Snowflake integration with Okta

What am I trying to do:

Use Okta API to programmatically add Snowflake App into my OKTA org account.

Question:

Which API should I use?

What have I tried?

I have used the /api/v1/apps API so far but I am not able to get it right. My issues are:

  1. I don’t understand the various fields in the API for adding a custom SAML app.
  2. By using the API I am not able to replicate the results of adding the Snowflake App manually.

What should I do? Any help appreciated. Thanks

Hi @ankur

To add the Snowflake application in Okta, you should use the Add Custom SAML App API as described here.

Here is a cURL example for this request:

curl -X POST \
  https://org.okta.com/api/v1/apps \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS API_TOKEN_HERE' \
  -H 'Content-Type: application/json' \
  -d '{
  "label": "Custom Saml 2.0 App",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${fn:substringBefore(source.login, \"@\")}",
      "type": "BUILT_IN"
    },
    "signing": {}
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": "",
      "ssoAcsUrl": "http://example.okta.com",
      "idpIssuer": "http://www.okta.com/${org.externalKey}",
      "audience": "https://example.com/tenant/123",
      "recipient": "http://recipient.okta.com",
      "destination": "http://destination.okta.com",
      "subjectNameIdTemplate": "${user.userName}",
      "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "responseSigned": true,
      "assertionSigned": true,
      "signatureAlgorithm": "RSA_SHA256",
      "digestAlgorithm": "SHA256",
      "honorForceAuthn": true,
      "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
      "spIssuer": null,
      "requestCompressed": false,
      "attributeStatements": []
    }
  }
}'

The values for settings.signOn are the ones provided by Snowflake.

Regarding the replication through adding the Snowflake app manually, are you referring to adding the application directly from Okta Integration Network? If this is the case, then unfortunately we do not have a public API in order to achieve the same result.

@dragos Thank you for your response.

I did see the API for creating a custom SAML app and also tried it out.

A few more follow up questions:

  1. Where do I get the values for settings.signOn fields from Snowflake? For e.g.

"ssoAcsUrl": "",
"idpIssuer": "",
"audience": "",
"recipient": "",
"destination": "",

I also understand that there is no API to simulate manual addition of Snowflake App directly in Okta.

Thanks
Ankur

Hi @ankur

These details can be obtained from Snowflake. You can find further details and the endpoints here.

Hey @dragos

Sorry, this still doesn’t make sense to me.

What I understand is:

  1. The SSO URL is generated by Okta after the app has already been created. But in the API it is needed at the time of making the API call. See here

How do I specify these values at the time of making the API call:

"ssoAcsUrl": "http://example.okta.com",
"idpIssuer": "http://www.okta.com/${org.externalKey}",
"audience": "https://example.com/tenant/123",
"recipient": "http://recipient.okta.com",
"destination": "http://destination.okta.com",

Does this: "http://www.okta.com/${org.externalKey}" translate to
"http://www.okta.com/<my account org id from welcome email>"?

Hi @ankur

The cURL provided earlier is an example based on the App Postman collection provided here.

The ACS URL, audience, recipient and destination are provided by Snowflake. IDP Issuer is provided by Okta and you can configure it to a pre-defined value which will need to be added afterwards in Snowflake.
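The following is an added example (not code from this thread, from Okta or from Snowflake) that turns the cURL request body shown earlier and the split described just above (ACS URL, audience, recipient and destination from Snowflake; idpIssuer from Okta) into a small Python helper. It builds the POST /api/v1/apps body for a SAML_2_0 app, runs a few sanity checks before anything is sent, and reads the API token from an environment variable named OKTA_API_TOKEN (an assumed name) so it is never hard-coded next to the `Authorization: SSWS` header. The SP values in SNOWFLAKE_SP_VALUES are constructed placeholders, not real Snowflake endpoints, and the checks in check_sign_on (HTTPS on the URLs that receive the assertion, both signing flags on, no SHA-1) are this example's own policy rather than validation Okta performs.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse

# Constructed placeholders standing in for the values Snowflake hands you
# (ACS URL, audience, recipient, destination). They are not real endpoints.
SNOWFLAKE_SP_VALUES = {
    "ssoAcsUrl": "https://sp.example.invalid/acs",
    "audience": "https://sp.example.invalid/audience",
    "recipient": "https://sp.example.invalid/acs",
    "destination": "https://sp.example.invalid/acs",
}

# Fields that must come from the SP (Snowflake) side; Okta supplies idpIssuer.
REQUIRED_SP_FIELDS = ("ssoAcsUrl", "audience", "recipient", "destination")
WEAK_SIGNATURE_ALGORITHMS = {"RSA_SHA1"}
WEAK_DIGEST_ALGORITHMS = {"SHA1"}


def build_saml_app(label, sp_values, idp_issuer="http://www.okta.com/${org.externalKey}"):
    """Return the JSON body for POST /api/v1/apps, mirroring the cURL example in the thread."""
    sign_on = {
        "defaultRelayState": "",
        "ssoAcsUrl": sp_values["ssoAcsUrl"],
        "idpIssuer": idp_issuer,
        "audience": sp_values["audience"],
        "recipient": sp_values["recipient"],
        "destination": sp_values["destination"],
        "subjectNameIdTemplate": "${user.userName}",
        "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "responseSigned": True,
        "assertionSigned": True,
        "signatureAlgorithm": "RSA_SHA256",
        "digestAlgorithm": "SHA256",
        "honorForceAuthn": True,
        "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "spIssuer": None,
        "requestCompressed": False,
        "attributeStatements": [],
    }
    return {
        "label": label,
        "accessibility": {"selfService": False, "errorRedirectUrl": None, "loginRedirectUrl": None},
        "visibility": {"autoSubmitToolbar": False, "hide": {"iOS": False, "web": False}},
        "features": [],
        "signOnMode": "SAML_2_0",
        "credentials": {
            "userNameTemplate": {"template": '${fn:substringBefore(source.login, "@")}', "type": "BUILT_IN"},
            "signing": {},
        },
        "settings": {
            "app": {},
            "notifications": {"vpn": {"network": {"connection": "DISABLED"}, "message": None, "helpUrl": None}},
            "signOn": sign_on,
        },
    }


def check_sign_on(body):
    """Return a list of problems with settings.signOn; an empty list means it passed.

    These checks are this example's own hardening policy, not Okta's validation."""
    problems = []
    sign_on = body.get("settings", {}).get("signOn", {})
    for field in REQUIRED_SP_FIELDS:
        value = sign_on.get(field)
        if not value:
            problems.append(f"{field} is missing (get it from Snowflake)")
            continue
        # The audience is an identifier; the other three receive the signed assertion,
        # so plain HTTP there would expose it in transit.
        if field != "audience" and urlparse(value).scheme != "https":
            problems.append(f"{field} must use https, got {value!r}")
    if not sign_on.get("idpIssuer"):
        problems.append("idpIssuer is missing (Okta-side value, also entered in Snowflake)")
    if not (sign_on.get("responseSigned") and sign_on.get("assertionSigned")):
        problems.append("both responseSigned and assertionSigned should be true")
    if sign_on.get("signatureAlgorithm") in WEAK_SIGNATURE_ALGORITHMS:
        problems.append("signatureAlgorithm RSA_SHA1 is weak; use RSA_SHA256")
    if sign_on.get("digestAlgorithm") in WEAK_DIGEST_ALGORITHMS:
        problems.append("digestAlgorithm SHA1 is weak; use SHA256")
    if body.get("signOnMode") != "SAML_2_0":
        problems.append("signOnMode must be SAML_2_0")
    return problems


def create_app(org_url, body, token=None):
    """POST the body to {org_url}/api/v1/apps.

    The token comes from OKTA_API_TOKEN (assumed env var name) so it stays out of source."""
    token = token or os.environ.get("OKTA_API_TOKEN")
    if not token:
        raise RuntimeError("set OKTA_API_TOKEN before calling create_app")
    problems = check_sign_on(body)
    if problems:
        raise ValueError("refusing to create app: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/apps",
        data=json.dumps(body).encode(),
        headers={"Accept": "application/json",
                 "Authorization": f"SSWS {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    app = build_saml_app("Snowflake (SAML)", SNOWFLAKE_SP_VALUES)
    print(json.dumps(app, indent=2))
    print("problems:", check_sign_on(app))
```

Running the module prints the body and an empty problem list for the placeholder values; create_app is only reached with a real org URL and token, and it refuses to send anything that fails check_sign_on. Once the app exists, the idpIssuer you chose still has to be entered on the Snowflake side, as the reply above notes.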

@dragos Is there a phone number I can reach you at? Thanks

Hi @ankur

You can open a support ticket with us by sending an email to support@okta.com, through the Okta Community Portal at support.okta.com, or via phone. Depending on where you are located, you can call one of the following numbers:

  • US: +1 (800) 219-0964
  • Australia: +61 1800 095441
  • France: +33 (0) 800 914949
  • Netherlands: +31 (0) 800 0224471
  • UK: +44 (0) 800 8085574
  • Germany: +49 800 7234788
  • Spain: +34 900 993228
  • Sweden: +46 200 123771

Ok, thanks @dragos. Appreciate your help.

Ankur