Custom SCIM Integration with Snowflake

Custom SCIM integrations allow users to build their own applications that interface with their identity provider to provision, map, and manage users and roles in Snowflake.

Currently, Custom SCIM integrations are supported for identity providers that are neither Okta nor Microsoft Azure AD.

After creating your SCIM application, follow the procedure below to create a Snowflake Security Integration and generate a SCIM API authorization token. Save the authorization token and include it in the SCIM API request header as described in Making a SCIM API Request.

Create a Custom SCIM Security Integration and API Token

Execute the following SQL statements in either the Snowflake web interface or in SnowSQL to create the Custom SCIM security integration and the authorization token in Snowflake.

use role accountadmin;
create or replace role generic_scim_provisioner;
grant create user on account to role generic_scim_provisioner;
grant create role on account to role generic_scim_provisioner;
grant role generic_scim_provisioner to role accountadmin;
create or replace security integration generic_scim_provisioning
    type=scim
    scim_client='generic'
    run_as_role='GENERIC_SCIM_PROVISIONER';
select system$generate_scim_access_token('GENERIC_SCIM_PROVISIONING');

Each of these statements is explained below.

  1. Since security integrations require the ACCOUNTADMIN role, switch to the ACCOUNTADMIN role.

    use role accountadmin;
    
  2. Create the GENERIC_SCIM_PROVISIONER role in Snowflake and grant it the privileges to create users and roles. All users and roles in Snowflake created by the custom SCIM client will be owned by the scoped-down GENERIC_SCIM_PROVISIONER role.

    create or replace role generic_scim_provisioner;
    grant create user on account to role generic_scim_provisioner;
    grant create role on account to role generic_scim_provisioner;
    
  3. Grant the GENERIC_SCIM_PROVISIONER role to the ACCOUNTADMIN role in Snowflake. The ACCOUNTADMIN role is necessary to create an integration.

    grant role generic_scim_provisioner to role accountadmin;
    
  4. Let the ACCOUNTADMIN role create the security integration using the GENERIC_SCIM_PROVISIONER role.

    create or replace security integration generic_scim_provisioning
        type=scim
        scim_client='generic'
        run_as_role='GENERIC_SCIM_PROVISIONER';
    
  5. Create and save the authorization token. Use this token for each SCIM REST API request and place it in the request header. The access token expires after six months, and a new access token can be generated with this statement.

    select system$generate_scim_access_token('GENERIC_SCIM_PROVISIONING');
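The following is an added example, not code from the Snowflake documentation, showing how a custom SCIM client built on the procedure above would use the generated token: it assembles a SCIM 2.0 "create user" request with the token in the Authorization header and checks whether the token is close to its six-month expiry so that a replacement can be generated with SYSTEM$GENERATE_SCIM_ACCESS_TOKEN before provisioning fails. The account identifier and token value are placeholders, and the /scim/v2/Users endpoint path, the Bearer scheme and the 180-day approximation of six months are assumptions made for this example.

```python
"""Added example (not from the Snowflake documentation): build a SCIM 2.0 request
to Snowflake using the token from SYSTEM$GENERATE_SCIM_ACCESS_TOKEN, and decide
when that token is due for rotation."""
import json
from datetime import date, timedelta
from urllib.request import Request, urlopen

# Placeholder values constructed for this example; not real credentials.
ACCOUNT_IDENTIFIER = "myorg-myaccount"
SCIM_ACCESS_TOKEN = "<token returned by SYSTEM$GENERATE_SCIM_ACCESS_TOKEN>"

# Assumption: SCIM 2.0 resources live under this path on the account host.
SCIM_BASE_PATH = "/scim/v2"
# The page states the token expires after six months; 180 days is the
# conservative approximation used here.
TOKEN_LIFETIME = timedelta(days=180)


def scim_url(account_identifier: str, resource: str) -> str:
    """Assumed SCIM endpoint URL for a resource such as 'Users' or 'Groups'."""
    return f"https://{account_identifier}.snowflakecomputing.com{SCIM_BASE_PATH}/{resource}"


def scim_headers(token: str) -> dict:
    """Request headers: the security integration's bearer token plus the SCIM media type."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def build_user_payload(user_name: str, given_name: str, family_name: str, email: str) -> dict:
    """SCIM 2.0 core User resource for a provisioning (POST /Users) call."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def build_create_user_request(account_identifier: str, token: str, payload: dict) -> Request:
    """Assemble the POST /Users request; nothing is sent until send() is called."""
    body = json.dumps(payload).encode()
    return Request(scim_url(account_identifier, "Users"), data=body,
                   headers=scim_headers(token), method="POST")


def token_rotation_due(generated_on: str, today: str, lead_days: int = 14) -> bool:
    """True when the token (ISO dates) is within lead_days of expiry or already
    expired, i.e. a new token should be generated and swapped into the client."""
    expires_on = date.fromisoformat(generated_on) + TOKEN_LIFETIME
    return date.fromisoformat(today) >= expires_on - timedelta(days=lead_days)


def send(request: Request) -> dict:
    """Perform the network call against Snowflake (not exercised offline)."""
    with urlopen(request) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    payload = build_user_payload("jdoe", "Jane", "Doe", "jdoe@example.com")
    req = build_create_user_request(ACCOUNT_IDENTIFIER, SCIM_ACCESS_TOKEN, payload)
    print(req.get_method(), req.full_url)
    print("rotation due:", token_rotation_due("2024-01-01", "2024-06-25"))
```

The token is a long-lived credential that can create users and roles in the account, so the client should read it from a secrets store rather than source code, and the rotation check belongs in a scheduled job so the replacement is generated and deployed before the six-month expiry rather than after provisioning starts failing.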