Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Bug]: Default saml2 urls fail to redirect because they are malformed with underscores in snowflake_saml_integration #2855

Closed kcd83 closed 4 weeks ago

kcd83 commented 4 months ago

Terraform CLI Version

1.7.0

Terraform Provider Version

0.90

Terraform Configuration

# The defaults for saml2_snowflake_acs_url and saml2_snowflake_issuer_url are no good
# workaround is:

locals {
  # Okta IdP settings (issuer, SSO URL, signing certificate) are read from a
  # Secrets Manager secret keyed by Snowflake account name
  okta_config                = jsondecode(data.aws_secretsmanager_secret_version.snowflake_saml_integration.secret_string)["myaccount"]
  # workaround: the account URL returned by the data source contains an
  # underscore (myorg_myaccount), which breaks the SP-initiated redirect;
  # replace it with a hyphen and lowercase the whole URL
  snowflake_url_standardised = lower(replace(data.snowflake_current_account.current.url, "_", "-"))
}
resource "snowflake_saml_integration" "okta" {
  name = "OKTA"

  saml2_provider = "OKTA"
  saml2_issuer   = local.okta_config["saml2_issuer"]
  saml2_sso_url  = local.okta_config["saml2_sso_url"]

  saml2_x509_cert = local.okta_config["saml2_x509_cert"]

  saml2_enable_sp_initiated           = true
  saml2_sp_initiated_login_page_label = "Okta SSO"

  # set the SP URLs explicitly from the normalised account URL instead of
  # relying on the provider defaults
  saml2_snowflake_acs_url    = "${local.snowflake_url_standardised}/fed/login"
  saml2_snowflake_issuer_url = local.snowflake_url_standardised

  enabled = true

  provider = snowflake.accountadmin
}

Category

category:resource

Object type(s)

No response

Expected Behavior

SSO sign-in works and redirects as expected regardless of where the login flow starts. For this we need no _ in the URLs, as follows:

SAML2_SNOWFLAKE_ACS_URL  = https://myorg-myaccount.snowflakecomputing.com/fed/login  

SAML2_SNOWFLAKE_ISSUER_URL  = https://myorg-myaccount.snowflakecomputing.com/

Actual Behavior

Refreshing from Snowsight or DBT Cloud fails. The redirect stops, throwing a JavaScript error visible in the developer console. (Note: starting from Okta always works.)

The root cause of this is _ in the URL, as follows:

SAML2_SNOWFLAKE_ACS_URL  = https://myorg_myaccount.snowflakecomputing.com/fed/login 

SAML2_SNOWFLAKE_ISSUER_URL  = https://myorg_myaccount.snowflakecomputing.com/

Steps to Reproduce

  1. Use snowflake_saml_integration
  2. Do not set saml2_snowflake_acs_url or saml2_snowflake_issuer_url (rely on defaults)
  3. Open Snowsight directly
  4. Initiate the re-auth SSO flow
  5. The redirect does not return to Snowflake; you get a blank screen and a JavaScript error

This is more severe for DBT Cloud, which fails to establish an SSO connection for a user.

How much impact is this issue causing?

Low

Logs

No response

Additional Information

Snowflake support suggested the root cause is that SNOWFLAKEDEPLOYMENT URL from the system$allowlist() output has ``

Would you like to implement a fix?
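As an added example that is not part of the issue or of the provider's code base, the Go program below implements the issue's HCL workaround (replace `_` with `-`, lowercase) as a function, derives the ACS and issuer URLs shown under Expected Behavior, and audits an already-configured pair of URLs for the underscore form. It treats an underscore in the host as a defect because underscores are not permitted in DNS hostname labels (RFC 1123); the account URL, the `/fed/login` path and the parameter names are the constructed values from the issue, and `CheckSAMLURLs` is a hypothetical helper, not a provider API.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// hostLabel is the RFC 1123 hostname label grammar: ASCII letters, digits and
// hyphens, no leading or trailing hyphen, at most 63 characters. An underscore
// never matches, which is what makes "myorg_myaccount.snowflakecomputing.com"
// an invalid host.
var hostLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ValidHost reports whether every dot-separated label of host is a valid
// RFC 1123 label (compared case-insensitively).
func ValidHost(host string) bool {
	if host == "" {
		return false
	}
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		if !hostLabel.MatchString(label) {
			return false
		}
	}
	return true
}

// NormalizeAccountURL applies the same fix as the HCL workaround in the issue,
// lower(replace(url, "_", "-")), restricted to the host part, and strips any
// trailing slash so the result can be joined with a path. It fails if the
// resulting host is still not a valid hostname.
func NormalizeAccountURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("account URL %q must be an absolute https URL", raw)
	}
	u.Host = strings.ToLower(strings.ReplaceAll(u.Host, "_", "-"))
	u.Path = strings.TrimRight(u.Path, "/")
	if !ValidHost(u.Hostname()) {
		return "", fmt.Errorf("host %q is not a valid hostname", u.Host)
	}
	return u.String(), nil
}

// SAMLURLs derives the SP URLs the issue's "Expected Behavior" shows:
// <account>/fed/login for the ACS URL and <account>/ for the issuer URL.
func SAMLURLs(accountURL string) (acs, issuer string, err error) {
	base, err := NormalizeAccountURL(accountURL)
	if err != nil {
		return "", "", err
	}
	return base + "/fed/login", base + "/", nil
}

// CheckSAMLURLs audits the ACS and issuer URLs already configured on an
// integration (for example the values reported by DESCRIBE INTEGRATION) and
// returns one finding per URL whose host contains an underscore or is otherwise
// not a valid hostname. An empty result means both URLs are well-formed.
func CheckSAMLURLs(acsURL, issuerURL string) []string {
	checks := []struct{ name, raw string }{
		{"SAML2_SNOWFLAKE_ACS_URL", acsURL},
		{"SAML2_SNOWFLAKE_ISSUER_URL", issuerURL},
	}
	var findings []string
	for _, c := range checks {
		u, err := url.Parse(c.raw)
		switch {
		case err != nil:
			findings = append(findings, fmt.Sprintf("%s: %v", c.name, err))
		case strings.Contains(u.Hostname(), "_"):
			fixed := strings.ToLower(strings.ReplaceAll(u.Hostname(), "_", "-"))
			findings = append(findings, fmt.Sprintf("%s: host %q contains an underscore; use %q", c.name, u.Hostname(), fixed))
		case !ValidHost(u.Hostname()):
			findings = append(findings, fmt.Sprintf("%s: host %q is not a valid hostname", c.name, u.Hostname()))
		}
	}
	return findings
}

func main() {
	// Constructed input: the underscore form of the account URL that the
	// provider defaults produce, as described in the issue.
	const defaultURL = "https://myorg_myaccount.snowflakecomputing.com"

	for _, f := range CheckSAMLURLs(defaultURL+"/fed/login", defaultURL+"/") {
		fmt.Println("finding:", f)
	}
	acs, issuer, err := SAMLURLs(defaultURL)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAML2_SNOWFLAKE_ACS_URL    =", acs)
	fmt.Println("SAML2_SNOWFLAKE_ISSUER_URL =", issuer)
}
```

The normalisation is applied to the host only; the HCL workaround replaces every underscore in the URL string, which is equivalent for an account URL but would also alter a path that legitimately contained one.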

kcd83 commented 4 months ago

My initial suggestion would be to document this limitation if it turns out that system$allowlist() is the cause, and the Terraform provider should not be responsible for formatting the default URLs.

Thanks

sfc-gh-jcieslak commented 3 months ago

Hey @kcd83 👋 We're currently working on improving all security integrations. We'll take a look at this issue when working on SAML integration. cc: @sfc-gh-jmichalak.

sfc-gh-jmichalak commented 2 months ago

Hi @kcd83 👋 This is expected, as stated in docs. We can add this limitation to provider docs. cc @sfc-gh-asawicki

sfc-gh-jmichalak commented 2 months ago

@kcd83, we've added this limitation to docs and linked to a Snowflake doc about Okta URLs in v0.94.

sfc-gh-asawicki commented 4 weeks ago

Closing as completed.