This guide provides a comprehensive walkthrough of integrating Cloudflare SAML with Snowflake, enhancing security and simplifying user access. The process involves configuring both Cloudflare and Snowflake, and this document is divided into two sections to cover each aspect.
Part 1: Cloudflare Configuration
- Access Zero Trust: Begin by logging into the Cloudflare Zero Trust dashboard.
- Navigate to Applications: Go to Access → Applications.
- Add Application: Click Add Application and choose "SAAS" as the application type.
- Name Application: Enter "Snowflake" as the application name.
- Placeholder for Snowflake URLs: Leave the "Entity ID" and "Assertion Consumer Service URL" fields blank for now. We will populate these later with information from Snowflake.
Part 2: Snowflake Configuration
All Snowflake configurations are performed within Worksheets, not the GUI.
1. Check Existing Integrations and Policies
Use the following commands to check for existing SAML integrations and authentication policies:
SHOW INTEGRATIONS;
SHOW AUTHENTICATION POLICIES;
Review the output. If any authentication policies are already configured, understand their impact before proceeding, as the following steps might override them.
2. Gather Cloudflare Information
You'll need the following information from your Cloudflare Snowflake application configuration:
- SAML2_ISSUER (Access Entity ID or Issuer): Found in the Cloudflare Snowflake application settings.
- SAML2_SSO_URL (SSO Endpoint): Also found in the Cloudflare Snowflake application settings.
- SAML2_X509_CERT:
- Copy the "SAML Metadata endpoint" URL from your Cloudflare Snowflake application settings.
- Paste this URL into your browser.
- Copy the value within the <X509Certificate> tags.
3. Create Security Integration
Use the following SQL command in a Snowflake Worksheet, replacing the placeholder values with the information gathered in the previous step:
CREATE SECURITY INTEGRATION cloudflare
TYPE = saml2
ENABLED = true
SAML2_ISSUER = ''
SAML2_SSO_URL = ''
SAML2_PROVIDER = 'Custom'
SAML2_X509_CERT = ''
SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'cloudflare'
SAML2_ENABLE_SP_INITIATED = true;
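As an added example that is not part of this guide (and not Cloudflare's or Snowflake's own tooling), the Python script below automates steps 2 and 3: it parses a SAML IdP metadata document, pulls out the entityID (SAML2_ISSUER), the SingleSignOnService location (SAML2_SSO_URL) and the signing certificate (SAML2_X509_CERT), normalizes the certificate to the single-line base64 body without PEM markers that Snowflake's SAML2_X509_CERT parameter expects, checks that it actually decodes as DER, and emits the CREATE SECURITY INTEGRATION statement with properly quoted literals. The embedded metadata, its URLs and the certificate bytes are constructed placeholders; preferring the HTTP-Redirect binding over HTTP-POST when both are advertised is an assumption.

```python
import base64
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IdP certificate: a few DER-looking bytes
# (SEQUENCE tag first), not a real certificate.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(16)
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed sample of what a "SAML Metadata endpoint" returns. The issuer,
# SSO URL and certificate are placeholders, not values from a real tenant.
# The certificate is deliberately wrapped and indented, as real metadata is.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.cloudflareaccess.com/saml/placeholder-issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
            {FAKE_CERT_B64[:12]}
            {FAKE_CERT_B64[12:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://example.cloudflareaccess.com/cdn-cgi/access/sso/saml/placeholder"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://example.cloudflareaccess.com/cdn-cgi/access/sso/saml/placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert(text: str) -> str:
    """Return the base64 DER body on one line, without PEM markers, or raise."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)  # rejects non-base64 junk
    if not der or der[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    return body


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not issuer or idp is None:
        raise ValueError("metadata lacks entityID or IDPSSODescriptor")

    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = normalize_cert(node.text)
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")

    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(REDIRECT_BINDING) or locations.get(POST_BINDING)
    if not sso_url:
        raise ValueError("no usable SingleSignOnService binding")
    return {"issuer": issuer, "sso_url": sso_url, "x509_cert": cert_b64}


def sql_literal(value: str) -> str:
    """Quote a Snowflake string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_security_integration(name: str, idp: dict, label: str = "cloudflare") -> str:
    """Render the CREATE SECURITY INTEGRATION statement from parsed metadata."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("integration name must be a plain identifier")
    return "\n".join([
        f"CREATE SECURITY INTEGRATION {name}",
        "  TYPE = saml2",
        "  ENABLED = true",
        f"  SAML2_ISSUER = {sql_literal(idp['issuer'])}",
        f"  SAML2_SSO_URL = {sql_literal(idp['sso_url'])}",
        "  SAML2_PROVIDER = 'Custom'",
        f"  SAML2_X509_CERT = {sql_literal(idp['x509_cert'])}",
        f"  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = {sql_literal(label)}",
        "  SAML2_ENABLE_SP_INITIATED = true;",
    ])


if __name__ == "__main__":
    # With no argument, use the constructed sample; otherwise fetch the given
    # metadata URL (the Cloudflare "SAML Metadata endpoint").
    xml_text = SAMPLE_METADATA
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as resp:
            xml_text = resp.read().decode()
    print(build_security_integration("cloudflare", parse_idp_metadata(xml_text)))
```

Run it without arguments to see the statement built from the sample, or pass the metadata URL as the first argument. The certificate check is the part worth keeping: it catches the common mistakes of pasting the PEM header lines or wrapped text into SAML2_X509_CERT, which Snowflake rejects only at login time.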
4. Verify Integration
After running the command, verify the integration by executing:
SHOW INTEGRATIONS;
Confirm that the "cloudflare" integration is listed with the type "SAML2".
5. Retrieve Snowflake URLs for Cloudflare
Now, gather the necessary URLs from Snowflake to complete the Cloudflare configuration. Execute the following command in a Snowflake Worksheet:
DESC INTEGRATION cloudflare;
- SAML2_SNOWFLAKE_ACS_URL: Copy the value from the "Property_value" column for this property. This is the "Assertion Consumer Service URL" for your Cloudflare Snowflake application.
- SAML2_SNOWFLAKE_ISSUER_URL: Copy the value from the "Property_value" column for this property. This is the "Entity ID" for your Cloudflare Snowflake application.
6. Complete Cloudflare Configuration
Return to your Cloudflare Snowflake application settings and paste the "SAML2_SNOWFLAKE_ACS_URL" into the "Assertion Consumer Service URL" field and the "SAML2_SNOWFLAKE_ISSUER_URL" into the "Entity ID" field. Ensure the "Name ID Format" is set to "Email" and save the application.
7. Create Authentication Policy
Define an authentication policy to control user access. Replace cloudflareSAML with your desired policy name and cloudflare with the name of your security integration:
CREATE AUTHENTICATION POLICY cloudflareSAML
AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
CLIENT_TYPES = ('SNOWFLAKE_UI')
SECURITY_INTEGRATIONS = ('cloudflare');
8. Enable Authentication Policy
Apply the policy to your Snowflake account:
ALTER ACCOUNT SET AUTHENTICATION POLICY cloudflareSAML;
Replace cloudflareSAML with the name of your authentication policy.
9. Login
Users should now be able to log in to Snowflake using Cloudflare as their SAML identity provider.
By following these steps, you can successfully integrate Cloudflare SAML with Snowflake, providing a secure and streamlined authentication experience.