Categories:

User & Security DDL (Third-Party Service Integrations)

CREATE SECURITY INTEGRATION (SCIM)

Creates a new SCIM security integration in the account or replaces an existing integration. A SCIM security integration allows the automated management of user identities and groups (i.e. roles) by creating an interface between Snowflake and a third-party Identity Provider (IdP).

For information about creating other types of security integrations (e.g. SAML2), see CREATE SECURITY INTEGRATION.

See also:

ALTER SECURITY INTEGRATION (SCIM) , DROP INTEGRATION , SHOW INTEGRATIONS

In this Topic:

Syntax

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
    <name>
    TYPE = SCIM
    SCIM_CLIENT = 'OKTA' | 'AZURE' | 'GENERIC'
    RUN_AS_ROLE = 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER'
    [ NETWORK_POLICY = '<network_policy>' ]
    [ SYNC_PASSWORD = TRUE | FALSE ]
    [ COMMENT = '<string_literal>' ]

Required Parameters

name

String that specifies the identifier (i.e. name) for the integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier Requirements.

TYPE = SCIM

Specify the type of integration:

  • SCIM: Creates a security interface between Snowflake and a client that supports SCIM.

SCIM_CLIENT = 'OKTA' | 'AZURE' | 'GENERIC'

Specify the SCIM client.

RUN_AS_ROLE = 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER'

Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.

  • The values OKTA_PROVISIONER, AAD_PROVISIONER, and GENERIC_SCIM_PROVISIONER are case-sensitive and must always be capitalized.

Optional Parameters

NETWORK_POLICY = 'network_policy'

Specifies an existing network policy active for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account (if any) is used instead.

SYNC_PASSWORD = TRUE | FALSE

Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake.

  • TRUE enables password synchronization.

  • FALSE disables password synchronization.

Default TRUE. If a security integration is created without setting this parameter, Snowflake sets this parameter to TRUE.

If user passwords should not be synchronized from the client to Snowflake, ensure this property value is set to FALSE and disable password synchronization in the client.

Note that this property is supported for Okta and Custom SCIM integrations. Azure SCIM integrations are not supported because Microsoft Azure does not support password synchronization. To request support, please contact Microsoft Azure.

For details, see Managing Users & Groups with SCIM.

COMMENT

String (literal) that specifies a comment for the integration.

Default: No value

Access Control Requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

CREATE INTEGRATION

Account

Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Access Control in Snowflake.

Usage Notes

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.

Examples

Microsoft Azure AD Example

The following example creates a Microsoft Azure AD SCIM integration with the default settings:

create or replace security integration okta_provisioning
    type=scim
    scim_client='azure'
    run_as_role='AAD_PROVISIONER';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION aad_provisioning;

Okta Example

The following example creates an Okta SCIM integration with the default settings:

create or replace security integration okta_provisioning
    type=scim
    scim_client='okta'
    run_as_role='OKTA_PROVISIONER';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION okta_provisioning;
Back to top