
Azure AD / Entra ID & Snowflake Federated Identity Setup Guide

Step-by-step guide to configure Entra ID for OAuth 2.0 On-Behalf-Of (OBO) flow with Snowflake external OAuth integration, enabling seamless federated identity between Astrato, Entra ID, and Snowflake.


This guide walks through configuring Entra ID for OAuth 2.0 On-Behalf-Of (OBO) flow with Snowflake external OAuth integration, enabling seamless federated identity between Astrato, Entra ID, and Snowflake.

Overview

The federated identity system allows users to authenticate once in Astrato via Entra ID and seamlessly access Snowflake without re-authentication. The system uses the OAuth 2.0 On-Behalf-Of flow to exchange Entra ID tokens for Snowflake-targeted tokens.



How it works

The authentication flow happens in three stages:

  1. Initial Authentication: The user logs into Astrato, which initiates an OAuth2 Authorization Request to the Entra ID Web App. The user authenticates (including MFA), and Astrato receives an ID Token, Access Token, and Refresh Token.

  2. OAuth 2.0 On-Behalf-Of Flow: When the user requests Snowflake data, Astrato uses the user's Access Token to request a Snowflake-scoped token from Entra ID via the OBO grant. Entra ID validates the app permissions and returns a Snowflake Access Token containing the user's email claim.

  3. Snowflake Authentication: Astrato connects to Snowflake using the federated token. Snowflake validates the token signature via the JWKS endpoint, maps the user by their email claim, assigns roles, and returns query results.

Prerequisites

  • Astrato Account with administrative access

  • Entra ID Tenant with administrative access

  • Snowflake Account with ACCOUNTADMIN privileges

Step 1: Configure Entra ID Web Application for Astrato

1.1 Create / Configure Web App Registration

  1. Navigate to Entra ID Portal → App registrations

  2. Select your existing web app or create a new one

  3. Note down the Application (client) ID; this will be your {web-app-id} (used in section 2.1.5)

  4. Note down the Directory (tenant) ID; this will be your {entra-tenant-id} (used in section 2.1.5)

  5. In the top menu click Endpoints, then locate the OpenID Connect metadata document endpoint and open it. In the JSON response, find and copy the value of the issuer field; this will be your {issuer-url} (used in section 2.1.5)

1.2 Configure Authentication Settings

  1. Go to Authentication in the left menu

  2. Click + Add Redirect URI

  3. Select Web

  4. Add the following Redirect URIs (these are the Callback URLs from section 2.1.4):

1.3 Configure Certificates & Secrets

  1. Go to Certificates & secrets

  2. Click + New client secret

  3. Add a Description: "Web App Client Secret"

  4. Set Expires: Choose an appropriate duration (6 months, 12 months, etc.)

  5. Click Add

  6. Copy and securely store the secret value; you'll need it in section 2.1.5

1.4 Configure API Permissions

  1. Navigate to API permissions

  2. Ensure the following Microsoft Graph delegated permissions are present:

    • User.Read

    • email

    • openid

    • profile

Note: Permission to access the Snowflake App API will be added in Step 4.1.

Step 2: Configure Astrato SSO Login

2.1 Create Astrato SSO Login

  1. In Astrato, go to the Administration section → Enterprise Connection

  2. Click New Connection

  3. Select Microsoft Azure AD

  4. Note down the Callback URLs; you'll need these in step 1.2 above

  5. Go to the Setup tab and fill in the form:

    • Connection Name

    • Issuer URL: {issuer-url}

    • Client ID: {web-app-id}

    • Client Secret

    • Identity provider domains

  6. Click Save

2.2 Verify the Connection

  1. Click Verify to confirm the integration is working correctly

Step 3: Configure Entra ID Snowflake Resource

3.1 Create Snowflake App Registration

  1. Navigate to Entra ID Portal → App registrations

  2. Click + New registration

  3. Name: "Snowflake External OAuth Integration" (or similar)

  4. Supported account types: Select Accounts in this organizational directory only (Single tenant)

  5. Click Register

  6. Note down the Application (client) ID; this will be your {snowflake-app-id}

3.2 Expose Snowflake API

  1. Navigate to Expose an API

  2. Click Add next to "Application ID URI"

  3. Use: api://{snowflake-app-id}; this will be your {entra-snowflake-audience}

  4. Click Save

  5. Click + Add a scope and fill in the following:

    • Scope name: session:role-any

    • Admin consent display name: "Access Snowflake on behalf of user"

    • Admin consent description: "Allow applications to access Snowflake on behalf of the signed-in user with flexible role assignment"

    • User consent display name: "Access Snowflake"

    • User consent description: "Allow this app to access Snowflake on your behalf"

    • State: Enabled

  6. Click Add scope

3.3 Configure Token Configuration

  1. Navigate to Token configuration

  2. Click + Add optional claim

  3. Token type: Access tokens

  4. Select the email claim

  5. Click Add

  6. If prompted about Microsoft Graph permissions, click "Turn on the Microsoft Graph email permission."

Step 4: Link Applications Together

4.1 Grant Astrato Web App Permission to Access Snowflake App API

  1. Navigate to your Web App registration ({web-app-id})

  2. Go to API permissions

  3. Click + Add a permission

  4. Click the APIs my organization uses tab

  5. Search for your Snowflake app name or {snowflake-app-id}

  6. Select the Snowflake application

  7. Select Delegated permissions

  8. Check session:role-any

  9. Click Add permissions

4.2 Grant Admin Consent

  1. In the API permissions page of your Web App, click Grant admin consent for [Your Organization]

  2. Click Yes in the confirmation dialog

  3. Verify that all permissions show "Granted for [Your Organization]" with green checkmarks

Step 5: Configure Astrato Federation for Snowflake

5.1 Create Entra ID – Snowflake Identity Federation

  1. In Astrato, go to Enterprise Connection → Identity Provider tab

  2. Click New Provider

  3. Select Entra ID Token Exchange

  4. Fill in the Setup form:

    • Display Name

    • Service account URL: Your Snowflake account URL

    • SSO Connection: Select the Astrato SSO connection configured in section 2.1

    • Token Audience: {entra-snowflake-audience} (typically in the form api://{snowflake-app-id})

  5. Click Create

Once saved, users who sign in to Astrato with Entra ID will automatically gain access to the configured Snowflake account URL, provided they have been assigned the necessary permissions in both Entra ID and Snowflake.

Step 6: Configure Snowflake External OAuth Integration

6.1 Create External OAuth Integration

Execute the following SQL in Snowflake, replacing the placeholders with your actual values:

CREATE OR REPLACE SECURITY INTEGRATION AZURE_OAUTH_INTEGRATION
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = AZURE
-- v1.0 issuer of the tokens minted for the Snowflake app; {entra-tenant-id} is the Directory (tenant) ID from section 1.1
EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/{entra-tenant-id}/'
-- Application ID URI from section 3.2; the token's aud claim must match an entry in this list
EXTERNAL_OAUTH_AUDIENCE_LIST = ('{entra-snowflake-audience}')
-- JWKS endpoint Snowflake uses to verify the token signature
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/{entra-tenant-id}/discovery/v2.0/keys'
-- the email claim added in section 3.3 identifies the user ...
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'email'
-- the session:role-any scope exposed in section 3.2 lets the session use any role granted to the user
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'
-- ... and is matched against the Snowflake user's LOGIN_NAME
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
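As an added example (not Astrato's or Snowflake's code), the Python below builds the On-Behalf-Of token request described in stage 2 of "How it works" and then applies, offline, the claim checks that the integration above configures Snowflake to perform in stage 3. The tenant ID, app IDs, email address and the unsigned sample token are constructed placeholders; signature verification against the JWKS URL is left to Snowflake and is not reproduced here.

```python
import base64
import json
from urllib.parse import urlencode

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def obo_request(tenant_id, web_app_id, web_app_secret, user_access_token, audience):
    """Token-endpoint URL and form body for the OBO exchange (stage 2).
    The scope requests the session:role-any scope exposed in section 3.2."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": OBO_GRANT,
        "client_id": web_app_id,            # {web-app-id}, section 1.1
        "client_secret": web_app_secret,    # client secret from section 1.3
        "assertion": user_access_token,     # the user's access token from stage 1
        "scope": f"{audience}/session:role-any",
        "requested_token_use": "on_behalf_of",
    }
    return url, urlencode(form)

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."

def check_snowflake_claims(token, tenant_id, audience_list):
    """Apply the claim checks the integration in 6.1 configures: v1 issuer,
    aud in EXTERNAL_OAUTH_AUDIENCE_LIST, session:role-any in scp, and an email
    claim to map to LOGIN_NAME. Returns (email, list of problems found)."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    problems = []
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append("iss does not match EXTERNAL_OAUTH_ISSUER")
    if claims.get("aud") not in audience_list:
        problems.append("aud not in EXTERNAL_OAUTH_AUDIENCE_LIST")
    if "session:role-any" not in claims.get("scp", "").split():
        problems.append("session:role-any scope missing")
    if not claims.get("email"):
        problems.append("email claim missing, no LOGIN_NAME mapping possible")
    return claims.get("email"), problems
```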

6.2 Test the Integration

  1. In the Astrato Identity Federation created in section 5.1, click Generate to create a token

  2. In Snowflake, run the following SQL with the generated token:

    select SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<token>');
