RecordPoint now supports Microsoft Entra SSO for access to our Snowflake data warehouse, which powers our Enterprise Reporting and Analytics capabilities.
The following are the steps to enable SSO within your account. Steps will be performed either by RecordPoint or by the Customer, as indicated in the step title.
Getting Started
RecordPoint's support team will carry out a series of steps to set up SSO before you start the steps below, and will provide the Identifier and Reply URL to be used during the setup. If you have not been provided with an Identifier and Reply URL, please contact RecordPoint support.
1. Create a new Enterprise Application in Microsoft Entra
- In the Azure Portal, search for the “Microsoft Entra ID” service.
- In the left menu, click on “Enterprise Applications”.
- Click on “+ New application”.
- In the “Search application” field of Microsoft Entra Gallery, enter “snowflake”.
- Click on “Snowflake for Microsoft Entra ID”.
- A pop-up form will appear.
- Enter an appropriate name, such as “Snowflake SSO”.
- Click on Create.
2. Add users or groups to the Snowflake SSO Enterprise Application
- In the Snowflake SSO Enterprise Application, in the left menu, click on “Users and groups”.
- Add users or groups who will be using Snowflake.
3. Set up Single Sign-On (SSO) in the Enterprise Application
- In the Snowflake SSO Enterprise Application, in the left menu, click on “Single sign-on”.
- When selecting a single sign-on method, click on “SAML”.
- In the “Identifier (Entity ID)” and “Reply URL” fields, enter the values provided by RecordPoint:
  - Identifier: recordpoint-[***].snowflakecomputing.com
  - Reply URL: recordpoint-[***].snowflakecomputing.com/fed/login
- Click on “Save”. Do not attempt to test the setup at this stage.
- Back in the Snowflake SSO Enterprise Application page, scroll down to the “SAML Certificates” section and, on the “Federation Metadata XML” line, click on “Download”.
- Send this file securely to RecordPoint's support team.
After completing this step, RecordPoint will do the following:
- Create security integration in Snowflake
- Update Snowflake URLs
Once you have received confirmation these steps have been completed, continue with the following steps:
4. Create users in Snowflake
- A user with USERADMIN role will create users in Snowflake by logging in to the Snowflake URL provided (recordpoint-[***].snowflakecomputing.com), and using the following command:
CREATE USER "username@customer.com" PASSWORD='' LOGIN_NAME='username@customer.com'
EMAIL='username@customer.com' DISPLAY_NAME='username@customer.com'
DEFAULT_ROLE='PUBLIC' DEFAULT_WAREHOUSE='QUERY_WH';
- Replace all instances of username@customer.com with the user's Entra ID email address.
5. Test Microsoft Entra SSO
- Test login from a web browser at https://recordpoint-[***].snowflakecomputing.com
- Test login from Power BI. Create a new report and add Snowflake as a data source. When prompted, enter the following values:
  - Server: recordpoint-[***].snowflakecomputing.com
  - Warehouse: QUERY_WH
- Click on the “Microsoft Account” tab and the “Sign In” button. A browser will open. Log in using Entra ID.
6. Update any existing report details
For any Power BI reports being used, update the following:
- Server URL
- Database name
- Authentication method
To do this, open the report in Power BI and go to Transform Data > Edit parameters. Enter the Snowflake URL (recordpoint-[***].snowflakecomputing.com) and database name provided by Support following the setup, and save these settings.
To update the Authentication Method, go to Transform Data > Data source settings and select "Edit Permissions". Select "Edit" under Credentials and choose Microsoft Account > Sign In. After successfully signing in, save these changes and save/publish the report.
Note: If using Power BI Online, the authentication details must also be updated in Power BI Online after publishing the report.
From there, inform RecordPoint that the tests are successful. We will finalise the process on our side and notify you when SSO is fully set up and ready to use.
Authenticating as a Service Account
Organisations that use service accounts or reporting gateways, or that require programmatic access to the Snowflake data warehouse, can use Snowflake's Programmatic Access Tokens. These tokens can be set to last up to 365 days, after which they will need to be rotated. Please contact RecordPoint support to enable this functionality. Once enabled, tokens can be created by a user with the USERADMIN role using:
ALTER USER IF EXISTS "user@example.com" ADD PROGRAMMATIC ACCESS TOKEN example_token;
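The token lifecycle described above (issue, review, rotate, revoke), as an added example that is not RecordPoint's own code. The role name REPORTING_RO, the 90-day lifetime and the 24-hour overlap are illustrative assumptions; use the role and limits agreed with RecordPoint support.

```sql
-- Added example. REPORTING_RO, 90 days and 24 hours are assumed values,
-- not settings supplied by RecordPoint.

-- 1. Issue a token restricted to a single role, with an explicit lifetime
--    shorter than the 365-day maximum. The role must already be granted to
--    the user. The secret is returned once, in the token_secret column of
--    the result; store it in a secrets manager, not in a report or script.
ALTER USER IF EXISTS "user@example.com"
  ADD PROGRAMMATIC ACCESS TOKEN example_token
  ROLE_RESTRICTION = 'REPORTING_RO'
  DAYS_TO_EXPIRY = 90
  COMMENT = 'Reporting gateway token';

-- 2. Review the user's tokens, including status and expiry date, so that
--    rotation can be scheduled before the token lapses.
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER "user@example.com";

-- 3. Rotate ahead of expiry. A new secret is returned and the previous
--    secret stays valid for the overlap window, so the gateway can be
--    updated without an outage.
ALTER USER IF EXISTS "user@example.com"
  ROTATE PROGRAMMATIC ACCESS TOKEN example_token
  EXPIRE_ROTATED_TOKEN_AFTER_HOURS = 24;

-- 4. Revoke immediately if the secret is exposed or the integration is retired.
ALTER USER IF EXISTS "user@example.com"
  REMOVE PROGRAMMATIC ACCESS TOKEN example_token;
```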