SCIM Integration
You can provide configuration to the Snowflake Object Lifecycle Engine for the following operation on SCIM integrations:
- Manage the lifecycle of new and existing SCIM integrations
Usage
Default Configuration:

    scim_integrations:
      <scim_integration-name>:
        <configuration-key>: <value>

Data Products Configuration:

    - scim_integration:
        name: <scim_integration-name>
        <configuration-key>: <value>
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description |
---|---|---|---|
scim_client | Required | String | Specifies the client type for the SCIM integration. Caution: The scim_client must be one of [OKTA, AZURE, CUSTOM]. Refer to the Snowflake documentation. |
provisioner_role or run_as_role | Required | String | Specifies the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM. Caution: The provisioner_role must be one of [OKTA_PROVISIONER, AAD_PROVISIONER, GENERIC_SCIM_PROVISIONER]. Refer to the Snowflake documentation. You cannot use both configuration keys provisioner_role and run_as_role simultaneously in a SCIM configuration. |
environment | Optional | String | Specifies the environment in which the SCIM integration is managed. Regex can be provided as well. |
manage_mode | Optional | String: all (default), none | Configures what properties to manage for the SCIM integration. See Changing Manage Mode before changing the value. |
namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether a prefix, a suffix, or both are added to the SCIM integration name. |
network_policy | Optional | String | Specifies an active network policy for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account, if any, is used instead. |
Examples
Default Configuration:

    scim_integrations:
      SCIM_INTEGRATION_1:
        provisioner_role: "GENERIC_SCIM_PROVISIONER"
        scim_client: "AZURE"
      SCIM_INTEGRATION_2:
        run_as_role: "GENERIC_SCIM_PROVISIONER"
        scim_client: "AZURE"

Data Products Configuration:

    - scim_integration:
        name: SCIM_INTEGRATION_1
        provisioner_role: "GENERIC_SCIM_PROVISIONER"
        scim_client: "AZURE"
    - scim_integration:
        name: SCIM_INTEGRATION_2
        run_as_role: "GENERIC_SCIM_PROVISIONER"
        scim_client: "AZURE"
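
The constraints in the parameter table can be checked before a configuration is merged. The following is an added example, not code from the engine or its documentation: a small Python lint that accepts either configuration form after YAML parsing and reports violations, plus a warning when no network_policy is set and the integration falls back to the account policy. The function names, the sample integration names, the `IDP_ONLY` policy name, and exact case-sensitive value matching are assumptions.

```python
# Added example: lint rules taken from the parameter table; all names here are hypothetical.
ALLOWED_CLIENTS = {"OKTA", "AZURE", "CUSTOM"}
ALLOWED_ROLES = {"OKTA_PROVISIONER", "AAD_PROVISIONER", "GENERIC_SCIM_PROVISIONER"}
ALLOWED_ENUMS = {"manage_mode": {"all", "none"},
                 "namespacing": {"both", "none", "prefix", "suffix"}}


def normalize(doc):
    """Return {name: settings} from either the default or data-products form."""
    if isinstance(doc, dict):
        return dict(doc.get("scim_integrations") or {})
    out = {}
    for item in doc or []:
        cfg = dict(item.get("scim_integration") or {})
        name = cfg.pop("name", "<unnamed>")
        out[name] = cfg
    return out


def lint(doc):
    """Return sorted 'NAME: level: message' findings for a parsed config."""
    findings = []
    for name, cfg in normalize(doc).items():
        def add(level, msg):
            findings.append(f"{name}: {level}: {msg}")
        if cfg.get("scim_client") not in ALLOWED_CLIENTS:
            add("error", f"scim_client must be one of {sorted(ALLOWED_CLIENTS)}")
        roles = [k for k in ("provisioner_role", "run_as_role") if k in cfg]
        if len(roles) != 1:
            add("error", "set exactly one of provisioner_role / run_as_role")
        for key in roles:
            if cfg[key] not in ALLOWED_ROLES:
                add("error", f"{key} must be one of {sorted(ALLOWED_ROLES)}")
        for key, allowed in ALLOWED_ENUMS.items():
            if key in cfg and cfg[key] not in allowed:
                add("error", f"{key} must be one of {sorted(allowed)}")
        if not cfg.get("network_policy"):
            add("warning", "no network_policy; the account policy, if any, applies")
    return sorted(findings)

# Constructed sample, shaped like yaml.safe_load() output of the default form.
SAMPLE = {"scim_integrations": {
    "SCIM_OK": {"scim_client": "OKTA", "provisioner_role": "OKTA_PROVISIONER",
                "network_policy": "IDP_ONLY"},
    "SCIM_BAD": {"scim_client": "PING", "run_as_role": "AAD_PROVISIONER",
                 "provisioner_role": "AAD_PROVISIONER", "namespacing": "infix"}}}
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the two example integrations on this page, the lint reports only the network_policy warning for each.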