Custom SCIM Integration with Snowflake

Custom SCIM integrations allow users to build their own applications to interface with their identity provider to provision, map, and manage users and roles to Snowflake.

Currently, Custom SCIM integrations are supported for identity providers that are neither Okta nor Microsoft Azure AD.

After creating your SCIM application, follow the procedure below to create a Snowflake Security Integration and generate a SCIM API authorization token. Save the authorization token and include it in the SCIM API request header as described in Making a SCIM API Request.

Prerequisites

Before provisioning users or groups, ensure that the network policy in Snowflake allows access from the IP ranges that correspond to your organization. For more information, see Managing SCIM Network Policies.

Limitations

  • If your Snowflake account was created with underscores in the account name (e.g. my_account), you can access your Snowflake account with the account name having underscores or hyphens (e.g. my-account). If your SCIM provider reuses the same account name for both SAML SSO and SCIM, then account names with underscores are not supported. Therefore, use the hyphenated account name to configure SCIM.

  • A custom SCIM integration may or may not allow the provisioning and management of nested groups. Before attempting to use a custom SCIM integration to provision nested groups in Snowflake, please contact your identity provider to determine whether nested groups can be used with a SCIM integration.

Create a Custom SCIM Security Integration and API Token

The Snowflake configuration process creates a SCIM security integration to allow users and roles created in the identity provider to be owned by the GENERIC_SCIM_PROVISIONER SCIM role in Snowflake and creates an access token to use in SCIM API requests. The access token is valid for six months. Upon expiration, create a new access token manually using SYSTEM$GENERATE_SCIM_ACCESS_TOKEN as shown below.

Execute the following SQL statements in your preferred Snowflake client.

use role accountadmin;
create or replace role generic_scim_provisioner;
grant create user on account to role generic_scim_provisioner;
grant create role on account to role generic_scim_provisioner;
grant role generic_scim_provisioner to role accountadmin;
create or replace security integration generic_scim_provisioning
    type=scim
    scim_client='generic'
    run_as_role='GENERIC_SCIM_PROVISIONER';
select system$generate_scim_access_token('GENERIC_SCIM_PROVISIONING');

Each of the following statements is explained below.

  1. Since creating a security integration requires the ACCOUNTADMIN role, verify that you are using the ACCOUNTADMIN role.

    use role accountadmin;
    
  2. Create the custom role GENERIC_SCIM_PROVISIONER. All users and roles in Snowflake created by the IdP will be owned by the scoped-down GENERIC_SCIM_PROVISIONER role.

    create or replace role generic_scim_provisioner;
    grant create user on account to role generic_scim_provisioner;
    grant create role on account to role generic_scim_provisioner;
    
  3. Let the ACCOUNTADMIN role create the security integration using the GENERIC_SCIM_PROVISIONER custom role. For more information, see CREATE SECURITY INTEGRATION.

    create or replace security integration generic_scim_provisioning
        type=scim
        scim_client='generic'
        run_as_role='GENERIC_SCIM_PROVISIONER';
    
  4. Generate the authorization token, save it, and store it securely for later use. Include this token in the request header of each SCIM REST API request. The access token expires after six months; generate a new access token with this statement.

    select system$generate_scim_access_token('GENERIC_SCIM_PROVISIONING');
    

Enabling Snowflake-initiated SSO

The SCIM provisioning process does not automatically enable single sign-on (SSO).

To use SSO after the SCIM provisioning process is complete, enable Snowflake-initiated SSO.

Managing SCIM Network Policies

The SCIM network policy has its own setting so that the SCIM provider can be specifically allowed to provision users and groups without adding these IP addresses for normal user access.

Setting up a network policy specific to the SCIM integration allows SCIM to be distinct from other network policies that may apply to the Snowflake account. The SCIM network policy does not affect other network policies on the account, nor do other account network policies affect the SCIM network policy. Therefore, the SCIM network policy allows the Snowflake SCIM integration to provision users and groups as intended.

After creating the SCIM security integration, create the SCIM network policy using this command:

alter security integration generic_scim_provisioning set network_policy = <scim_network_policy>;

To unset the SCIM network policy, use this command:

alter security integration generic_scim_provisioning unset network_policy;

Where:

generic_scim_provisioning

Specifies the name of the Custom SCIM security integration.

<scim_network_policy>

Specifies the Custom SCIM network policy in Snowflake.

For more information, see Network Policies and ALTER SECURITY INTEGRATION.
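As an added example (not from the Snowflake documentation page), the following statements create a network policy dedicated to the SCIM provider, bind it to the custom SCIM security integration created above, and verify the binding. The policy name and the IP range are constructed placeholders; substitute the egress ranges your identity provider publishes for its SCIM provisioning service.

```sql
-- Added example: dedicated SCIM network policy for the custom SCIM integration.
-- The policy name and IP range below are constructed placeholders.
use role accountadmin;

-- Allow only the IdP's provisioning egress range (constructed sample range).
-- Normal user logins are governed by the account-level policy, not this one.
create network policy scim_network_policy
    allowed_ip_list = ('203.0.113.0/24')
    comment = 'Restricts SCIM provisioning calls to the IdP egress range';

-- Attach the policy to the SCIM integration only; the account-level
-- network policy and any user-level policies are left unchanged.
alter security integration generic_scim_provisioning
    set network_policy = scim_network_policy;

-- Verify the binding: the NETWORK_POLICY property should show the policy name.
desc security integration generic_scim_provisioning;

-- Review the allowed ranges recorded on the policy before enabling provisioning.
desc network policy scim_network_policy;
```

If provisioning requests from the IdP are rejected after this change, compare the rejected source address against the policy's allowed list before widening the range.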