How we got Single Sign-On to work with Snowflake, SAML2 and Keycloak! The signed certificate version…
If you are still interested: this is an alternative to the method in our previously posted article on the same topic, found here.
We wanted to see if we could enable client-side signed certificates, i.e. have Snowflake sign its SAML requests, so that we could enhance security and set the Keycloak parameter Client Signature Required to ON. Fast forward… and Anna Skorokhodova succeeded with this task as well.
Ok, so how was it done then?
To get the accurate information to put into the Snowflake SAML IdP definition, we must first configure Keycloak.
Step 1; Gather configuration
To gather the Keycloak SAML Identity Provider metadata, open the Keycloak administration console and go to “Configure -> Realm Settings”. On the “General” tab, click the link “Endpoints - SAML 2.0 Identity Provider Metadata”.
A page with an XML metadata document will be presented, similar to ours in the picture below. Copy the entityID, the Certificate and the Single Sign On Service POST link.
Please bear in mind that realm names are case sensitive, so copy the values into the Snowflake configuration exactly as stated in the metadata.
Step 2; Create a Snowflake client
The next step (still in Keycloak) is to create a Snowflake client. Go to “Configure -> Clients”, press the “Create” button and enter the following information:
- Client ID: https://<account>.<region>.snowflakecomputing.com
- Client Protocol: saml
- Client Signature Required: ON
- Force POST Binding: ON
- Name ID Format: username
- Valid Redirect URIs: https://<account>.<region>.snowflakecomputing.com/fed/login/
- Master SAML Processing URL: https://<account>.<region>.snowflakecomputing.com
- Assertion Consumer Service POST Binding URL: https://<account>.<region>.snowflakecomputing.com/fed/login/
- Logout Service Redirect Binding URL: https://<account>.<region>.snowflakecomputing.com/fed/logout/
It is important that the <account> name in all URLs has the same case as in Snowflake, i.e. if you set ACCOUNT in capital letters in the Snowflake configuration, the same must be configured in Keycloak. Notice that a new tab named “SAML Keys” appears; we will have to modify those keys later.
NOTE! Keycloak identifies the Snowflake client ID in lowercase when Client Signature Required is set to ON.
Step 3; Setup Snowflake!
First, log on to Snowflake with a user that has the “accountadmin” role.
To use a signed certificate and the additional properties, we must define a SECURITY INTEGRATION. Set it up according to the following script.
use role accountadmin;
-- replace the issuer, SSO URL and certificate with the values copied from the Keycloak metadata
create security integration snowflakekeycloak
  type = saml2
  enabled = true
  saml2_provider = 'Custom'
  saml2_issuer = 'https://your.keycloak.server/auth/realms/YourRealm'
  saml2_sso_url = 'https://your.keycloak.server/auth/realms/YourRealm/protocol/saml'
  saml2_x509_cert = 'tHiSISaF@keC3rt1fc@t3'
  saml2_sp_initiated_login_page_label = 'OpenId Connect'
  saml2_enable_sp_initiated = false;
The required fields are:
- type = saml2
- enabled = true
- saml2_provider = 'Custom'
- saml2_issuer = the value of the entityID attribute of the <md:EntityDescriptor> tag
- saml2_sso_url = the value of the Location attribute of the POST binding: <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your.keycloak.server/auth/realms/YourRealm/protocol/saml"/>
- saml2_x509_cert = the content of the <ds:X509Certificate></ds:X509Certificate> tag
We also added some optional settings:
- saml2_enable_sp_initiated = false, meaning SP-initiated login is not enabled yet, so this is not the default login…
- saml2_sp_initiated_login_page_label, which is the label of the login button you wish to prompt your users with.
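Copying the issuer, SSO URL and certificate by hand is where case and line-break mistakes creep in, so here is an added Python example (not from the original post) that pulls the three values out of a Keycloak IdP metadata document and renders the CREATE SECURITY INTEGRATION statement above. The metadata is a constructed sample in the shape Keycloak publishes; the host, realm name and certificate bytes are placeholders, and the certificate is only checked to be base64-encoded DER, not validated as a real X.509 certificate.

```python
"""Extract entityID, HTTP-POST SSO URL and signing certificate from Keycloak
SAML IdP metadata and render the Snowflake CREATE SECURITY INTEGRATION.

Added example, not code from the original post. The metadata below is a
constructed sample; host, realm and certificate are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % NS["md"]

# Constructed placeholder certificate: base64 of a DER SEQUENCE header plus
# filler bytes. NOT a real certificate; it only lets the decode check run offline.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()

SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://your.keycloak.server/auth/realms/YourRealm">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
              {PLACEHOLDER_CERT[:20]}
              {PLACEHOLDER_CERT[20:]}
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://your.keycloak.server/auth/realms/YourRealm/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://your.keycloak.server/auth/realms/YourRealm/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity_id, sso_url (POST binding) and x509_cert (one-line base64)."""
    root = ET.fromstring(metadata_xml)
    # Keycloak wraps the descriptor in EntitiesDescriptor; accept a bare
    # EntityDescriptor at the root as well.
    entity = root if root.tag == ENTITY_DESCRIPTOR else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("metadata contains no md:EntityDescriptor")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no md:IDPSSODescriptor")

    # Snowflake must get the POST binding (the client has Force POST Binding ON).
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == HTTP_POST]
    if not post_urls:
        raise ValueError("no SingleSignOnService with HTTP-POST binding")

    # Prefer the KeyDescriptor marked use="signing"; fall back to any KeyDescriptor.
    cert_path = "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find("md:KeyDescriptor[@use='signing']" + cert_path, NS)
    if cert_el is None:
        cert_el = idp.find("md:KeyDescriptor" + cert_path, NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no ds:X509Certificate in metadata")
    cert = "".join(cert_el.text.split())  # drop the line breaks and indentation
    der = base64.b64decode(cert, validate=True)
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("certificate is not base64-encoded DER")

    return {"entity_id": entity.get("entityID"), "sso_url": post_urls[0], "x509_cert": cert}


def render_security_integration(name: str, idp: dict, label: str = "OpenId Connect") -> str:
    """Render the CREATE SECURITY INTEGRATION statement with properly quoted literals."""
    def q(value: str) -> str:  # SQL single-quoted literal, embedded quotes doubled
        return "'" + value.replace("'", "''") + "'"
    return "\n".join([
        f"create security integration {name}",
        "  type = saml2",
        "  enabled = true",
        "  saml2_provider = 'Custom'",
        f"  saml2_issuer = {q(idp['entity_id'])}",
        f"  saml2_sso_url = {q(idp['sso_url'])}",
        f"  saml2_x509_cert = {q(idp['x509_cert'])}",
        f"  saml2_sp_initiated_login_page_label = {q(label)}",
        "  saml2_enable_sp_initiated = false;",
    ])


if __name__ == "__main__":
    print(render_security_integration("snowflakekeycloak", extract_idp_settings(SAMPLE_METADATA)))
```

Feed it the metadata downloaded from the “SAML 2.0 Identity Provider Metadata” link instead of the sample and paste the output into the Snowflake worksheet; the values then carry exactly the case the realm uses, and the certificate arrives as a single line.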
Then execute:
desc security integration snowflakekeycloak;
Look at rows 1 and 7. Notice that both contain the same value. None of the values correspond to the certificate in Keycloak under the “SAML Keys” tab on the “Configure -> Clients” page. Therefore we must align the certificates in Keycloak and Snowflake to get this to work.
Still in Snowflake, execute:
alter security integration snowflakekeycloak refresh saml2_snowflake_private_key;
This generates a new private key for your SECURITY INTEGRATION.
Continue by executing:
alter security integration snowflakekeycloak set saml2_sign_request = true;
This tells Snowflake to sign the SAML requests it sends to Keycloak.
Check the integration again by executing:
desc security integration snowflakekeycloak;
Look at rows 1 and 7 once again; you will notice that they now contain different values. Copy the row 7 value (SAML2_SNOWFLAKE_X509_CERT) and import it as the certificate of our client in Keycloak.
Step 4; Adjusting the certificate in Keycloak
Now back in Keycloak. Go to “Configure -> Clients”, pick our client (snowflake), open the “SAML Keys” tab and press “Import”.
NOTE! You will need to format your copied certificate before importing it, similar to the example below.
-----BEGIN CERTIFICATE-----
THE COPIED CERTIFICATE WITH THE
CORRECT LINEBREAKS ETC
-----END CERTIFICATE-----
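An added Python example (not part of the original post) that performs the reformatting described above: it takes the single-line SAML2_SNOWFLAKE_X509_CERT value copied from the desc output, wraps it into 64-character PEM lines for the Keycloak import, and gives you a SHA-256 fingerprint so you can confirm that the certificate shown under “SAML Keys” afterwards is the same one Snowflake holds. The sample value is a constructed placeholder, not a real certificate; the code only checks that the value is base64-encoded DER.

```python
"""Wrap a copied certificate value into PEM and compare certificates.

Added example, not code from the original post. SAMPLE_DESC_VALUE is a
constructed placeholder standing in for the SAML2_SNOWFLAKE_X509_CERT row.
"""
import base64
import hashlib

# Constructed placeholder: base64 of a DER SEQUENCE header followed by filler
# bytes, long enough to need several PEM lines. NOT a real certificate.
SAMPLE_DESC_VALUE = base64.b64encode(b"\x30\x82\x00\x60" + bytes(range(96))).decode()


def _der_bytes(value: str) -> bytes:
    """Decode a certificate given as bare base64 or as PEM, tolerating stray whitespace."""
    lines = [ln for ln in value.strip().splitlines() if not ln.strip().startswith("-----")]
    b64 = "".join("".join(lines).split())  # remove every line break and space
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("value is not a base64-encoded DER certificate")
    return der


def to_pem_certificate(value: str) -> str:
    """Return the certificate as PEM with the 64-character lines the importer expects."""
    b64 = base64.b64encode(_der_bytes(value)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint_sha256(value: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes, for comparing with Keycloak."""
    digest = hashlib.sha256(_der_bytes(value)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_match(a: str, b: str) -> bool:
    """True when two values (PEM or bare base64, any whitespace) encode the same certificate."""
    return _der_bytes(a) == _der_bytes(b)


if __name__ == "__main__":
    pem = to_pem_certificate(SAMPLE_DESC_VALUE)
    print(pem)
    print("SHA-256:", fingerprint_sha256(pem))
```

Run it with the value pasted into SAMPLE_DESC_VALUE (or read from a file), import the printed PEM in Keycloak, then compare the fingerprint with the one Keycloak shows for the client certificate; certificates_match is the same check applied to the two copied values, which is useful when the desc output and the Keycloak display differ only in line breaks.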
Save, then launch your browser and go to the Snowflake preview logon page:
https://<account>.<region>.snowflakecomputing.com/console/login?fedpreview=true
Press the button “Sign in using OpenId Connect” and, if it works, make it permanent by running a final update statement:
alter security integration snowflakekeycloak set saml2_enable_sp_initiated = true;
I really hope this post will save you a few hours of head banging :)