@joscha
Last active April 8, 2025 13:51
Snowflake Google Workspace SSO

Detailed description can be found here.

The most important part, and easy to overlook:

The email address for each of your IdP users must match the Snowflake LOGIN_NAME value of the corresponding Snowflake user.

If it does not, the respective user gets an error like this when they try to log in:

[screenshot: SCR-20250408-ndax-2]

```hcl
locals {
  pem_certificate = file("./Google_2026-1-11-356_SAML2_0.pem")
  # saml2_x509_cert expects only the Base64 body of the certificate.
  # Trim surrounding whitespace before stripping the armor lines so the
  # END line is removed even when the file ends with a trailing newline.
  pem_body = trimspace(
    trimsuffix(
      trimprefix(trimspace(local.pem_certificate), "-----BEGIN CERTIFICATE-----"),
      "-----END CERTIFICATE-----"
    )
  )
}

resource "snowflake_account_parameter" "enable_identifier_first_login" {
  provider = snowflake.accountadmin
  key      = "ENABLE_IDENTIFIER_FIRST_LOGIN"
  value    = "true"
}

resource "snowflake_saml2_integration" "google_sso" {
  provider             = snowflake.accountadmin
  enabled              = true
  allowed_user_domains = ["yourdomain.com"]
  name                 = "GOOGLE_SSO"
  saml2_provider       = "CUSTOM"
  saml2_issuer         = "https://accounts.google.com/o/saml2?idpid=<...>"
  saml2_sso_url        = "https://accounts.google.com/o/saml2/idp?idpid=<...>"
  saml2_x509_cert      = local.pem_body

  saml2_sp_initiated_login_page_label = "GOOGLE_SSO"
  saml2_enable_sp_initiated           = true
  saml2_snowflake_acs_url             = "https://<...>.snowflakecomputing.com/fed/login"
  saml2_snowflake_issuer_url          = "https://<...>.snowflakecomputing.com"
}
```
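The two places this setup fails silently are the ones the gist calls out: a Snowflake user whose LOGIN_NAME does not match the e-mail the IdP asserts, and a certificate value that still carries its PEM armor. The script below is an added pre-flight check, not part of the gist and not Snowflake or Google tooling. It runs offline on constructed sample data (a pretend Google directory export and pretend `SHOW USERS` rows); `reconcile`, `suggest_fixes`, `pem_body` and the sample constants are all names chosen here.

```python
"""Pre-flight checks for a Snowflake <-> Google Workspace SAML setup.

Added example, not part of the gist. Checks, on constructed sample data:
1. every IdP e-mail has a Snowflake user whose LOGIN_NAME matches it and
   belongs to an allowed domain;
2. the certificate handed to saml2_x509_cert is a bare Base64 body.
Nothing here talks to Snowflake or Google.
"""
import base64
import binascii
import re

# Constructed sample: what a Google Workspace directory export might list.
IDP_EMAILS = [
    "alice@yourdomain.com",
    "Bob@yourdomain.com",
    "carol@yourdomain.com",
    "dave@contractor.example",
]

# Constructed sample: rows as SHOW USERS returns them (name, login_name).
# Snowflake upper-cases identifiers; LOGIN_NAME defaults to NAME when unset,
# which is exactly the case that breaks SSO (BOB below).
SNOWFLAKE_USERS = [
    {"name": "ALICE", "login_name": "ALICE@YOURDOMAIN.COM"},
    {"name": "BOB", "login_name": "BOB"},
    {"name": "CAROL", "login_name": "CAROL@YOURDOMAIN.COM"},
]

ALLOWED_DOMAINS = {"yourdomain.com"}  # mirrors allowed_user_domains


def reconcile(idp_emails, snowflake_users, allowed_domains):
    """Return {idp_email: problem} for every IdP user that cannot log in.

    Comparison is case-insensitive: Snowflake matches LOGIN_NAME that way.
    """
    by_login = {u["login_name"].lower(): u for u in snowflake_users}
    problems = {}
    for email in idp_emails:
        key = email.lower()
        domain = key.rsplit("@", 1)[-1]
        if domain not in allowed_domains:
            problems[email] = "domain not in allowed_user_domains"
        elif key not in by_login:
            problems[email] = "no Snowflake user with this LOGIN_NAME"
    return problems


def suggest_fixes(problems, snowflake_users):
    """For each unmatched e-mail whose local part equals an existing user's
    NAME, emit the ALTER USER statement that sets LOGIN_NAME to the e-mail."""
    by_name = {u["name"].upper(): u for u in snowflake_users}
    fixes = []
    for email, why in problems.items():
        if why != "no Snowflake user with this LOGIN_NAME":
            continue
        local_part = email.split("@", 1)[0].upper()
        if local_part in by_name:
            fixes.append(
                f"ALTER USER {by_name[local_part]['name']} "
                f"SET LOGIN_NAME = '{email.lower()}';"
            )
    return fixes


# Constructed sample: a minimal "certificate" whose body decodes to a DER
# SEQUENCE (0x30 ...). Real certificates are far longer; the shape is the same.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_body(pem_text):
    """Return the Base64 body of the first certificate in pem_text as one
    line, with armor and whitespace removed. Raises ValueError when there is
    no certificate block or the body is not Base64 encoding a DER SEQUENCE."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop the 64-column line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}")
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return body


if __name__ == "__main__":
    found = reconcile(IDP_EMAILS, SNOWFLAKE_USERS, ALLOWED_DOMAINS)
    for email, why in found.items():
        print(f"{email}: {why}")
    for stmt in suggest_fixes(found, SNOWFLAKE_USERS):
        print("suggested:", stmt)
    print("saml2_x509_cert =", pem_body(SAMPLE_PEM))
```

On the sample data the check flags `Bob@yourdomain.com` (LOGIN_NAME still at its default of `BOB`) and `dave@contractor.example` (domain not allowed), and proposes the `ALTER USER` statement for BOB. `pem_body` strips the armor regardless of trailing newlines, which is the case the `trimsuffix` call in the locals block has to handle.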