cagov / data-infrastructure

CalData infrastructure
https://cagov.github.io/data-infrastructure
MIT License

Okta Integration Phase 1: Test Integration using sandbox account #283

Closed melanie-logan closed 7 months ago

melanie-logan commented 7 months ago

We needed to test Okta integration using a Sandbox account to determine how integration might impact ongoing projects.

Notes:

melanie-logan commented 7 months ago

Adding sample integration script here:

-- Configure a SAML2 security integration in your Snowflake account
-- Note: Snowflake account URLs use dashes in place of underscores
-- source: https://community.snowflake.com/s/article/How-To-Setup-SSO-Using-Okta-with-Snowflake-new-URL-format

USE ROLE ACCOUNTADMIN;
CREATE SECURITY INTEGRATION OKTAINTEGRATION
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://www.okta.com/[...]'              -- Okta app's Identity Provider Issuer
  SAML2_SSO_URL = 'https://login-preview.[...]/sso/saml'  -- Okta preview (sandbox) tenant SSO URL
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = '[...]'                               -- IdP signing cert, Base64 body without BEGIN/END CERTIFICATE lines
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'OKTA SSO'
  SAML2_ENABLE_SP_INITIATED = TRUE
  SAML2_SNOWFLAKE_ACS_URL = 'https://vsb79059-test-account.snowflakecomputing.com/fed/login'
  SAML2_SNOWFLAKE_ISSUER_URL = 'https://vsb79059-test-account.snowflakecomputing.com';

DESC SECURITY INTEGRATION OKTAINTEGRATION;

-- Okta SCIM integration with Snowflake
-- source: https://docs.snowflake.com/en/user-guide/scim-okta

USE ROLE ACCOUNTADMIN;
-- Dedicated role for the SCIM client; it only needs to create users and roles
CREATE ROLE IF NOT EXISTS OKTA_PROVISIONER;
GRANT CREATE USER ON ACCOUNT TO ROLE OKTA_PROVISIONER;
GRANT CREATE ROLE ON ACCOUNT TO ROLE OKTA_PROVISIONER;
GRANT ROLE OKTA_PROVISIONER TO ROLE ACCOUNTADMIN;
CREATE OR REPLACE SECURITY INTEGRATION OKTA_PROVISIONING
  TYPE = SCIM
  SCIM_CLIENT = 'OKTA'
  RUN_AS_ROLE = 'OKTA_PROVISIONER';
-- Bearer token to paste into the Okta SCIM app; treat it as a secret.
-- It expires after six months and must be regenerated with this same call.
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_PROVISIONING');

DESC SECURITY INTEGRATION OKTA_PROVISIONING;
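A set of post-configuration checks, added here as an example and not part of the issue or the project's scripts. It reuses the integration and role names from the script above (OKTAINTEGRATION, OKTA_PROVISIONING, OKTA_PROVISIONER); the time windows and the assumption that Okta has already pushed at least one user are illustrative.

```sql
-- Added example (not from the issue): verify the SAML2 and SCIM integrations after running the setup script.
USE ROLE ACCOUNTADMIN;

-- 1. Both integrations exist and are enabled
SHOW SECURITY INTEGRATIONS;
SELECT "name", "type", "enabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "name" IN ('OKTAINTEGRATION', 'OKTA_PROVISIONING');

-- 2. The SAML2 ACS / issuer URLs use the dashed account URL and SP-initiated login is on
DESC SECURITY INTEGRATION OKTAINTEGRATION;
SELECT "property", "property_value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('SAML2_SNOWFLAKE_ACS_URL',
                     'SAML2_SNOWFLAKE_ISSUER_URL',
                     'SAML2_ENABLE_SP_INITIATED');

-- 3. Users provisioned by Okta are owned by the SCIM role and carry no local password
SHOW USERS;
SELECT "name", "owner", "disabled", "has_password"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "owner" = 'OKTA_PROVISIONER';

-- 4. Recent SCIM calls from Okta (last 24 h, up to 200 rows); failed pushes show up here
SELECT *
FROM TABLE(SNOWFLAKE.INFORMATION_SCHEMA.REST_EVENT_HISTORY(
    'scim',
    DATEADD('hours', -24, CURRENT_TIMESTAMP()),
    CURRENT_TIMESTAMP(),
    200))
ORDER BY event_timestamp DESC;

-- 5. Logins in the last 7 days: SSO sessions report SAML2_ASSERTION, password logins report PASSWORD
SELECT user_name, first_authentication_factor, is_success, error_message, event_timestamp
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE event_timestamp > DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Check 3 is the one to watch in a sandbox test: a SCIM-created user that still has a password set can bypass SSO. ACCOUNT_USAGE.LOGIN_HISTORY lags by up to about two hours, so a login made during testing may not appear in check 5 immediately.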