MetricSign
High severity · access control · Snowflake

Snowflake Error: 390133

What does this error mean?

Snowflake rejected the SAML assertion from the identity provider during federated SSO authentication: the assertion was malformed, expired, signed with a certificate that no longer matches what is configured in the Snowflake security integration, or contained attributes that do not match the configured Snowflake security integration.

Common causes

  • The SAML certificate used by the IdP has expired and needs to be renewed in Snowflake's security integration
  • The SAML NameID format does not match the login_name or email attribute expected by Snowflake
  • The SP Entity ID or ACS URL in the IdP is misconfigured and does not match Snowflake's expected values
  • Clock skew between the IdP server and Snowflake's servers exceeds the acceptable SAML assertion window
  • The user's IdP account attribute (email/UPN) does not match any Snowflake login_name

How to fix it

  1. Check the IdP's SAML certificate expiry date and rotate it in Snowflake: ALTER SECURITY INTEGRATION ... SET SAML2_X509_CERT = '...'.
  2. Compare the SP Entity ID and ACS URL in the IdP configuration against Snowflake's expected values from SELECT SYSTEM$GET_LOGIN_FAILURE_DETAILS(...).
  3. Use SYSTEM$GET_LOGIN_FAILURE_DETAILS to decode the specific SAML failure reason.
  4. Synchronize clocks on the IdP server: SAML assertions expire within minutes and clock drift will cause 390133.
  5. Verify that the Snowflake user's LOGIN_NAME matches the NameID attribute sent by the IdP.
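
The comparisons in steps 2, 4 and 5 can be run offline against a decoded assertion captured from a failed login. The following Python is an added example, not code from this page or from Snowflake; the sample assertion, hostnames, function names and the skew parameter are constructed for illustration, and the case-insensitive NameID comparison is an assumption.

```python
# Added example: pre-flight checks on a decoded SAML assertion. Diagnostic only:
# it does not verify the XML signature and must never be used to accept a login.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; every name, URL and timestamp is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
          Recipient="https://myorg-myacct.snowflakecomputing.com/fed/login"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://myorg-myacct.snowflakecomputing.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, entity_id, acs_url, login_name, skew_s=0):
    """Return a list of mismatches that line up with the common causes above."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=skew_s)  # tolerated drift; 0 shows the raw window
    problems = []
    if now + skew < _ts(cond.get("NotBefore")):
        problems.append("not yet valid (clock behind IdP)")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("expired (clock ahead of IdP or slow delivery)")
    if root.findtext(".//saml:Audience", namespaces=NS) != entity_id:
        problems.append("Audience does not match SP Entity ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match ACS URL")
    name_id = root.findtext(".//saml:NameID", namespaces=NS).strip()
    # Assumption: LOGIN_NAME is compared without regard to case.
    if name_id.lower() != login_name.lower():
        problems.append("NameID does not match LOGIN_NAME")
    return problems
```

Pass the receiving side's current UTC time as `now`; an empty list means none of these configuration mismatches is present, which leaves the certificate (step 1) as the next thing to check.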

Frequently asked questions

How do I decode a 390133 error to find the specific SAML problem?

Run SELECT SYSTEM$GET_LOGIN_FAILURE_DETAILS(LAST_QUERY_ID()); immediately after a failed login attempt. It returns a JSON object with the exact SAML validation failure reason.

Can individual users bypass SSO while it is being fixed?

Yes, if the Snowflake user has BYPASS_MFA_TEMPORARILY or a password set and the account allows password logins. An admin can temporarily set USE_CACHED_RESULT = FALSE and allow password auth while SSO is repaired.

Source · docs.snowflake.com/en/error-codes/error-390133
