
[Bug]: Default saml2 urls fail to redirect because they are malformed with underscores in snowflake_saml_integration

Open kcd83 opened this issue 8 months ago • 2 comments

Terraform CLI Version

1.7.0

Terraform Provider Version

0.90

Terraform Configuration

# The defaults for saml2_snowflake_acs_url and saml2_snowflake_issuer_url are no good
# workaround is:

locals {
  # Okta settings live in AWS Secrets Manager; the data source is declared elsewhere
  okta_config                = jsondecode(data.aws_secretsmanager_secret_version.snowflake_saml_integration.secret_string)["myaccount"]
  # workaround: the account URL comes back as https://myorg_myaccount...; Snowflake's
  # SP endpoints use the hyphenated, lower-case form
  snowflake_url_standardised = lower(replace(data.snowflake_current_account.current.url, "_", "-"))
}

resource "snowflake_saml_integration" "okta" {
  name = "OKTA"

  saml2_provider = "OKTA"
  saml2_issuer   = local.okta_config["saml2_issuer"]
  saml2_sso_url  = local.okta_config["saml2_sso_url"]

  saml2_x509_cert = local.okta_config["saml2_x509_cert"]

  saml2_enable_sp_initiated           = true
  saml2_sp_initiated_login_page_label = "Okta SSO"

  # override the provider defaults with the standardised URLs
  saml2_snowflake_acs_url    = "${local.snowflake_url_standardised}/fed/login"
  saml2_snowflake_issuer_url = local.snowflake_url_standardised

  enabled = true

  # aliased provider configuration (declared elsewhere)
  provider = snowflake.accountadmin
}

Category

category:resource

Object type(s)

No response

Expected Behavior

SSO sign-in works and redirects as expected regardless of where the login flow starts. For this we need no _ in the URLs, as follows:

SAML2_SNOWFLAKE_ACS_URL  = https://myorg-myaccount.snowflakecomputing.com/fed/login  

SAML2_SNOWFLAKE_ISSUER_URL  = https://myorg-myaccount.snowflakecomputing.com/

Actual Behavior

Refreshing from Snowsight or DBT Cloud fails. The redirect stops, throwing a JavaScript error visible in the developer console. (Note: starting from Okta always works.)

The root cause of this is _ in the URL, as follows:

SAML2_SNOWFLAKE_ACS_URL  = https://myorg_myaccount.snowflakecomputing.com/fed/login 

SAML2_SNOWFLAKE_ISSUER_URL  = https://myorg_myaccount.snowflakecomputing.com/

Steps to Reproduce

  1. Use snowflake_saml_integration
  2. Do not set saml2_snowflake_acs_url or saml2_snowflake_issuer_url (rely on defaults)
  3. Open Snowsight directly
  4. Initiate the re-auth SSO flow
  5. The redirect does not return to Snowflake; you get a blank screen and a JavaScript error

This is more severe for DBT Cloud, which fails to establish an SSO connection for a user.

How much impact is this issue causing?

Low

Logs

No response

Additional Information

Snowflake support suggested the root cause is that the SNOWFLAKE_DEPLOYMENT URL from the system$allowlist() output has _.

Would you like to implement a fix?

  • [ ] Yeah, I'll take it 😎

kcd83, Jun 05 '24 23:06
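As an added example (not the provider's code and not the reporter's), a small Python audit that derives the hyphenated ACS and issuer URLs from an account URL the same way the Terraform workaround above does, and then flags an integration whose described URLs still carry the underscore. The account URL is an assumed stand-in for data.snowflake_current_account.current.url, and the DESCRIBE-shaped rows are a constructed sample, not real output.

```python
"""Audit Snowflake SAML2 SP URLs for the underscore problem described above.

Added example; not the provider's or the issue author's code. Assumptions:
- ACCOUNT_URL stands in for data.snowflake_current_account.current.url
  (scheme + host, no path);
- DESCRIBE_ROWS is a constructed sample shaped like the property /
  property_value rows of DESCRIBE SECURITY INTEGRATION <name>.
"""
from urllib.parse import urlsplit, urlunsplit

ACCOUNT_URL = "https://MYORG_MYACCOUNT.snowflakecomputing.com"  # assumed account URL

# Constructed sample: what the provider's defaults produce (underscore kept).
DESCRIBE_ROWS = [
    {"property": "SAML2_PROVIDER", "property_value": "OKTA"},
    {"property": "SAML2_SNOWFLAKE_ACS_URL",
     "property_value": "https://myorg_myaccount.snowflakecomputing.com/fed/login"},
    {"property": "SAML2_SNOWFLAKE_ISSUER_URL",
     "property_value": "https://myorg_myaccount.snowflakecomputing.com/"},
]


def expected_saml_urls(account_url: str) -> dict:
    """Derive the ACS and issuer URLs the issue says Snowflake expects.

    Mirrors the Terraform workaround lower(replace(url, "_", "-")), but only
    rewrites the host: an underscore anywhere else would be a different bug.
    """
    parts = urlsplit(account_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https account URL, got {account_url!r}")
    host = parts.netloc.lower().replace("_", "-")
    base = urlunsplit(("https", host, "", "", ""))  # drop any path/query
    return {
        "SAML2_SNOWFLAKE_ACS_URL": f"{base}/fed/login",
        "SAML2_SNOWFLAKE_ISSUER_URL": f"{base}/",
    }


def audit_saml_integration(describe_rows, account_url: str) -> list:
    """Compare described integration properties with the expected URLs.

    Returns (property, actual, expected, reason) tuples; an empty list means
    the integration is consistent with the account URL.
    """
    actual = {r["property"]: r["property_value"] for r in describe_rows}
    findings = []
    for prop, want in expected_saml_urls(account_url).items():
        got = actual.get(prop)
        if got is None:
            findings.append((prop, got, want, "property missing"))
        elif "_" in urlsplit(got).netloc:
            findings.append((prop, got, want, "underscore in host"))
        elif got != want:
            findings.append((prop, got, want, "mismatch"))
    return findings


if __name__ == "__main__":
    for prop, got, want, why in audit_saml_integration(DESCRIBE_ROWS, ACCOUNT_URL):
        print(f"{prop}: {why}\n  actual:   {got}\n  expected: {want}")
```

Run it against the rows a real DESCRIBE SECURITY INTEGRATION returns (after a Terraform apply) to confirm the override took effect; the "underscore in host" reason is the signature of the default-URL bug, while "mismatch" catches a hand-edited URL that points at the wrong account.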