使用多个身份提供商进行联合身份验证

您可以将 Snowflake 配置为允许用户通过多个身份提供商 (IdPs) 进行身份验证。

实现使用多个 IdPs 的联合环境包括以下步骤：

1. Enable the identifier-first login flow (in this topic).
2. Configure each identity provider.
3. Create multiple SAML security integrations, one for each IdP.
4. Associate users with IdPs (in this topic).

启用标识符优先登录

当账户的联合环境使用多个 IdPs 时，Snowflake 必须能够在向用户提供身份验证选项 之前 确定哪个 IdPs 与用户关联。在此流程中，Snowflake 仅提示用户输入其电子邮件地址或用户名，然后在识别用户后显示身份验证方法。只有与用户关联的 IdPs 将显示为身份验证选项。

The identifier-first login flow must be enabled if you are using multiple IdPs. To enable identifier-first login, set the ENABLE_IDENTIFIER_FIRST_LOGIN parameter to TRUE:

1. Sign in to Snowsight.
2. In the navigation menu, select Projects » Worksheets.
3. 执行以下 SQL 语句：
   Copy codeExpand code block

   USE ROLE ACCOUNTADMIN;
   ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = true;

   Show lessSee more

   Scroll to top

For more information about the identifier-first login flow, see Identifier-first login.

将用户与 IdPs 关联¶

在具有多个 IdPs 的环境中，您可以选择如何将用户与 IdP 关联。您可以使用与 IdP 关联的安全集成、身份验证策略，或结合使用这两种方法。

Security Integration:

Use the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties of the SAML2 security integration associated with each IdP. In this configuration, a user only sees an IdP as an authentication option if their EMAIL matches an email address domain or pattern in the security integration.

Authentication Policy:

Use the SECURITY_INTEGRATIONS property of an authentication policy to specify which security integrations are available to the user. In this configuration, the authentication policy is assigned to an entire account or an individual user. A user can only authenticate with IdPs associated with security integrations that are specified in the authentication policy.

如果希望用户只能看到允许他们使用的身份提供商，请创建多个身份验证策略，然后将适当的策略分配给用户。

For an example of using an authentication policy to implement multiple IdPs, see Allow authentication from multiple identity providers on an account.

Combined:

您可以将安全集成和身份验证策略方法结合起来，以进一步优化用户在具有多个 IdPs 的环境中的身份验证方式。

If you use both methods, Snowflake first evaluates which security integrations are associated with the authentication policy governing the user’s login. Once Snowflake has identified the security integrations, the user’s EMAIL is matched to one of the integrations based on the ALLOWED_USER_DOMAINS and ALLOWED_EMAIL_PATTERNS properties. Snowflake only displays the IdP option for the security integration that matches the user’s EMAIL.

Use multiple SAML2 security integrations with Microsoft Entra ID using the same issuer ID¶

This section guides you through configuring Snowflake and Microsoft Entra ID to let users authenticate through SSO using both a public or private issuer URL. You can use two different SAML2 security integrations with Microsoft Entra ID to implement this experience. You can configure Microsoft Entra ID to differentiate between public and private issuer URLs by appending a different application ID to each issuer URL.

Before continuing, you must enable the identifier-first login flow.

Follow the sections below to learn how to use multiple SAML2 security integrations with Microsoft Entra ID using the same issuer ID:

• Configure Microsoft Entra ID to append application IDs to Microsoft Entra Identifier URLs.
• 收集登录 URL、Microsoft Entra 标识符和应用程序 ID.
• 创建公共和私有 SAML2 安全集成.

Configure Microsoft Entra ID to append application IDs to Microsoft Entra Identifier URLs¶

1. Log in to Microsoft Azure (https://portal.azure.com/).
2. Under Azure services, select **Microsoft Entra ID**.
3. In the left navigation, select Manage » Enterprise applications.
4. 选择您的应用程序。
5. In the left navigation, select Manage » Single sign-on.
6. In Attributes & Claims, select Edit.
7. Under Additional claims, expand Advanced settings.
8. Beside Advanced SAML claims options, select Edit.

右侧面板会显示。

9. Select Append application ID to issuer.

收集登录 URL、Microsoft Entra 标识符和应用程序 ID¶

1. Ensure you configured Microsoft Entra ID.

2. In the left navigation, select Manage » Single sign-on.

3. Under Set up <your application name>, save the following values for later:

   • Login URL
   • Microsoft Entra Identifier

4. In the left navigation, select Overview

5. Under Properties, save the Application ID for later.

6. 为其他应用程序重复以上操作。

创建公共和私有 SAML2 安全集成¶

1. Ensure you configured Microsoft Entra ID.

2. Ensure you gathered the Login URL, Microsoft Entra identifier, and application ID.

3. Sign in to Snowsight.

4. In the navigation menu, select Projects » Worksheets.

5. Switch to a role with the CREATE INTEGRATION privilege.

6. 执行以下 SQL 语句以创建 SAML2 安全集成：

   Copy codeExpand code block

   CREATE OR REPLACE SECURITY INTEGRATION entra_id_public
     TYPE = SAML2
     ENABLED = TRUE
     SAML2_ISSUER = '<microsoft_entra_identifier>/<application_id>'
     SAML2_SSO_URL = '<login_url>'
     SAML2_PROVIDER = 'CUSTOM'
     SAML2_X509_CERT = 'MIIC...TAs/'
     SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Entra ID SSO Public'
     SAML2_ENABLE_SP_INITIATED = TRUE
     SAML2_SNOWFLAKE_ACS_URL = 'https://<organization_name>-<account_name>.snowflakecomputing.cn/fed/login'
     SAML2_SNOWFLAKE_ISSUER_URL = 'https://<organization_name>-<account_name>.snowflakecomputing.cn';

   Show lessSee more

   Scroll to top

   Where the following placeholders are replaced with the values you gathered earlier:

   | | 占位符 | 示例值 | | ------------------------------ | ------------------------------------------------------------------------------ | | | <login_url> | https://login.microsoftonline.com/91ccae45-d439-xxxx-xxxx-e22c06bfe4f9/saml2 | | | <microsoft_entra_identifier> | https://sts.windows.net/91ccae45-d439-xxxx-xxxx-e22c06bfe4f9 | | | <application_id> | 456xyz00-4567-4567-4567-4567xyz5678 | | | <organization_name> | EXAMPLE-USER12_AA12 | | | <account_name> | MSMITH |

7. Create another SAML2 security integration, appending the private application ID to the Microsoft Entra Identifier in the SAML2_ISSUER parameter.