Snowflake

Snowflake SCIM Provisioning Implementation Guide: Designing and Operating Automated User Sync

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

SCIM (System for Cross-domain Identity Management) 2.0 is the standard protocol for automatically provisioning and deprovisioning users and groups from an IdP (Identity Provider) into Snowflake. Once a SCIM integration is configured, user additions, changes, and deactivations on the IdP side are automatically reflected in Snowflake, eliminating the need for manual CREATE USER / DROP USER operations.

SCIM Integration Architecture

In a SCIM integration, the IdP acts as the SCIM client and sends HTTP requests to Snowflake's SCIM API endpoint. Snowflake acts as the SCIM server and creates, updates, or disables users and groups in response to those requests. Authentication uses a Bearer Token (an OAuth token generated when the SCIM Security Integration is created).

Creating the SCIM Security Integration

-- Run as the ACCOUNTADMIN role
USE ROLE ACCOUNTADMIN;

-- Create a custom role for SCIM provisioning
CREATE ROLE IF NOT EXISTS scim_provisioner;
GRANT CREATE USER ON ACCOUNT TO ROLE scim_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE scim_provisioner;

-- SCIM Security Integration for Okta
CREATE SECURITY INTEGRATION okta_scim_integration
  TYPE = SCIM
  SCIM_CLIENT = 'OKTA'
  RUN_AS_ROLE = 'SCIM_PROVISIONER';

-- SCIM Security Integration for Azure AD
CREATE SECURITY INTEGRATION azure_scim_integration
  TYPE = SCIM
  SCIM_CLIENT = 'AZURE'
  RUN_AS_ROLE = 'SCIM_PROVISIONER';

-- Generic SCIM (e.g., PingFederate)
CREATE SECURITY INTEGRATION generic_scim_integration
  TYPE = SCIM
  SCIM_CLIENT = 'GENERIC'
  RUN_AS_ROLE = 'SCIM_PROVISIONER';

Generating the SCIM Token

-- Retrieve the SCIM API endpoint and token
-- Check it with SELECT after creating the integration
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_SCIM_INTEGRATION');

-- SCIM endpoint URL
-- https://<account>.snowflakecomputing.com/scim/v2/

-- Enter the token in the IdP's SCIM provisioning settings

Setup Flow by IdP

Okta Setup Steps

  1. From Okta App Integrations, add the "Snowflake" app
  2. Provisioning tab → enable Configure API Integration
  3. Enter the SCIM token generated in Snowflake into the API Token field
  4. Enter https://<account>.snowflakecomputing.com/scim/v2/ as the Base URL
  5. Under Provisioning to App, enable Create Users / Update Attributes / Deactivate Users
  6. Assign the target groups/users for sync on the Assignments tab

Azure AD Setup Steps

  1. Azure Portal → Enterprise Applications → add Snowflake
  2. Provisioning → select Automatic
  3. Enter https://<account>.snowflakecomputing.com/scim/v2/ as the Tenant URL
  4. Enter the SCIM token generated in Snowflake into the Secret Token field
  5. Verify connectivity with Test Connection
  6. Review and customize user and group attribute mappings under Mappings
  7. Configure Scope (Sync assigned users and groups only) under Settings
  8. Set Provisioning Status to On and save

Sync Targets and Behavior

TargetIdP OperationResult in Snowflake
UsersUser createdCREATE USER is executed (LOGIN_NAME, DISPLAY_NAME, EMAIL, etc. are set)
UsersUser attribute updatedALTER USER updates fields such as DISPLAY_NAME and EMAIL
UsersUser disabled/deletedALTER USER SET DISABLED = TRUE (DROP USER is NOT executed)
GroupsGroup createdCREATE ROLE is executed (with the privileges of RUN_AS_ROLE)
GroupsMember added to groupGRANT ROLE <group_role> TO USER <user> is executed
GroupsMember removed from groupREVOKE ROLE <group_role> FROM USER <user> is executed
GroupsGroup deletedThe role itself is not deleted (DROP ROLE must be run manually)

Designing RUN_AS_ROLE

RUN_AS_ROLE on a SCIM Security Integration is the role that SCIM provisioning uses when it performs operations inside Snowflake. Provisioning runs only within the privileges granted to this role.

