Attention
Mentions of Microsoft Azure Active Directory refer to Microsoft Entra ID.
Creates a new SCIM security integration in the account or replaces an existing integration. A SCIM security integration allows the automated management of user identities and groups (i.e. roles) by creating an interface between Snowflake and a third-party Identity Provider (IdP).
For information about creating other types of security integrations (e.g. SAML2), see CREATE SECURITY INTEGRATION.
Syntax¶CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
<name>
TYPE = SCIM
ENABLED = { TRUE | FALSE }
SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }
RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' }
[ NETWORK_POLICY = '<network_policy>' ]
[ SYNC_PASSWORD = { TRUE | FALSE } ]
[ COMMENT = '<string_literal>' ]
Copy
Required parameters¶name
String that specifies the identifier (i.e. name) for the integration; must be unique in your account.
In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.
For more details, see Identifier requirements.
TYPE = SCIM
Specify the type of integration:
SCIM: Creates a security interface between Snowflake and a client that supports SCIM.
ENABLED = { TRUE | FALSE }
Specify whether the security integration is enabled. To create a security integration that is disabled, set ENABLED = FALSE.
Default: TRUE
SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }
Specify the SCIM client.
RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' }
Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.
The values OKTA_PROVISIONER, AAD_PROVISIONER, and GENERIC_SCIM_PROVISIONER are case-sensitive and must always be capitalized.
NETWORK_POLICY = 'network_policy'
Specifies an existing network policy that controls SCIM network traffic.
If there are also network policies set for the account or user, see Network policy precedence.
SYNC_PASSWORD = { TRUE | FALSE }
Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake.
TRUE enables password synchronization.
FALSE disables password synchronization.
Default FALSE. If a security integration is created without setting this parameter, Snowflake sets this parameter to FALSE.
If user passwords should not be synchronized from the client to Snowflake, ensure this property value is set to FALSE and disable password synchronization in the client.
Note that this property is supported for Okta and Custom SCIM integrations. Microsoft Entra ID SCIM integrations are not supported because Microsoft Entra ID does not support password synchronization. To request support, please contact Microsoft.
For more information, see Snowflake SCIM support.
COMMENT = 'string_literal'
Specifies a comment for the integration.
Default: No value
A role used to execute this operation must have the following privileges at a minimum:
Privilege
Object
Notes
CREATE INTEGRATION
Account
Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
The OR REPLACE and IF NOT EXISTS clauses are mutually exclusive. They can’t both be used in the same statement.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
The following example creates a Microsoft Entra ID SCIM integration with the default settings:
CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
TYPE = scim
SCIM_CLIENT = 'AZURE'
RUN_AS_ROLE = 'AAD_PROVISIONER';
Copy
View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION aad_provisioning;
Copy
Okta example¶The following example creates an Okta SCIM integration with the default settings:
CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
TYPE = scim
SCIM_CLIENT = 'OKTA'
RUN_AS_ROLE = 'OKTA_PROVISIONER';
Copy
View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION okta_provisioning;Copy
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4