Configure Snowsight Cloud

Last modified on October 25, 2022

This guide explains how to connect Snowsight, Snowflake’s administrative user interface, as a cloud resource to StrongDM. Note that the configuration allows single sign-on (SSO).

Limitations

For the configuration to work, you must be able to connect to your Snowflake interface via SnowSQL. An admin or web interface will not work.

Prerequisites

  • Before enabling this resource, ensure that each Snowflake user's Login Name (not the Username or Email field) matches that user's StrongDM email. The email address is the identifier StrongDM sends to Snowflake to log the user in. The following process disables identity provider (IdP) logins via any other method. Password logins still work.

  • We recommend that you reach out to Snowflake support and request that users are not allowed to change their own passwords. Otherwise, once a user logs in to Snowflake via StrongDM, they may change their password and retain access to Snowflake even after their access is revoked in StrongDM.

Get StrongDM’s IdP Metadata

StrongDM’s IdP metadata is required for creating an integration account with Snowsight.

  1. Go to app.strongdm.com/saml/idp_metadata. This is a public URL that returns an XML blob. Within this output, note the value of the X509Certificate. The value is present twice, and both instances should be identical.
  2. Copy the certificate value and proceed to the next step.

Add the StrongDM IdP Certificate

The StrongDM IdP metadata certificate is necessary for defining the SAML identity provider.

In SnowSQL, execute the following command.

alter account set saml_identity_provider = '{"certificate": "<StrongDM's IdP x509Certificate>", "ssoUrl": "https://app.strongdm.com/saml/idp_sso", "type":"Custom", "label":"StrongDM" }';
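The two steps above (pull the certificate out of the IdP metadata, then paste it into the ALTER ACCOUNT statement) are the place where a copy-and-paste slip is easiest to make. The following added example, which is not part of the StrongDM or Snowflake documentation, parses a constructed stand-in for the metadata blob, refuses to proceed unless both X509Certificate copies agree, and renders the statement with a JSON serializer. The metadata layout (standard SAML 2.0 IdP metadata with ds:X509Certificate elements) and the placeholder certificate body are assumptions.

```python
import json
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
STRONGDM_SSO_URL = "https://app.strongdm.com/saml/idp_sso"

# Constructed stand-in for the blob app.strongdm.com/saml/idp_metadata returns:
# standard SAML 2.0 IdP metadata shape (assumed), with a placeholder certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.strongdm.com/saml/idp_metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIC...PLACEHOLDER...CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIC...PLACEHOLDER...CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://app.strongdm.com/saml/idp_sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_certificate(metadata_xml: str) -> str:
    """Return the X509Certificate value from the IdP metadata; the page says
    it appears twice and both copies should match, so differing values are
    rejected instead of silently picking one."""
    root = ET.fromstring(metadata_xml)
    certs = {
        "".join(el.text.split())  # drop the base64 line wrapping
        for el in root.iter(f"{{{DS_NS}}}X509Certificate")
        if el.text
    }
    if not certs:
        raise ValueError("no X509Certificate element found in metadata")
    if len(certs) > 1:
        raise ValueError("metadata carries differing X509Certificate values")
    return certs.pop()


def saml_identity_provider_statement(cert: str) -> str:
    """Render the page's ALTER ACCOUNT statement with the certificate filled
    in, letting json.dumps produce the quoted JSON instead of hand-editing."""
    idp = {"certificate": cert, "ssoUrl": STRONGDM_SSO_URL,
           "type": "Custom", "label": "StrongDM"}
    return f"alter account set saml_identity_provider = '{json.dumps(idp)}';"
```

Run the output statement in SnowSQL as the account administrator; a ValueError means the blob you fetched is not the one this guide expects.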

Create a StrongDM Integration Account

This integration account sets StrongDM information, including the IdP certificate.

  1. Note your Snowflake account name. This is most easily referenced by the web interface login URL. Navigate to app.snowflake.com and then pick your login account. A URL similar to this displays, where abc12345 is the account name:

    https://abc12345.snowflakecomputing.com/oauth/authorize?...
    
  2. In SnowSQL, execute the following command.

    create security integration strongdm_idp
      type = saml2
      enabled = true
      saml2_issuer = 'https://app.strongdm.com/saml/idp_metadata'
      saml2_sso_url = '<any string in URL format>'
      saml2_provider = 'Custom'
      saml2_x509_cert = '<StrongDM's IdP x509Certificate>'
      saml2_sp_initiated_login_page_label = '<any string>'
      saml2_enable_sp_initiated = true
      saml2_force_authn = false
      saml2_requested_nameid_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
      saml2_snowflake_issuer_url = 'https://<account_name>.snowflakecomputing.com'
      saml2_snowflake_acs_url = 'https://<account_name>.snowflakecomputing.com/fed/login';
    

Turn on SSO

After defining the SAML SSO URL in the integration account, you must turn SSO on.

Execute the following command to turn on SSO to Snowsight.

USE ROLE ACCOUNTADMIN;

ALTER ACCOUNT SET SSO_LOGIN_PAGE = TRUE;

Get the Snowsight Metadata XML Blob

The Snowsight metadata XML blob allows connection to StrongDM.

  1. In SnowSQL, run desc security integration strongdm_idp;
  2. Copy the SAML2_SNOWFLAKE_METADATA value from the output; you will paste it into the resource configured in the following step.

Configure the Snowsight Cloud Resource

When you configure this cloud resource in the Admin UI, you will use the Snowsight metadata XML blob to allow connection between Snowsight and StrongDM.

  1. Log into the Admin UI.
  2. Go to Infrastructure > Clouds.
  3. Click the Add cloud button.
  4. Select Snowsight (Snowflake Web Console) as the Cloud Type and set the other resource properties.

Resource properties

Configuration properties are visible when you add a cloud resource or when you click to view its settings. The following table describes the settings available for Snowsight (Snowflake Web Console).

| Property | Requirement | Description |
| --- | --- | --- |
| Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
| Datasource Type | Required | Select Snowsight (Snowflake Web Console) |
| Secret Store | Optional | Credential store location, with the default set to StrongDM (see Secret store options below) |
| SAML Metadata | Required | Metadata XML blob from your Snowflake IdP integration |
| Healthcheck Username | Required | StrongDM user email to use for healthchecks; this email must match your Snowflake Login Name (that is, not Username or Email) |
| Subdomain | Required | Value to use for your local DNS address (for example, app-prod1 turns into http://app-prod1.<your-org-name>.sdm.network/; this subdomain should be unique and not used by any other resource) |
| Resource Tags | Optional | Datasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |

Secret store options

By default, resource credentials are stored in StrongDM. However, these credentials can also be saved in AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

If any errors occur, please contact support@strongdm.com.