-- Example custom role design for RUN_AS_ROLE
CREATE ROLE scim_provisioner;

-- Privileges to create users and roles
GRANT CREATE USER ON ACCOUNT TO ROLE scim_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE scim_provisioner;

-- If you want ACCOUNTADMIN to manage roles created by SCIM
GRANT ROLE scim_provisioner TO ROLE ACCOUNTADMIN;

-- Note: assigning ACCOUNTADMIN as RUN_AS_ROLE is
-- not recommended for security reasons. Use a least-privilege custom role.

Troubleshooting

  • Users are not being synced: the SCIM token on the IdP side may have expired. Generate a new token with SYSTEM$GENERATE_SCIM_ACCESS_TOKEN and reconfigure it on the IdP.
  • Groups sync but roles are not created: RUN_AS_ROLE has not been granted CREATE ROLE. Run GRANT CREATE ROLE ON ACCOUNT TO ROLE <run_as_role>.
  • Synced user conflicts with an existing user: if a user with the same LOGIN_NAME already exists in Snowflake, SCIM will update that user. Check for duplicate LOGIN_NAMEs in advance to prevent unintended overwrites.
  • Checking SCIM logs: the REST_EVENT_HISTORY view lets you trace successes and failures of SCIM API calls.
-- Audit SCIM API calls
SELECT *
FROM TABLE(INFORMATION_SCHEMA.REST_EVENT_HISTORY(
  DATE_RANGE_START => DATEADD(DAY, -7, CURRENT_DATE()),
  DATE_RANGE_END => CURRENT_DATE()
))
WHERE event_type = 'SCIM'
ORDER BY event_timestamp DESC;

Check Your Understanding

Security & Governance

問題 1

You create a group "data_team" on the Okta side via SCIM provisioning and add members to it. Which option most accurately describes what is automatically executed on the Snowflake side?

  1. A DATA_TEAM database is created and members are automatically granted SELECT privilege
  2. A DATA_TEAM role is created and the role is GRANTed to the member users
  3. A DATA_TEAM warehouse is created and members are automatically granted USAGE privilege
  4. A DATA_TEAM resource monitor is created and member credit consumption is tracked

正解: B

When a SCIM Provisioning sync brings an IdP group into Snowflake, a ROLE matching the group name is created (CREATE ROLE data_team) and the role is granted to each member user via GRANT ROLE data_team TO USER <user>. SCIM only provisions users and roles; it does not create Snowflake objects such as databases or warehouses.

Frequently Asked Questions

What happens to Snowflake users when they are deleted on the IdP side via SCIM Provisioning?

When a user is deleted on the IdP side (or unassigned from the app), the SCIM API sets the Snowflake user to DISABLED. The user object itself is not removed from Snowflake. To fully delete the user, an administrator must manually run DROP USER. This behavior is by design so that Snowflake preserves audit trails and OWNERSHIP consistency.

How are passwords managed for users synced via SCIM?

SCIM Provisioning does not sync passwords. Users created via SCIM are expected to authenticate through SSO (SAML 2.0), so no password is set on the Snowflake side. If password authentication is required, an administrator must run ALTER USER SET PASSWORD individually, but the recommended design for SCIM-integrated environments is to standardize on SSO authentication.

Can I sync via SCIM from both Okta and Azure AD?

You can create multiple SCIM Security Integrations on a Snowflake account, but syncing the same user from multiple IdPs risks conflicts. In production, the most stable setup is to sync via SCIM from only one IdP and use the other for SSO authentication only. If syncing from multiple IdPs is truly required, scope the target groups and users on the IdP side so they do not overlap.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.