CREATE SECURITY INTEGRATION (SCIM)

Attention

Mentions of Microsoft Azure Active Directory refer to Microsoft Entra ID.

Creates a new SCIM security integration in the account or replaces an existing integration. A SCIM security integration allows automated management of user identities and groups (i.e. roles) by creating an interface between Snowflake and a third-party identity provider (IdP).

For information about creating other types of security integrations (e.g. SAML2), see CREATE SECURITY INTEGRATION.

See also:

ALTER SECURITY INTEGRATION (SCIM), DROP INTEGRATION, SHOW INTEGRATIONS

Syntax

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
    <name>
    TYPE = SCIM
    ENABLED = { TRUE | FALSE }
    SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }
    RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' | '<custom_role>' }
    [ NETWORK_POLICY = '<network_policy>' ]
    [ SYNC_PASSWORD = { TRUE | FALSE } ]
    [ COMMENT = '<string_literal>' ]

Required parameters

name

String that specifies the identifier (i.e. name) for the integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier requirements.

TYPE = SCIM

Specifies the type of integration:

  • SCIM: Creates a security interface between Snowflake and a client that supports SCIM.

ENABLED = { TRUE | FALSE }

Specify whether the security integration is enabled. To create a security integration that is disabled, set ENABLED = FALSE.

A SCIM security integration cannot be disabled. If you execute a SHOW SECURITY INTEGRATIONS command, the value of the enabled property might be false, but this property of the SCIM integration has no effect on functionality at this time.

The value is case-insensitive.

Default: TRUE

SCIM_CLIENT = { 'OKTA' | 'AZURE' | 'GENERIC' }

Specifies the SCIM client.

RUN_AS_ROLE = { 'OKTA_PROVISIONER' | 'AAD_PROVISIONER' | 'GENERIC_SCIM_PROVISIONER' | 'custom_role' }

Specifies the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.

The values OKTA_PROVISIONER, AAD_PROVISIONER, and GENERIC_SCIM_PROVISIONER are case-sensitive and must always be capitalized. You can also specify a custom role.

Optional parameters

NETWORK_POLICY = 'network_policy'

Specifies an existing network policy that controls SCIM network traffic.

If there are also network policies set for the account or user, see Network policy precedence.

SYNC_PASSWORD = { TRUE | FALSE }

Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake.

  • TRUE enables password synchronization.
  • FALSE disables password synchronization.

Default: FALSE. If a security integration is created without setting this parameter, Snowflake sets it to FALSE.

If user passwords should not be synchronized from the client to Snowflake, ensure this property value is set to FALSE and disable password synchronization in the client.

Note that this property is supported for Okta and Custom SCIM integrations. Microsoft Entra ID SCIM integrations are not supported because Microsoft Entra ID does not support password synchronization. To request support, please contact Microsoft.

For more information, see Snowflake SCIM support.

COMMENT = 'string_literal'

Specifies a comment for the integration.

Default: No value

Access control requirements

A role used to execute this operation must have the following privileges at a minimum:

Privilege            Object    Notes
CREATE INTEGRATION   Account   Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

  • The OR REPLACE and IF NOT EXISTS clauses are mutually exclusive. They can’t both be used in the same statement.
  • CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples

Microsoft Entra ID example

The following example creates a Microsoft Entra ID SCIM integration with the default settings:

CREATE OR REPLACE SECURITY INTEGRATION aad_provisioning
    TYPE = scim
    SCIM_CLIENT = 'AZURE'
    RUN_AS_ROLE = 'AAD_PROVISIONER';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION aad_provisioning;

The output includes a SCIM_ENDPOINT_ID property, which is the UUID used in SCIM API request URLs. For more information, see Send SCIM requests.

Okta example

The following example creates an Okta SCIM integration with the default settings:

CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
    TYPE = scim
    SCIM_CLIENT = 'OKTA'
    RUN_AS_ROLE = 'OKTA_PROVISIONER';

View the integration settings using DESCRIBE INTEGRATION:

DESC SECURITY INTEGRATION okta_provisioning;

The output includes a SCIM_ENDPOINT_ID property, which is the UUID used in SCIM API request URLs. For more information, see Send SCIM requests.
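A hardened variant of the Okta example, added here as an illustration and not taken from the Snowflake documentation: it shows the NETWORK_POLICY and SYNC_PASSWORD options from the optional parameters section beside the weak defaults they replace, using a custom RUN_AS_ROLE. The role name, policy name and IP range are placeholders that must be adapted to the account.

```sql
-- Added example (not from the original page). Names and the CIDR are placeholders.
-- CREATE INTEGRATION is held by ACCOUNTADMIN by default (see access control requirements).
USE ROLE ACCOUNTADMIN;

-- 1. Dedicated provisioner role that will own every user and role imported via SCIM.
--    It needs CREATE USER and CREATE ROLE on the account to provision objects;
--    granting it to ACCOUNTADMIN lets administrators inspect what it owns.
CREATE ROLE IF NOT EXISTS okta_scim_provisioner;
GRANT CREATE USER ON ACCOUNT TO ROLE okta_scim_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE okta_scim_provisioner;
GRANT ROLE okta_scim_provisioner TO ROLE ACCOUNTADMIN;

-- 2. Network policy that limits SCIM requests to the IdP's egress range.
--    203.0.113.0/24 is a documentation placeholder; use the IdP's published ranges.
CREATE NETWORK POLICY IF NOT EXISTS okta_scim_policy
    ALLOWED_IP_LIST = ('203.0.113.0/24');

-- 3a. Weak configuration (kept as a comment, do not run): no network policy,
--     and passwords pushed by the IdP are accepted and stored in Snowflake.
-- CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
--     TYPE = SCIM
--     ENABLED = TRUE
--     SCIM_CLIENT = 'OKTA'
--     RUN_AS_ROLE = 'OKTA_PROVISIONER'
--     SYNC_PASSWORD = TRUE;

-- 3b. Corrected configuration: SCIM traffic restricted by the policy,
--     SYNC_PASSWORD explicitly FALSE (the documented default, stated so it is
--     visible in code review), and the custom role from step 1 as owner.
--     Custom role names are passed as strings; unquoted identifiers are stored
--     in upper case, so the upper-case form is used here.
CREATE OR REPLACE SECURITY INTEGRATION okta_provisioning
    TYPE = SCIM
    ENABLED = TRUE
    SCIM_CLIENT = 'OKTA'
    RUN_AS_ROLE = 'OKTA_SCIM_PROVISIONER'
    NETWORK_POLICY = 'okta_scim_policy'
    SYNC_PASSWORD = FALSE
    COMMENT = 'Okta SCIM provisioning; passwords remain in the IdP';

-- 4. Verify the effective settings; the output lists SYNC_PASSWORD, NETWORK_POLICY
--    and the SCIM_ENDPOINT_ID used in SCIM request URLs.
DESC SECURITY INTEGRATION okta_provisioning;

-- 5. Issue the bearer token the IdP presents on SCIM requests. Treat the result
--    as a secret: store it only in the IdP's SCIM connector configuration.
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('okta_provisioning');
```

Disabling password synchronization on the Snowflake side alone is not enough; the page notes that password synchronization must also be turned off in the client.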