Authentication policies

Authentication policies let you control how a client or user authenticates by specifying the following:

You can set an authentication policy on an account or on a user in the account. If you set an authentication policy on the account, it applies to all users in the account. If you set an authentication policy on both the account and a user, the user-level authentication policy overrides the account-level authentication policy.

Note

If you already have access to the identifier-first login flow, you need to migrate your account from the unsupported SAML_IDENTITY_PROVIDER account parameter using the SYSTEM$MIGRATE_SAML_IDP_REGISTRATION function.

Use cases

The following non-exhaustive list describes use cases for authentication policies:

  • You want to control whether MFA is required for a specific user, for all users in an account, or for a specific authentication method.
  • You want to control the user login flow when there are multiple login options.
  • You want to control the authentication methods, specific client types, minimum versions of clients, and security integrations available to specific users or all users.
  • You have customers building services on top of Snowflake using Snowflake drivers, but the customers do not want their users accessing Snowflake through Snowsight.
  • You want to offer multiple identity providers as authentication options to specific users.

Limitations

  • The CLIENT_TYPES property of an authentication policy is a best-effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary. Notably, it does not restrict access to the Snowflake REST APIs.

Considerations

  • Ensure authentication methods and security integrations listed in your authentication policies do not conflict. For example, if you add a SAML2 security integration in the list of allowed security integrations, and you only allow OAuth as an allowed authentication method, then you cannot create an authentication policy.
  • Use an additional non-restrictive authentication policy for administrators in case users are locked out. For an example, see Preventing lockouts.

Security policy precedence

When more than one type of security policy is activated, the policies are evaluated in a fixed order of precedence. For example, network policies take precedence over authentication policies, so if the IP address of a request matches an IP address in the blocked list of the network policy, the authentication policy is not checked, and evaluation stops at the network policy.

The following list describes the order in which security policies are evaluated:

  1. Network policies: Allow or deny IP addresses, VPC IDs, and VPCE IDs.
  2. Authentication policies: Allow or deny clients, authentication methods, and security integrations.
  3. Password policies (for local authentication only): Specify password requirements such as character length, characters, password age, retries, and lockout time.
  4. Session policies: Require users to re-authenticate after a period of inactivity.

If an authentication policy is assigned to both the account and the user, the user-level policy is enforced.

Combining identifier-first login with authentication policies

By default, Snowsight provides a generic login experience that offers several login options, regardless of whether those options are relevant to the user. This means that authentication is attempted regardless of whether the chosen login option is valid for that user.

You can alter this behavior to enable an identifier-first login flow for Snowsight. In this flow, Snowflake prompts the user for an email address or username before presenting authentication options. Snowflake uses the email address or username to identify the user, and then displays only the login options that are relevant to the user and allowed by the authentication policy set on the account or user.

For instructions for enabling the identifier-first login flow, see Identifier-first login.

The following table provides example configurations for combining identifier-first login with authentication policies to control the user login experience.

Configuration | Result
The AUTHENTICATION_METHODS parameter of the authentication policy contains only PASSWORD. | Snowflake prompts the user for an email address or username, and a password.
The AUTHENTICATION_METHODS parameter contains only SAML, and there is one active SAML2 security integration. | If the email address or username matches exactly one SAML2 security integration, Snowflake redirects the user to the identity provider's login page.
The AUTHENTICATION_METHODS parameter contains both PASSWORD and SAML, and there is one active SAML2 security integration. | If the email address or username matches exactly one SAML2 security integration, Snowflake displays a SAML SSO button, plus the option to log in with an email address or username and a password.
The AUTHENTICATION_METHODS parameter contains only SAML, and there are multiple active SAML2 security integrations. | If the email address or username matches multiple SAML2 security integrations, Snowflake displays multiple SAML SSO buttons.
The AUTHENTICATION_METHODS parameter contains both PASSWORD and SAML, and there are multiple active SAML2 security integrations. | If the email address or username matches multiple SAML2 security integrations, Snowflake displays multiple SAML SSO buttons, plus the option to log in with an email address or username and a password.

Creating an authentication policy

An administrator can use the CREATE AUTHENTICATION POLICY command to create a new authentication policy, specifying which clients can connect to Snowflake, which authentication methods can be used, and which security integrations are available to users. By default, all client types, authentication methods, and security integrations can be used to connect to Snowflake. The CLIENT_TYPES property of an authentication policy is a best-effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary. Notably, it does not restrict access to the Snowflake REST APIs.

For example, the following commands create a custom policy_admin role and an authentication policy that allows authentication using Snowsight. The user must authenticate with SAML or a password.

Note

To run this example, you must replace <username> in the GRANT ROLE command with your login username.

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE DATABASE my_database;
USE DATABASE my_database;

CREATE OR REPLACE SCHEMA my_schema;
USE SCHEMA my_schema;

CREATE ROLE policy_admin;

GRANT USAGE ON DATABASE my_database TO ROLE policy_admin;
GRANT USAGE ON SCHEMA my_database.my_schema TO ROLE policy_admin;
GRANT CREATE AUTHENTICATION POLICY ON SCHEMA my_database.my_schema TO ROLE policy_admin;
GRANT APPLY AUTHENTICATION POLICY ON ACCOUNT TO ROLE policy_admin;

GRANT ROLE policy_admin TO USER <username>;
USE ROLE policy_admin;

CREATE AUTHENTICATION POLICY my_example_authentication_policy
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD');

For detailed examples, see Login configuration examples.

Setting an authentication policy on an account or user

When you set an authentication policy on an account or user, the restrictions specified in the authentication policy apply to the account or user. You can use the ALTER ACCOUNT or ALTER USER commands to set an authentication policy on an account or user.

In a Snowsight worksheet, use either of the following commands to set an authentication policy on an account or user:

ALTER ACCOUNT SET AUTHENTICATION POLICY my_example_authentication_policy;
ALTER USER example_user SET AUTHENTICATION POLICY my_example_authentication_policy;

You can also set an authentication policy on all users of a specific type. For example, to set an authentication policy on all users of type SERVICE within the account, but not on users of type PERSON, run the following command:

ALTER ACCOUNT SET AUTHENTICATION POLICY my_example_authentication_policy
  FOR ALL SERVICE USERS;

Only a security administrator (a user with the SECURITYADMIN role) or a user whose role has the APPLY AUTHENTICATION POLICY privilege can set an authentication policy on an account or user. To grant this privilege to a role so that its users can set an authentication policy on an account or user, run one of the following commands:

GRANT APPLY AUTHENTICATION POLICY ON ACCOUNT TO ROLE my_policy_admin;
GRANT APPLY AUTHENTICATION POLICY ON USER example_user TO ROLE my_policy_admin;

For detailed examples, see Login configuration examples.

Using MFA to strengthen user or account authentication

To improve the security of user logins, you can create an authentication policy that requires users to enroll in MFA, and then apply the authentication policy to individual users or the account. After users enroll in MFA, the authentication policy requires users to authenticate with MFA.

Note

Snowflake is deprecating single-factor password logins. When the rollout is complete, all users who authenticate with a password must enroll in MFA.

Run the following command if you want to create an authentication policy that requires password users to authenticate with MFA when using any Snowflake client, not just Snowsight. Single sign-on (SSO) users won’t be required to use MFA.

CREATE AUTHENTICATION POLICY require_mfa_authentication_policy
  MFA_ENROLLMENT = 'REQUIRED'
  MFA_POLICY = (
    ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION = 'NONE'
  );

Run the following command if you want to create an authentication policy that requires password and single sign-on users to authenticate with MFA.

CREATE AUTHENTICATION POLICY require_mfa_authentication_policy
  MFA_ENROLLMENT = 'REQUIRED'
  MFA_POLICY = (
    ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION = 'ALL'
  );

To set this authentication policy for all users in the account, run the following SQL statement:

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_authentication_policy;

Note

If you set the MFA_ENROLLMENT parameter, then the CLIENT_TYPES parameter must include SNOWFLAKE_UI, because Snowsight is the only place users can enroll in multi-factor authentication (MFA).
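The following is an added example (not from the original page) that puts the note above next to the CLIENT_TYPES property: the first policy is the misconfiguration the note warns against, the second is the corrected form, followed by applying it and checking the assignment. Policy names are assumed; the FOR ALL PERSON USERS clause is assumed to mirror the FOR ALL SERVICE USERS form shown earlier on this page.

```sql
-- Added example, not from the original page. Policy names are assumed.
USE ROLE policy_admin;

-- Misconfiguration: MFA enrollment is required, but Snowsight (SNOWFLAKE_UI)
-- is not an allowed client, so users have nowhere to enroll in MFA.
-- Shown only to illustrate what the note above warns against; do not apply it.
CREATE AUTHENTICATION POLICY mfa_drivers_policy_broken
  CLIENT_TYPES = ('DRIVERS')
  AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = 'REQUIRED';

-- Corrected: keep SNOWFLAKE_UI so users can enroll, keep DRIVERS for the
-- applications they actually use, and require MFA for both password and
-- SSO logins on every client, not just Snowsight.
CREATE AUTHENTICATION POLICY mfa_drivers_policy
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS')
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  MFA_ENROLLMENT = 'REQUIRED'
  MFA_POLICY = (
    ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION = 'ALL'
  )
  COMMENT = 'MFA required; Snowsight kept so users can enroll';

-- Apply to human users only. The FOR ALL PERSON USERS clause is assumed to
-- follow the same syntax as FOR ALL SERVICE USERS shown earlier on this page.
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_drivers_policy
  FOR ALL PERSON USERS;

-- Verify the assignment (see "Tracking authentication policy usage"):
-- the result should include a row whose REF_ENTITY_DOMAIN is ACCOUNT.
SELECT *
FROM TABLE(
  my_database.INFORMATION_SCHEMA.POLICY_REFERENCES(
    POLICY_NAME => 'my_database.my_schema.mfa_drivers_policy'
  )
);
```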

Tracking authentication policy usage

Use the Information Schema table function POLICY_REFERENCES to return a row for each user that is assigned to the specified authentication policy and a row for the authentication policy assigned to the Snowflake account.

Authentication policies support the following syntax:

POLICY_REFERENCES( POLICY_NAME => '<authentication_policy_name>' )
POLICY_REFERENCES( REF_ENTITY_DOMAIN => 'USER', REF_ENTITY_NAME => '<username>')
POLICY_REFERENCES( REF_ENTITY_DOMAIN => 'ACCOUNT', REF_ENTITY_NAME => '<accountname>')

Where authentication_policy_name is the fully qualified name of the authentication policy.

For example, execute the following query to return a row for each user that is assigned the authentication policy named authentication_policy_prod_1, which is stored in the database named my_db and the schema named my_schema:

SELECT *
FROM TABLE(
  my_db.INFORMATION_SCHEMA.POLICY_REFERENCES(
  POLICY_NAME => 'my_db.my_schema.authentication_policy_prod_1'
  )
);

Preventing lockouts

In situations where the authentication policy governing an account is strict, you can create a non-restrictive authentication policy for an administrator to use as a recovery option in case of a lockout caused by a security integration. For example, you can include the PASSWORD authentication method for the administrator only. The user-level authentication policy overrides the more restrictive account-level policy.

CREATE AUTHENTICATION POLICY admin_authentication_policy
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWFLAKE_CLI', 'SNOWSQL', 'DRIVERS')
  SECURITY_INTEGRATIONS = ('EXAMPLE_OKTA_INTEGRATION');

You can then assign this policy to the administrator:

ALTER USER <administrator_name> SET AUTHENTICATION POLICY admin_authentication_policy;

Replicating authentication policies

You can replicate authentication policies using failover and replication groups. For details, see Replication and security policies.

Login configuration examples

This section provides examples of how to use and combine authentication policies with SAML2 security integrations to control login flows and security.

Restricting user access to Snowflake by client type

The CLIENT_TYPES property of an authentication policy is a best-effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary. Notably, it does not restrict access to the Snowflake REST APIs.

Create an authentication policy named restrict_client_type_policy that only allows access through Snowsight:

CREATE AUTHENTICATION POLICY restrict_client_type_policy
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  COMMENT = 'Only allows access through the web interface';

Set the authentication policy on a user:

ALTER USER example_user SET AUTHENTICATION POLICY restrict_client_type_policy;

Allowing authentication with multiple identity providers for an account

Create a SAML2 security integration that allows users to log in through SAML using Okta as an IdP:

CREATE SECURITY INTEGRATION example_okta_integration
  TYPE = SAML2
  SAML2_SSO_URL = 'https://okta.example.com';
  ...

Create a security integration that allows users to log in through SAML using Microsoft Entra ID as an IdP:

CREATE SECURITY INTEGRATION example_entra_integration
  TYPE = SAML2
  SAML2_SSO_URL = 'https://entra-example_acme.com';
  ...

Create an authentication policy associated with the example_okta_integration and example_entra_integration integrations:

CREATE AUTHENTICATION POLICY multiple_idps_authentication_policy
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('EXAMPLE_OKTA_INTEGRATION', 'EXAMPLE_ENTRA_INTEGRATION');

Set the authentication policy on the account:

ALTER ACCOUNT SET AUTHENTICATION POLICY multiple_idps_authentication_policy;

Privileges and commands

Authentication policy privilege reference

Snowflake supports the following authentication policy privileges, which determine whether a user can create, set, and own authentication policies.

Operating on an object in a schema requires at least one privilege on the parent database and at least one privilege on the parent schema.

Privilege | Object | Purpose
CREATE | Schema | Enables creating a new authentication policy in a schema.
APPLY AUTHENTICATION POLICY | Account | Enables applying an authentication policy at the account or user level.
OWNERSHIP | Authentication policy | Grants full control over the authentication policy. Required to alter most properties of an authentication policy.

Authentication policy DDL reference

For details about authentication policy privileges and commands, see the following reference documentation:

Command | Privilege | Description
CREATE AUTHENTICATION POLICY | CREATE AUTHENTICATION POLICY on SCHEMA | Creates a new authentication policy.
ALTER AUTHENTICATION POLICY | OWNERSHIP on AUTHENTICATION POLICY | Modifies an existing authentication policy.
DROP AUTHENTICATION POLICY | OWNERSHIP on AUTHENTICATION POLICY | Removes an existing authentication policy from the system.
DESCRIBE AUTHENTICATION POLICY | OWNERSHIP on AUTHENTICATION POLICY | Describes the properties of an existing authentication policy.
SHOW AUTHENTICATION POLICIES | OWNERSHIP on AUTHENTICATION POLICY or USAGE on SCHEMA | Lists all authentication policies in the system.