saml2_snowflake_issuer_url = 'https://<organization-account>.snowflakecomputing.com';

  5. Create or update the Snowflake user that will sign in through SSO. The user must also exist in CyberArk Identity, and its LOGIN_NAME must equal the value CyberArk Identity sends in the login_name attribute (the user's email address, per Step 3). For example, to point an existing user at its CyberArk identity:

    use role accountadmin;
    alter user APPSACCOUNTS set login_name = 'appsaccounts@cyberark.com';

  6. To confirm that the statements you entered are valid, select one or more lines in the worksheet and click Run.
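The most error-prone part of Step 4 is copying the certificate and endpoints out of the IdP metadata by hand (wrong certificate, stray line breaks, PEM header left in). The following script is an added example, not part of the CyberArk or Snowflake documentation: it parses the IdP metadata file downloaded in Step 2, picks the signing certificate (not the encryption one), normalises it to the single base64 line Snowflake expects, checks that it is a DER certificate, and renders the CREATE SECURITY INTEGRATION statement. It also derives the SP entity ID and ACS URL from the account host as in the Before you begin table. The metadata, the tenant host example.id.cyberark.cloud, the integration name and the button label are constructed placeholders.

```python
# Added example (not from the CyberArk or Snowflake documentation): extract the
# Step 4 values from the IdP metadata downloaded in Step 2 and render the CREATE
# SECURITY INTEGRATION statement. Metadata, hosts and names below are constructed.
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata: realistic shape, fake (tiny DER) certificates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.id.cyberark.cloud/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        -----BEGIN CERTIFICATE-----
        MAMC
        AQA=
        -----END CERTIFICATE-----
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.id.cyberark.cloud/applogin/abc123/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.id.cyberark.cloud/applogin/abc123/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_cert(text: str) -> str:
    """Strip PEM armour and whitespace; require base64 of a DER SEQUENCE (tag 0x30)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate is not a DER certificate")
    return body


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, the HTTP-POST sso_url and the signing x509_cert from IdP metadata."""
    root = ET.fromstring(xml_text)  # own tenant's file; use defusedxml for untrusted input
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    sso = [s.attrib["Location"] for s in idp.findall("md:SingleSignOnService", NS)
           if s.attrib.get("Binding") == HTTP_POST]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # Snowflake verifies response signatures with SAML2_X509_CERT, so take the
    # signing key (a KeyDescriptor without 'use' serves both), never the encryption key.
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if kd.attrib.get("use", "signing") == "signing" and node is not None and node.text:
            cert = normalize_cert(node.text)
            break
    else:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.attrib["entityID"], "sso_url": sso[0], "x509_cert": cert}


def snowflake_sp_urls(account_host: str) -> dict:
    """SP entity ID / issuer URL and ACS URL for an account host (Before you begin table)."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com", account_host):
        raise ValueError("expected <organization-account>.snowflakecomputing.com")
    return {"issuer_url": f"https://{account_host}",
            "acs_url": f"https://{account_host}/fed/login"}


def render_create_integration(idp: dict, name: str, label: str) -> str:
    """Render the Step 4 CREATE statement; single quotes inside values are doubled."""
    def q(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"
    return "\n".join([
        f"CREATE SECURITY INTEGRATION {name}",
        "  TYPE = SAML2",
        "  ENABLED = TRUE",
        f"  SAML2_ISSUER = {q(idp['entity_id'])}",
        f"  SAML2_SSO_URL = {q(idp['sso_url'])}",
        "  SAML2_PROVIDER = 'CUSTOM'",
        f"  SAML2_X509_CERT = {q(idp['x509_cert'])}",
        f"  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = {q(label)}",
        "  SAML2_ENABLE_SP_INITIATED = TRUE;",
    ])


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print(render_create_integration(values, "CYBERARKINTEGRATION", "CyberArk Identity"))
    print(snowflake_sp_urls("example.snowflakecomputing.com"))
```

Point `parse_idp_metadata` at the real metadata file (read it with `open(...).read()`) and paste the rendered statement into the Snowflake worksheet. When CyberArk Identity rotates its signing certificate, re-run the script against the new metadata and apply the new SAML2_X509_CERT value with ALTER SECURITY INTEGRATION.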

Step 5: Configure the Permissions page to grant Snowflake users SSO access

Grant SSO access to Snowflake by assigning permissions to users, groups, or roles. The user you select must already exist in Snowflake.

  1. In CyberArk, go to the Permissions page and click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want, then click Save.

Step 6: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Test the Snowflake SSO configuration

You can test both IdP and SP-initiated SSO for a user. The user's account must already exist in Snowflake.

To test IdP-initiated SSO:
  1. Sign in to the CyberArk User Portal with the user's account credentials.

  2. Click the Snowflake application tile to launch Snowflake in a new tab and automatically sign in.

The Snowflake application page displays after successful SSO.

To test SP-initiated SSO:
  1. Go to your organization's Snowflake URL. For example: https://example.snowflakecomputing.com.

  2. On the Snowflake login page, click the single sign-on button (it carries the label you set in SAML2_SP_INITIATED_LOGIN_PAGE_LABEL), then sign in to CyberArk Identity as your test user. You are redirected back to Snowflake and signed in.

Additional information

See your Snowflake documentation for additional resources.