CREATE SECURITY INTEGRATION (SCIM)¶

Syntax¶

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
    <name>
    TYPE = SCIM
    ENABLED = { TRUE | FALSE }
    SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }
    RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' }
    [ NETWORK_POLICY = '<network_policy>' ]
    [ SYNC_PASSWORD = { TRUE | FALSE } ]
    [ COMMENT = '<string_literal>' ]

Required parameters¶

name

String that specifies the identifier (i.e. name) for the integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier requirements.

TYPE = SCIM

Specify the type of integration:

• SCIM: Creates a security interface between Snowflake and a client that supports SCIM.

ENABLED = { TRUE | FALSE }

Specify whether the security integration is enabled. To create a security integration that is disabled, set ENABLED = FALSE.

Default: TRUE

SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }

Specify the SCIM client.

RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' }

Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.

The values OKTA_PROVISIONER, AAD_PROVISIONER, and GENERIC_SCIM_PROVISIONER are case-sensitive and must always be capitalized.

Optional parameters¶

NETWORK_POLICY = 'network_policy'

Specifies an existing network policy that controls SCIM network traffic.

If there are also network policies set for the account or user, see Network policy precedence.

SYNC_PASSWORD = { TRUE | FALSE }

Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake.

• TRUE enables password synchronization.

• FALSE disables password synchronization.

Default TRUE. If a security integration is created without setting this parameter, Snowflake sets this parameter to TRUE.

If user passwords should not be synchronized from the client to Snowflake, ensure this property value is set to FALSE and disable password synchronization in the client.

Note that this property is supported for Okta and Custom SCIM integrations. Microsoft Entra ID SCIM integrations are not supported because Microsoft Entra ID does not support password synchronization. To request support, please contact Microsoft.

For details, see Snowflake SCIM support.

COMMENT = 'string_literal'

Specifies a comment for the integration.

Default: No value

Access control requirements¶

A role used to execute this SQL command must have the following privileges at a minimum:

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

• Regarding metadata:

  Attention

  Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

• CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples¶

CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
    TYPE = scim
    SCIM_CLIENT = 'AZURE'
    RUN_AS_ROLE = 'AAD_PROVISIONER';

DESC SECURITY INTEGRATION aad_provisioning;

CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
    TYPE = scim
    SCIM_CLIENT = 'OKTA'
    RUN_AS_ROLE = 'OKTA_PROVISIONER';