AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Snowflake
Introduction
This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Snowflake using SAML.
Topics
Prerequisites
You’ll need the following to set up SSO access to Snowflake:
-
Access to the IAM Identity Center console with permissions to manage applications.
-
A Snowflake account with permissions to configure SAML SSO.
Setup instructions
- On the Configure page in the IAM Identity Center Console, in the Details section, fill in the Display name, and the Description(optional) of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one of the same application.
-
Login to your Snowflake account (example: https://ACCOUNTNAME.snowflakecomputing.com) as an administrator (with the ACCOUNTADMIN or SECURITYADMIN role).
-
Click on Worksheet.
-
Paste the following query in the worksheet window, but do not run the query.
alter account set saml_identity_provider = '{ "certificate": "CERTIFICATE", "ssoUrl": "SSOURL", "type": "Custom" }'; alter account set sso_login_page = true;
- Download IAM Identity Center certificate and copy its content and paste into the certificate attribute by replacing CERTIFICATE.
- Insert the URL below into ssoURL by replacing SSOURL.
-
Next, click on Run.
-
Go back to the IAM Identity Center console page where you are configuring the Application.
-
Under Application metadata, choose If you don't have a metadata file, you can manually type your metadata values. to display the application metadata settings.
-
Insert these values:
Field | Value |
---|---|
Application ACS URL | https://ACCOUNTNAME.snowflakecomputing.com/fed/login |
Application SAML audience | https://ACCOUNTNAME.snowflakecomputing.com |
-
Choose Save Changes.
-
Next, click on the Attribute mappings tab.
-
For the attribute Account, replace ACCOUNTNAME with your Account name.
-
Choose Save Changes.
-
Assign a user to the application in IAM Identity Center.
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Note
Users will not be able to login using SSO unless the user exists in both your directory and Custom SAML 2.0, and the user is assigned to the application.
Verifying SSO from IAM Identity Center
-
Access the AWS access portal using the credentials of a user assigned to the Snowflake application.
-
In the list of applications, choose Snowflake to initiate a login to Snowflake.
-
If login was successful you will be signed-in to the Snowflake application.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Verifying Service Provider Initiated SSO from Snowflake
-
Access Snowflake using the following URL: https://ACCOUNTNAME.snowflakecomputing.com.
-
Click on Single Sign On.
-
Type the credentials of a user assigned to the application in the IAM Identity Center console and a user which exists in Snowflake.
-
Choose Sign In.
-
On the Snowflake home page, verify that both Snowflake and IAM Identity Center are logged in with the same user.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Troubleshooting
Error | Issue | Solution |
---|---|---|
Other | When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to contain the users email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings. |
For general troubleshooting problems, please refer to Troubleshooting Guide.
User Provisioning Types
There are two user provisioning you need to aware of:
-
Preprovisioned users
Preprovisioned users, means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
-
JIT users
JIT (or Just-In-Time) users, means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable JIT option in your SaaS application for the AD domain.