cagov / data-infrastructure

CalData infrastructure

Home Page:https://cagov.github.io/data-infrastructure

Okta Integration Phase 1: Test Integration using sandbox account

melanie-logan opened this issue · comments

We needed to test Okta integration using a Sandbox account to determine how integration might impact ongoing projects.

  • Create sandbox account
  • Deploy Snowflake Infrastructure
  • Create security integration
  • Create okta integration
  • Test SSO

Notes:

  • SSO will be required for all ODI staff; for other users, local login will still be available.
  • The sandbox/test account is located HERE

Adding sample integration script here:

-- Configure a SAML2 Security Integration in your Snowflake account
-- source: https://community.snowflake.com/s/article/How-To-Setup-SSO-Using-Okta-with-Snowflake-new-URL-format
-- Note: replace underscores (_) with dashes (-) in the Snowflake account URLs
-- (the ACS and issuer URLs below must match the account URL Okta is configured with)

USE ROLE ACCOUNTADMIN;
CREATE SECURITY INTEGRATION OKTAINTEGRATION
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://www.okta.com/[...]'
  SAML2_SSO_URL = 'https://login-preview.[...]/sso/saml'
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = '[...]'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
  SAML2_ENABLE_SP_INITIATED = TRUE
  SAML2_SNOWFLAKE_ACS_URL = 'https://vsb79059-test-account.snowflakecomputing.com/fed/login'
  SAML2_SNOWFLAKE_ISSUER_URL = 'https://vsb79059-test-account.snowflakecomputing.com';

-- Verify the stored parameters (the certificate is not echoed back in full)
DESC SECURITY INTEGRATION OKTAINTEGRATION;

-- Okta SCIM integration with Snowflake
-- source: https://docs.snowflake.com/en/user-guide/scim-okta

use role accountadmin;
-- dedicated role that Okta's SCIM client runs as; it needs only user/role creation
create role if not exists okta_provisioner;
grant create user on account to role okta_provisioner;
grant create role on account to role okta_provisioner;
grant role okta_provisioner to role accountadmin;
create or replace security integration okta_provisioning
    type = scim
    scim_client = 'okta'
    run_as_role = 'OKTA_PROVISIONER';
-- the token is returned once; paste it into the Okta SCIM connector, do not commit it
select system$generate_scim_access_token('OKTA_PROVISIONING');

DESC security integration okta_provisioning;
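For the "Test SSO" step and the note that SSO is required for ODI staff only, here is an added verification and enforcement script; it is not part of the issue's sample script, and the policy name, schema (admin_db.policies) and user name (jdoe) are placeholders.

```sql
-- Added example: check the integrations after the Okta setup above, see which
-- authentication factor recent logins used, then require SSO for one ODI user
-- while leaving local password login available to everyone else.
-- Placeholders: admin_db.policies (any schema you keep policies in), jdoe.
USE ROLE ACCOUNTADMIN;

-- 1. Both integrations should appear with enabled = true.
SHOW SECURITY INTEGRATIONS;

-- 2. Which factor did logins use over the last week? ODI accounts still
--    authenticating with a password have not actually moved to SSO.
--    (account_usage views lag live activity by up to a couple of hours.)
SELECT user_name,
       first_authentication_factor,
       COUNT_IF(is_success = 'YES') AS successful_logins,
       COUNT_IF(is_success = 'NO')  AS failed_logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY 1, 2
ORDER BY 1, 2;

-- 3. Enforce SSO per user rather than account-wide: an authentication policy
--    that only permits SAML through OKTAINTEGRATION, attached to ODI staff.
--    Users without the policy keep the account default (local login allowed).
CREATE AUTHENTICATION POLICY IF NOT EXISTS admin_db.policies.sso_only_policy
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('OKTAINTEGRATION');
ALTER USER jdoe SET AUTHENTICATION POLICY admin_db.policies.sso_only_policy;

-- 4. Confirm the policy is attached before telling the user to log in via Okta.
DESC USER jdoe;
```

Attach the policy to one test user first and confirm an Okta login succeeds and a password login is refused before rolling it out to the rest of ODI staff.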