SCIM Integration

You can configure Snowflake Object Lifecycle Engine (SOLE) to perform the following operation on SCIM integrations:

  • Manage the lifecycle of new and existing SCIM integrations

Usage

Note

We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file. Rather than having a grouped collection of objects, SOLE for Data Products goes for modular, self-describing, and explicit object definition.
Learn more about SOLE for Data Products, currently available as a public preview.

We have also introduced Data products as an extra layer on top of the data product platform capabilities making managing data products easier than ever. Learn more about Data Products, currently available as a private preview.

scim_integrations:
  <scim_integration-name>:
    <configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| scim_client | Required | String | Specifies the client type for the SCIM integration. Caution: The scim_client must be one of [OKTA, AZURE, CUSTOM]. Refer to the Snowflake documentation. |
| provisioner_role or run_as_role | Required | String | Specifies the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM. Caution: The provisioner_role must be one of [OKTA_PROVISIONER, AAD_PROVISIONER, GENERIC_SCIM_PROVISIONER]. Refer to the Snowflake documentation. You cannot use both configuration keys provisioner_role and run_as_role simultaneously in a SCIM configuration. |
| environment | Optional | String | Specifies the environment in which the SCIM integration is managed. Regex can be provided as well. |
| manage_mode | Optional | String: all (default), none | Configures what properties to manage for the SCIM integration. See Changing Manage Mode before changing the value. |
| namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether a prefix, a suffix, or both are added to the SCIM integration name. |
| network_policy | Optional | String | Specifies an active network policy for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account, if any, is used instead. |

Examples

scim_integrations:
  SCIM_INTEGRATION_1:
    provisioner_role: "GENERIC_SCIM_PROVISIONER"
    scim_client: "AZURE"
  SCIM_INTEGRATION_2:
    run_as_role: "GENERIC_SCIM_PROVISIONER"
    scim_client: "AZURE"
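
The constraints in the parameter table can be checked before a configuration reaches the engine. The following is an added example, not part of SOLE: a small linter over an already-parsed scim_integrations mapping. The function name, the sample entries, and the assumption that values must match the table exactly as written are all hypothetical.

```python
# Added example, not SOLE code: lint a parsed `scim_integrations` mapping
# against the parameter table above. All names below are hypothetical.
SCIM_CLIENTS = {"OKTA", "AZURE", "CUSTOM"}
PROVISIONER_ROLES = {"OKTA_PROVISIONER", "AAD_PROVISIONER",
                     "GENERIC_SCIM_PROVISIONER"}
MANAGE_MODES = {"all", "none"}
NAMESPACING = {"both", "none", "prefix", "suffix"}
KNOWN_KEYS = {"scim_client", "provisioner_role", "run_as_role", "environment",
              "manage_mode", "namespacing", "network_policy"}


def lint_scim_integrations(config):
    """Return (errors, warnings) for a dict shaped like the parsed YAML."""
    errors, warnings = [], []
    for name, params in (config.get("scim_integrations") or {}).items():
        params = params or {}
        # Keys outside the table are most likely typos; report, do not reject.
        for key in sorted(set(params) - KNOWN_KEYS):
            warnings.append(f"{name}: key '{key}' is not in the parameter table")
        # Assumption: values are compared exactly as written in the table.
        if params.get("scim_client") not in SCIM_CLIENTS:
            errors.append(f"{name}: scim_client must be one of {sorted(SCIM_CLIENTS)}")
        # provisioner_role and run_as_role are mutually exclusive; one is required.
        role_keys = [k for k in ("provisioner_role", "run_as_role") if k in params]
        if len(role_keys) != 1:
            errors.append(f"{name}: set exactly one of provisioner_role or run_as_role")
        elif params[role_keys[0]] not in PROVISIONER_ROLES:
            errors.append(f"{name}: {role_keys[0]} must be one of {sorted(PROVISIONER_ROLES)}")
        if params.get("manage_mode", "all") not in MANAGE_MODES:
            errors.append(f"{name}: manage_mode must be one of {sorted(MANAGE_MODES)}")
        if params.get("namespacing", "both") not in NAMESPACING:
            errors.append(f"{name}: namespacing must be one of {sorted(NAMESPACING)}")
        # Without network_policy the account-level policy, if any, is used.
        if not params.get("network_policy"):
            warnings.append(f"{name}: no network_policy set; account policy, if any, applies")
    return errors, warnings


# Constructed sample: first entry is from the page, the other two are invalid.
SAMPLE = {"scim_integrations": {
    "SCIM_INTEGRATION_1": {"provisioner_role": "GENERIC_SCIM_PROVISIONER",
                           "scim_client": "AZURE"},
    "BAD_BOTH_ROLES": {"provisioner_role": "OKTA_PROVISIONER",
                       "run_as_role": "OKTA_PROVISIONER",
                       "scim_client": "OKTA", "network_policy": "IDP_ONLY"},
    "BAD_CLIENT": {"run_as_role": "AAD_PROVISIONER", "scim_client": "GOOGLE",
                   "manage_mode": "some"},
}}

if __name__ == "__main__":
    for line in sum(lint_scim_integrations(SAMPLE), []):
        print(line)
```

Warnings are kept separate from errors so a review can decide whether relying on the account-level network policy is intended for a given integration.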