Use Snowflake SSO for Role-Based Access Control

Last modified: July 25, 2024

1 Introduction

You can use Snowflake’s SSO capabilities to enable your Mendix app to use role-based access control (RBAC) automatically.

The following diagram is a visual representation of how Snowflake SSO can be used with a Mendix application with the help of an external OAuth provider.

You can integrate Snowflake and Mendix applications by using OAuth providers such as Azure Entra ID, Amazon Cognito, Okta, and others. The following sections describe an example of how you can use Azure Entra ID to enable automatic role-based access control (RBAC) in a Mendix application. In the context of integration between Snowflake and Mendix, RBAC means that Snowflake authorizes each query under the role of the end user who signed in to the Mendix app, so the data presented to a user in the Mendix app is the same data that user (or role) is entitled to see within Snowflake.

1.1 Prerequisites

To enable SSO-based RBAC for your Mendix app, you must first install and configure the OIDC SSO module.

2 Configuring Azure Entra ID

Firstly, create a resource application in Azure Entra ID. The resource application must contain the application ID URI and the scope.

  1. Add a new user in Azure Entra ID. For more information, see How to create, invite, and delete users in Microsoft Entra documentation.

  2. Create an enterprise application. For more information, see Configure Microsoft Azure AD for External OAuth in Snowflake documentation.

  3. In Azure Entra ID, create a new resource application by clicking App registration > New registration.

  4. Enter a descriptive name for the app, for example, Snowflake OAUTH Resource.

  5. Select the single-tenant option (Accounts in this organizational directory only), and then click Register.

  6. Click Add an Application ID URI, and then click Add.

  7. On the Expose an API page, in the Scopes defined by this API section, click Add a scope.

  8. In the Scope name field, enter session:scope:AnyRole. A token carrying this scope lets the Snowflake session use any role granted to the mapped Snowflake user, so it is the user's role grants and default role in Snowflake, not the scope, that limit what the user can access.

  9. Fill out the other mandatory fields, and then click Add scope.

3 Creating a Client Application

After creating the resource application, create a client application. The client application must give API permissions to the resource app.

  1. Create a new application by following steps 3-5 from the previous section.

  2. In the API Permissions page, add a new permission.

  3. In the APIs my organization uses tab, select the resource app that you created in the previous section.

  4. Select Delegated permissions, select the session:scope:AnyRole scope that you exposed on the resource app, and then click Add permission.

  5. Click Grant admin consent.

  6. In the left navigation menu, click Certificates & secrets.

  7. Add a new client secret.

    Make sure that you copy the value of the secret and store it safely (for example, in the secret store your deployment uses, never in the app model or source control). The value is only shown once, immediately after you create the secret; set an expiry and plan to rotate it.

  8. Register the callback URI for your Mendix app by performing the following steps:

    1. In the left navigation menu, click Authentication.
    2. Click Add platform > Web.
    3. In the Redirect URI and Logout URL fields, enter https://<your application URI>/auth/v2/callback. Use the exact HTTPS URL of your deployed app: Entra ID matches redirect URIs exactly, so a different host, port, or trailing path is rejected.
    4. Select Access tokens and ID tokens as the tokens that you would like to issue.
    5. Select Accounts in this organization directory only to give access only for the account of the organization.
  9. Add the user to the app by performing the following steps:

    1. In the left navigation menu, click Enterprise applications.

    2. Select your client app, and then click Assign users and groups.

    3. Click Add user/group.

    4. Add the user that you previously created.

4 Configuring Snowflake Security Integration

To configure Snowflake SSO for your app, perform the following steps:

  1. Log in to Snowflake with Account Administrator privileges.

  2. Create a Snowflake user whose LOGIN_NAME is the same as the user principal name (UPN) of the user in Azure. The security integration maps the upn claim of the access token to LOGIN_NAME, so the Snowflake user does not need the Azure password (SSO logins do not use a Snowflake password at all). If the user already exists, set the login name with the following command:

    alter user <current user name> set login_name = '<User name as used in Azure>';

  3. Use the following code to create the security integration. Replace TenantID with your Entra tenant ID and 'Application ID URI' with the URI you set on the resource app (the aud claim of the access token must match it exactly); TestUser1 and ROLETESTA are example names.

    create security integration external_oauth_azure
        type = external_oauth
        enabled = true
        external_oauth_type = azure
        -- issuer and signing keys of your tenant; Snowflake validates the token signature against this JWKS
        external_oauth_issuer = 'https://sts.windows.net/TenantID/'
        external_oauth_jws_keys_url = 'https://login.microsoftonline.com/TenantID/discovery/v2.0/keys'
        -- must contain the aud claim of the access token
        external_oauth_audience_list = ('Application ID URI')
        -- the upn claim of the token is matched against the Snowflake user's login_name
        external_oauth_token_user_mapping_claim = 'upn'
        external_oauth_snowflake_user_mapping_attribute = 'login_name';
    -- review the resulting configuration
    desc security integration external_oauth_azure;
    -- the default role becomes the primary role of the user's SSO sessions
    ALTER USER TestUser1 SET DEFAULT_ROLE = ROLETESTA;
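As an added example for this page (not Mendix or Snowflake code), the following Python script replays, offline, the checks that the security integration above applies to an Azure access token: issuer, audience, the session:scope:AnyRole scope exposed in section 2, expiry, and the mapping of the upn claim to a Snowflake LOGIN_NAME. It does not verify the signature (Snowflake does that against EXTERNAL_OAUTH_JWS_KEYS_URL); it builds unsigned test tokens so you can see why a token does or does not map to a user. The tenant ID, Application ID URI, user names and tokens are constructed placeholders.

```python
"""Offline replay of the claim checks the Snowflake security integration
performs on an Azure access token.  Added example, not Mendix or Snowflake
code.  No signature verification: Snowflake does that against the JWKS URL.
The tenant ID, Application ID URI, users and tokens below are constructed."""
import base64
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder
APP_ID_URI = f"api://{TENANT_ID}"                       # placeholder

# Mirrors the CREATE SECURITY INTEGRATION statement on the page.
INTEGRATION = {
    "external_oauth_issuer": f"https://sts.windows.net/{TENANT_ID}/",
    "external_oauth_audience_list": [APP_ID_URI],
    "external_oauth_token_user_mapping_claim": "upn",
    "external_oauth_snowflake_user_mapping_attribute": "login_name",
}
REQUIRED_SCOPE = "session:scope:AnyRole"   # scope exposed on the resource app

# Constructed stand-in for the Snowflake users: user name -> LOGIN_NAME.
SNOWFLAKE_USERS = {"TESTUSER1": "testuser1@example.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT with an empty signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_token_to_user(token: str, now: float = None):
    """Return (user_name, []) if the token maps to a Snowflake user, otherwise
    (None, [reasons]) listing every check that failed."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != INTEGRATION["external_oauth_issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} is not the configured issuer")

    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in INTEGRATION["external_oauth_audience_list"] for a in auds):
        problems.append(f"audience {aud!r} is not in EXTERNAL_OAUTH_AUDIENCE_LIST")

    # Azure puts delegated scopes in the space-separated 'scp' claim.
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        problems.append(f"scope {claims.get('scp')!r} lacks {REQUIRED_SCOPE}")

    if claims.get("exp", 0) <= now:
        problems.append("token has expired")

    mapping_claim = INTEGRATION["external_oauth_token_user_mapping_claim"]
    subject = claims.get(mapping_claim)
    if subject is None:
        problems.append(f"token has no {mapping_claim!r} claim")

    # Snowflake login names are case-insensitive, so compare lower-cased.
    matches = [name for name, login in SNOWFLAKE_USERS.items()
               if subject is not None and login.lower() == subject.lower()]
    if subject is not None and not matches:
        problems.append(f"no Snowflake user has LOGIN_NAME {subject!r}")

    return (matches[0], []) if not problems else (None, problems)


if __name__ == "__main__":
    issued = time.time()
    good = make_unsigned_token({"iss": INTEGRATION["external_oauth_issuer"],
                                "aud": APP_ID_URI, "scp": REQUIRED_SCOPE,
                                "upn": "TestUser1@example.com",
                                "exp": issued + 3600})
    print(map_token_to_user(good))          # ('TESTUSER1', [])
    # Token minted for the client app itself and without a upn claim.
    bad = make_unsigned_token({"iss": INTEGRATION["external_oauth_issuer"],
                               "aud": "client-application-id",
                               "scp": REQUIRED_SCOPE, "exp": issued + 3600})
    print(map_token_to_user(bad))           # (None, [audience and upn reasons])
```

To debug a real login, paste the access token the Mendix app obtained into decode_claims and map_token_to_user instead of the constructed one. Two caveats the checks make visible: the Mendix side imports the v2.0 discovery document, but the version of the access token is decided by the resource app's requested access token version in its manifest, and with the default (v1) the issuer is sts.windows.net and the token carries upn, which is what the integration expects; a v2.0 access token has a different issuer and carries preferred_username instead of upn unless upn is added as an optional claim, so both the issuer and the mapping checks fail.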

5 Configuring Your Mendix App

To configure your Mendix application, perform the following steps:

  1. Ensure that you have installed and configured the OIDC SSO module.

  2. Log in to your Mendix app as administrator.

  3. To add a new OpenID provider for Azure, access the OpenID setup page, add a new client configuration, and give it an Alias so you can identify it if you have more than one client configuration.

  4. Add the Client ID. You can find it in Azure as the Application (client) ID of the client application.

  5. Select client_secret_basic as the Client authentication method and add the secret value you copied when creating the client secret.

  6. Enter https://login.microsoftonline.com/<yourTenantID>/v2.0/.well-known/openid-configuration as the Automatic Configuration URL.

  7. Click Import configuration.

  8. Save the configuration.

  9. For the scope, select openid, profile, email, offline_access, and the session:scope:AnyRole scope that you defined in Azure Entra ID.

  10. For UserParsing, select the default method.

  11. Configure the UserProvisioning tab as shown in the following figure:

  12. Run the application and log in with the user that you use in Snowflake and Azure.