Snowflake SAML Single Sign-On (SSO) integration

You can integrate the Snowflake application with CyberArk Identity to enable use of SSO.

Snowflake SSO supported features

This application template supports the following features:

  • IdP-initiated SAML SSO (for SSO access through CyberArk Identity User Portal)

  • SP-initiated SAML SSO (for SSO access through the Snowflake web application)

You can choose one or both. methods.

Before you begin

Before configuring the integration, you need the following information from your Snowflake application.



Snowflake domain SSO URL


For example:

Your company subdomain


For example:

SP Entity ID


For example:

Assertion Consumer Service (ACS) URL


For example:

Confirm the following:

  • You have an active Snowflake account with administrator rights for your organization.

  • Snowflake users who will access CyberArk Identity User Portal through SSO have already been added to CyberArk.

Configure the Snowflake app template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Snowflake app template for SSO.

Step 1: Add the Snowflake web app template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

    Add a web app screen

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Trust page.

  1. Go to the Trust page.

  2. Select Metadata and click Download Metadata File.

    You will need this file later when you configure Snowflake.

  3. In the Service Provider Configuration section, select Manual Configuration.

  4. Enter the SP Entity ID and Assertion Consumer Service (ACS) URL (from the Snowflake application), then click Save.

Step 3: Configure the SAML Response page.

  1. Map the following attributes with the Snowflake attribute name in the Attribute Name column and the CyberArk attribute in the Attribute Value column.

    Attributes are case-sensitive.

    Attribute Name Attribute Value
    login_name LoginUser.Email
  2. Map any other attributes that you want to pass in the SAML response, then click Save.

Step 4: Configure Snowflake for single sign-on

  1. Sign in to the Snowflake application as the administrator. Click New Worksheet.

  2. Run the following query command:


    The application displays SAML SP information.

  3. Go to the Trust page in CyberArk Identity User Portal and copy the IdP Entity ID/Issuer and Single Sign-On URL values from the Identity Provider section.

  4. Paste the IdP metadata values into their corresponding fields in the Snowflake query. The following table shows which values map to fields in the query.

    Target field in Snowflake

    Required value





    SAM2_Issuer IdP Entity ID/Issuer (copied from IdP metadata)
    SAM2_SSO_URL Single Sign-On URL (copied from IdP metadata)




    Open the IdP metadata file that you downloaded and copy the signing certificate information.





  5. Edit the integration to add the Snowflake ACS URL and Snowflake SAM2 Issuer URL.

    use role accountadmin;
    alter security integration my_integration set saml2_snowflake_acs_url = 'https://<organization name>-<account name>';
    alter security integration my_integration set saml2_snowflake_issuer_url = 'https://<organization name>-<account name>'';
  1. Enter a query to create a new user in Snowflake. This user must also exist in CyberArk Identity.

    For example:

    use role accountadmin;
       alter user APPSACCOUNTS set login_name=
  2. To confirm that the information you entered is valid, select one or more lines in the query and click Run.

Step 5: Configure the Permissions page to grant Snowflake users SSO access.

Grant SSO access to Snowflake by assigning permissions to users, groups, or roles. The user you select must already exist in Snowflake.

  1. In CyberArk, go to the Permissions page and click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want, then click Save.

Step 6: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Test the Snowflake SSO configuration

You can test both IdP and SP-initiated SSO for a user. The user's account must already exist in Snowflake.

To test IdP-initiated SSO:
  1. Sign in to the CyberArk User Portal with the user's account credentials.

  2. Click the Snowflake application tile to launch Snowflake in a new tab and automatically sign in.

The Snowflake application page displays after successful SSO.

To test SP-initiated SSO:
  1. Go to your organization's Snowflake SSO URL. For example:

  2. Sign in as your test user.

Additional information

See your Snowflake documentation for additional resources.