SCIM (System for Cross-domain Identity Management) 2.0 is the standard protocol for automatically provisioning and deprovisioning users and groups from an IdP (Identity Provider) into Snowflake. Once a SCIM integration is configured, user additions, changes, and deactivations on the IdP side are automatically reflected in Snowflake, eliminating the need for manual CREATE USER / DROP USER operations.
In a SCIM integration, the IdP acts as the SCIM client and sends HTTP requests to Snowflake's SCIM API endpoint. Snowflake acts as the SCIM server and creates, updates, or disables users and groups in response to those requests. Authentication uses a Bearer Token (an OAuth token generated when the SCIM Security Integration is created).
-- Run as the ACCOUNTADMIN role
USE ROLE ACCOUNTADMIN;
-- Create a custom role for SCIM provisioning
CREATE ROLE IF NOT EXISTS scim_provisioner;
GRANT CREATE USER ON ACCOUNT TO ROLE scim_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE scim_provisioner;
-- SCIM Security Integration for Okta
CREATE SECURITY INTEGRATION okta_scim_integration
TYPE = SCIM
SCIM_CLIENT = 'OKTA'
RUN_AS_ROLE = 'SCIM_PROVISIONER';
-- SCIM Security Integration for Azure AD
CREATE SECURITY INTEGRATION azure_scim_integration
TYPE = SCIM
SCIM_CLIENT = 'AZURE'
RUN_AS_ROLE = 'SCIM_PROVISIONER';
-- Generic SCIM (e.g., PingFederate)
CREATE SECURITY INTEGRATION generic_scim_integration
TYPE = SCIM
SCIM_CLIENT = 'GENERIC'
RUN_AS_ROLE = 'SCIM_PROVISIONER';-- Retrieve the SCIM API endpoint and token
-- Check it with SELECT after creating the integration
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_SCIM_INTEGRATION');
-- SCIM endpoint URL
-- https://<account>.snowflakecomputing.com/scim/v2/
-- Enter the token in the IdP's SCIM provisioning settingshttps://<account>.snowflakecomputing.com/scim/v2/ as the Base URLhttps://<account>.snowflakecomputing.com/scim/v2/ as the Tenant URL| Target | IdP Operation | Result in Snowflake |
|---|---|---|
| Users | User created | CREATE USER is executed (LOGIN_NAME, DISPLAY_NAME, EMAIL, etc. are set) |
| Users | User attribute updated | ALTER USER updates fields such as DISPLAY_NAME and EMAIL |
| Users | User disabled/deleted | ALTER USER SET DISABLED = TRUE (DROP USER is NOT executed) |
| Groups | Group created | CREATE ROLE is executed (with the privileges of RUN_AS_ROLE) |
| Groups | Member added to group | GRANT ROLE <group_role> TO USER <user> is executed |
| Groups | Member removed from group | REVOKE ROLE <group_role> FROM USER <user> is executed |
| Groups | Group deleted | The role itself is not deleted (DROP ROLE must be run manually) |
RUN_AS_ROLE on a SCIM Security Integration is the role that SCIM provisioning uses when it performs operations inside Snowflake. Provisioning runs only within the privileges granted to this role.
-- Example custom role design for RUN_AS_ROLE
CREATE ROLE scim_provisioner;
-- Privileges to create users and roles
GRANT CREATE USER ON ACCOUNT TO ROLE scim_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE scim_provisioner;
-- If you want ACCOUNTADMIN to manage roles created by SCIM
GRANT ROLE scim_provisioner TO ROLE ACCOUNTADMIN;
-- Note: assigning ACCOUNTADMIN as RUN_AS_ROLE is
-- not recommended for security reasons. Use a least-privilege custom role.-- Audit SCIM API calls
SELECT *
FROM TABLE(INFORMATION_SCHEMA.REST_EVENT_HISTORY(
DATE_RANGE_START => DATEADD(DAY, -7, CURRENT_DATE()),
DATE_RANGE_END => CURRENT_DATE()
))
WHERE event_type = 'SCIM'
ORDER BY event_timestamp DESC;Security & Governance
問題 1
You create a group "data_team" on the Okta side via SCIM provisioning and add members to it. Which option most accurately describes what is automatically executed on the Snowflake side?
正解: B
When a SCIM Provisioning sync brings an IdP group into Snowflake, a ROLE matching the group name is created (CREATE ROLE data_team) and the role is granted to each member user via GRANT ROLE data_team TO USER <user>. SCIM only provisions users and roles; it does not create Snowflake objects such as databases or warehouses.
What happens to Snowflake users when they are deleted on the IdP side via SCIM Provisioning?
When a user is deleted on the IdP side (or unassigned from the app), the SCIM API sets the Snowflake user to DISABLED. The user object itself is not removed from Snowflake. To fully delete the user, an administrator must manually run DROP USER. This behavior is by design so that Snowflake preserves audit trails and OWNERSHIP consistency.
How are passwords managed for users synced via SCIM?
SCIM Provisioning does not sync passwords. Users created via SCIM are expected to authenticate through SSO (SAML 2.0), so no password is set on the Snowflake side. If password authentication is required, an administrator must run ALTER USER SET PASSWORD individually, but the recommended design for SCIM-integrated environments is to standardize on SSO authentication.
Can I sync via SCIM from both Okta and Azure AD?
You can create multiple SCIM Security Integrations on a Snowflake account, but syncing the same user from multiple IdPs risks conflicts. In production, the most stable setup is to sync via SCIM from only one IdP and use the other for SSO authentication only. If syncing from multiple IdPs is truly required, scope the target groups and users on the IdP side so they do not overlap.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...