Connect your Snowflake data to Data Cloud and leverage Salesforce IDP for secure and seamless connections
In today’s data-driven world, seamless and secure integration between platforms isn’t just a technical requirement — it’s a business imperative. Thanks to our partnership with Snowflake, we’re happy to announce that companies can now connect their Snowflake instance to Salesforce Data Cloud without providing a username and password to establish the connection. Customers can now leverage Salesforce IDP as an identity provider* for secure and seamless connections with their data warehouse. This enhancement simplifies connection setup, eliminates security risks associated with static credentials, and enables organizations to focus on what matters most — extracting insights and driving value from their data.
In this blog, we’ll review the benefits of using Salesforce as an identity provider and walk through the steps to set up Salesforce IDP in Data Cloud, connect to Snowflake, and set up access permissions.
*An identity provider (IDP) is a system that authenticates users’ identities and authorizes their access to various applications and services by managing and verifying digital credentials.
About Snowflake
Snowflake is designed for high performance and scalability, supporting structured, semi-structured, and unstructured data. It offers a fully managed, multi-cloud platform with features like data sharing, real-time analytics, and automatic scaling. Its architecture separates compute and storage for cost efficiency and flexibility.
Connecting Data Cloud to Snowflake using static credentials
Traditionally, connecting Data Cloud to external systems like Snowflake required a manual process involving static credentials like usernames and private keys. This method created several challenges:
- Security risks: Static credentials are inherently vulnerable because they remain valid for days and weeks, posing a risk of unauthorized access
- Operational complexity: Setting up connections required collaboration between Data Cloud and Snowflake administrators, often leading to delays
- Overhead: Enterprises typically have a policy requiring credential updates every 60 or 90 days, leading to unnecessary operational overhead in updating credentials across all relevant connections
Connecting Data Cloud to Snowflake using Salesforce IDP
The introduction of Salesforce IDP-based authentication addresses some of the most pressing challenges faced by organizations when connecting Salesforce Data Cloud with external Snowflake systems.
- Enhanced security: Static credentials, such as usernames and private keys, have been a longstanding security concern. With IDP-based authentication, customers no longer need to store static credentials and update them whenever they change. Short-lived scoped tokens will ensure just-in-time access, reducing the risk of any phishing attacks.
- Streamlined collaboration: Setting up secure connections previously required significant manual coordination between Data Cloud and Snowflake administrators. This feature simplifies the workflow: Data Cloud admins can create new connections using a Workload Identity type user configured by the Snowflake admin, leveraging Salesforce IDP as a trusted identity provider, in a way that aligns with their security frameworks.
- Aligned with compliance and best practices: Organizations, especially those operating in regulated industries like financial services or healthcare, prioritize secure data access. By using IDP-based authentication, they can adhere to industry standards for identity and access management. It also reduces the risk of non-compliance, ensuring secure data operations at every step.
How to set up IDP authentication and Snowflake connection in Data Cloud
Let’s now take a look at the step-by-step process for setting up the Snowflake connector in Data Cloud using a secure connection leveraging Salesforce IDP.
Part 1: To set up the connection with Snowflake, follow these steps in Data Cloud:
- In Data Cloud, go to Data Cloud Setup.
- Select Snowflake under External Integrations on the left-hand side panel.
- Click New.

- Select Snowflake and click Next.

- Enter a connection name, and a connection API name of your choice.
- On this page, you’ll see a toggle labeled: Use Salesforce IDP Auth. This document focuses on the flow using this toggle.

- Choose the toggle (Use Salesforce IDP Auth) and you’ll notice a unique External ID (auto-generated) and a Username field. Note that there are no credentials involved here.
- External ID is a unique ID (also known as a connection ID), and it will be used to create a trust relationship with Snowflake.

- Username is a Snowflake database user that is linked to the Salesforce Data Cloud org (using the domain name).
- Copy this External ID and use it as the subject in the Workload_Identity section of the OIDC user on the Snowflake console (refer to Part 2).
Part 2: Defining the Snowflake OIDC user on Snowflake console
- Create an OIDC user using the following command. Please refer to the picture below.

- Define the issuer as the URL of the Salesforce Org in this format:
  'https://yourcompany.my.salesforce.com/services/connectors'
- Define the audience as the URL of the Salesforce Org in this format:
  'https://yourcompany.my.salesforce.com'
- Add Subject in the following format:
  'app:<external_ID>'
- Create this user.
- Once this user is created, grant permissions so that this user can access the required schema tables:
  grant usage on database <database_name> to role SYSADMIN;
  grant role SYSADMIN to user <sf_oidc_user>;
- Copy the username and go back to the Salesforce connector screen.
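The Part 2 steps as a single Snowflake script, added here as an example (it is not the command from the original post's screenshot and not Salesforce's or Snowflake's own code). It uses Snowflake's workload identity `CREATE USER` syntax with the issuer, audience and subject values described above, and, as a narrower alternative to granting SYSADMIN, a dedicated read-only role. The role name `DATACLOUD_READER`, the `<schema_name>` and `<warehouse_name>` placeholders, and the assumption that the connection only needs to read tables are all assumptions of this example.

```sql
-- Added example: role name and read-only scope are assumptions, not from the post.
-- Replace every <placeholder> before running.

-- 1. Dedicated role limited to what the connection reads
--    (assumption: read access to one schema is sufficient).
CREATE ROLE IF NOT EXISTS DATACLOUD_READER;
GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE DATACLOUD_READER;
GRANT USAGE ON DATABASE <database_name> TO ROLE DATACLOUD_READER;
GRANT USAGE ON SCHEMA <database_name>.<schema_name> TO ROLE DATACLOUD_READER;
GRANT SELECT ON ALL TABLES IN SCHEMA <database_name>.<schema_name>
  TO ROLE DATACLOUD_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <database_name>.<schema_name>
  TO ROLE DATACLOUD_READER;

-- 2. Service user that authenticates only with an OIDC token whose
--    iss / sub / aud claims match the values below. No password or key is set.
CREATE USER <sf_oidc_user>
  TYPE = SERVICE
  WORKLOAD_IDENTITY = (
    TYPE = OIDC
    ISSUER = 'https://yourcompany.my.salesforce.com/services/connectors'
    SUBJECT = 'app:<external_ID>'   -- External ID copied from Data Cloud (Part 1)
    OIDC_AUDIENCE_LIST = ('https://yourcompany.my.salesforce.com')
  )
  DEFAULT_ROLE = DATACLOUD_READER
  DEFAULT_WAREHOUSE = <warehouse_name>;

GRANT ROLE DATACLOUD_READER TO USER <sf_oidc_user>;

-- 3. Review what was created before returning to the Data Cloud screen.
DESCRIBE USER <sf_oidc_user>;
SHOW GRANTS TO USER <sf_oidc_user>;
SHOW GRANTS TO ROLE DATACLOUD_READER;
```

The subject ties the Snowflake user to exactly one Data Cloud connection, so a second connection with a different External ID needs its own user or an updated subject.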
Part 3: Configuring the Snowflake connector in Data Cloud
- Once you have added the username (created in the earlier step) and the account URL of the Snowflake account, hit “Next”.

- Select the warehouse name in the next step and click “Save”. Finish configuring the connection name.

- The connector is successfully created and you can use it to configure data streams.

Improvements on the roadmap
At Salesforce, we believe in empowering organizations to unlock the full potential of their data ecosystems. If your business uses Snowflake and Salesforce Data Cloud, this feature is designed with you in mind. Looking ahead, we’re committed to further enhancing this experience with more features to make this process seamless. Learn more about this feature or reach out to your Salesforce representative for guidance on getting started. Together, let’s build secure, scalable, and impactful data-driven solutions.