PingOne Advanced Identity Cloud

Snowflake

Snowflake is a cloud-native data platform that allows organizations to unify data warehousing, data lakes, and data engineering into a single service while independently scaling compute and storage across major public clouds.

The Advanced Identity Cloud Snowflake application allows you to manage users, grant and revoke roles and database roles, and synchronize data between Advanced Identity Cloud and the Snowflake platform.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click grid_view Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

Snowflake requirements

To configure the application, you need a Snowflake account with the SYSADMIN role. Complete the following steps to gather the required values, then use them to Configure provisioning.

To modify the settings for an existing provisioning connection, in the Advanced Identity Cloud admin console, click the Provisioning tab, and then click Settings.

  1. Generate an unencrypted RSA key pair using OpenSSL:

    1. Generate a private key:

      openssl genrsa -out rsa_key.pem 2048

    2. Extract the public key:

      openssl rsa -in rsa_key.pem -pubout -out rsa_key.pub

  2. In your Snowflake cloud platform:

    1. Set SYSADMIN as the default role:

      ALTER USER YOUR_USERNAME SET DEFAULT_ROLE = 'SYSADMIN';

    2. Set the public key for the user:

      ALTER USER YOUR_USERNAME SET RSA_PUBLIC_KEY='-----BEGIN PUBLIC
KEY-----YOUR_PUBLIC_KEY-----END PUBLIC_KEY----';

    3. Run the following query to construct the account locator. An example value for an account locator is MLTBITH-UI23983:

      SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();

    4. Define the claims:

      1. Query the user and make a note of the RSA_PUBLIC_KEY_FP field in the result:

        DESCRIBE USER YOUR_USERNAME;

      2. Construct the claims using the account locator and RSA_PUBLIC_KEY_FP:

        • Issuer: account_locator.username.RSA_PUBLIC_KEY_FP

        • Subject: account_locator.username

    5. Construct the Snowflake service endpoint URI:

      Snowflake URI example
      https://ACCOUNT_LOCATOR.snowflakecomputing.com/api/v2

Configure provisioning

  1. In the Advanced Identity Cloud admin console, configure the following fields:

    Field Description

    Service URI

    The service endpoint URI.

    Role

    The role for performing queries.

    Private Key

    The private key generated during the configuration Snowflake requirements.

    JWT Claims

    The claims to include in the payload to sign and get the access token. This object must contain the following keys:

    • iss: The issuer of the JWT, constructed from the account locator, username, and RSA_PUBLIC_KEY_FP.

      Example issuer
      acmecorp-prod_data_01.SVC_PING_PROVISIONING.SHA256:abc123def456ghi789jkl012mno345pqr815stu901v

    • sub: The subject of the JWT, constructed from the account locator and username.

      Example subject
      acmecorp-prod_data_01.SVC_PING_PROVISIONING

    Learn more about how to obtain these values in Snowflake requirements.

    Warehouse

    The warehouse name that provides computing resources.

    Excluded Databases

    A list of databases to exclude from operations.

    JWT Expiration time

    The access token expiration time in seconds.

  2. (Optional) Click Show advanced settings to set any of the following options:

    Application specific settings
    Field Description

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.
    Pool configuration
    Field Description

    Max idle and active container instances

    The maximum number of idle and active container instances. The default value is 10.

    Max Idle Connector Instances

    The maximum number of idle connector instances. The default value is 10.

    Set Timeout Period

    Select to enable a timeout period for the connection. After enabling, configure the following:

    • Timeout period (ms): The timeout period in milliseconds.

    Set Minimum Idle Time

    Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:

    • Min idle time (ms): The minimum idle time in milliseconds.

    Min Idle Instances

    The minimum number of idle connector instances.
    Result Handler configuration
    Field Description

    Enable for connectors with the attribute normalizer interface

    Enables the attribute normalizer interface for supported connectors.

    Enable local filtering/search features

    Enables local filtering and search capabilities.

    Enable case insensitive filter

    Configures filters to ignore case sensitivity.

    Enable configuration of search attributes; disable for local connectors

    Enables search attribute configuration. Disable this option for local connectors.

    1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.

      Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.

    2. In the Operation Rate Limits area, select the operations to enforce rate limits on.

      You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.

      For each selected operation, configure the following fields:

      Field Description

      Request Limit

      Requests allowed over time.

      Request Period

      Limit resets after this time (ms).

      Request Timeout

      Time before exception thrown (ms).

  3. Click Connect.

  4. Verify the information in the Details tab.

Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Sub-tabs under the Provisioning tab
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

Select the specific application from Provision settings for an application.

Properties

View and manage properties for the selected object type.

Manage application attributes

Data

View data about the selected object type.

View user access data

Mapping

View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties.

Manage mappings

Reconciliation

Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Reconcile and synchronize end-user accounts

Privacy & Consent

Manage end-user data sharing and synchronization.

Configure end-user data sharing

Rules

View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.

Manage provisioning rules

Advanced Sync

Create and manage mappings between a managed object type and an application or between applications.

Manage advanced sync

Next steps