Summary and recommendation
Snowflake supports SCIM 2.0 for automated provisioning across all editions (Standard, Enterprise, Business Critical), which is rare among enterprise data platforms. However, Snowflake's SCIM implementation has operational friction that creates ongoing overhead: SCIM tokens expire every 6 months requiring manual renewal, SSO must be configured separately from SCIM, and native Snowflake roles cannot be managed through SCIM provisioning.
For data teams managing warehouse access and database permissions, this creates a hybrid provisioning scenario where users are created automatically but role assignments still require manual intervention. The 6-month token expiration is particularly problematic for IT teams—miss the renewal and provisioning breaks until someone notices users can't access their data warehouses. Additionally, network policies must be configured to allow your IdP's IP addresses, adding complexity for organizations using PrivateLink or restrictive network configurations.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Snowflake with automated token renewal, unified SSO + provisioning setup, and intelligent role mapping. Works with any Snowflake edition and consumption-based pricing. Flat pricing under $5K/year with 24/7 human-in-the-loop support.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Custom |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OAuth |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Snowflake accounts manually. Here's what that costs:
The Snowflake pricing problem
Snowflake gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $2.00/credit | ||
| Enterprise | $3.00/credit | ||
| Business Critical | $4.00/credit |
Plan Structure (Consumption-Based Pricing)
| Plan | Price | Storage | SCIM |
|---|---|---|---|
| Standard | $2.00/credit | $23/TB/month | ✓ |
| Enterprise | $3.00/credit | $23/TB/month | ✓ |
| Business Critical | $4.00/credit | $23/TB/month | ✓ |
Note: Credits are consumed based on compute usage. A small warehouse uses ~1 credit/hour, while larger warehouses can consume 128+ credits/hour. Pre-purchased capacity offers 10-30% discounts but requires upfront commitment.
What this means in practice
SCIM access isn't gated by plan tier, but operational costs scale with usage patterns:
| Scenario | Monthly Consumption | Standard Cost | Enterprise Cost |
|---|---|---|---|
| Light analytics (50 users, 2-4 hrs/day) | ~200 credits | $400 | $600 |
| Production workloads (24/7 small warehouse) | ~720 credits | $1,440 | $2,160 |
| Heavy data processing (large warehouses) | ~5,000+ credits | $10,000+ | $15,000+ |
Storage costs are additional: A 10TB data warehouse adds $230/month regardless of plan.
Additional constraints
Summary of challenges
- Snowflake supports SCIM but only at Custom tier ($3.00/credit (on-demand))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Snowflake includes SCIM 2.0 provisioning across all editions (Standard, Enterprise, Business Critical), but it's not a simple plug-and-play feature. Here's what you're actually getting:
The challenge isn't pricing—it's operational complexity. SCIM tokens expire every 6 months requiring manual rotation. Network policies must be configured to allow your IdP's IP addresses. SSO and SCIM are separate configurations that don't automatically work together. You can't manage Snowflake's built-in roles via SCIM, only custom roles created through group sync.
For data teams that just need reliable user provisioning, you're essentially managing a complex identity infrastructure on top of your actual data platform work. Most teams spend more time troubleshooting expired tokens and network policies than they save from automation.
What IT admins are saying
Community sentiment on Snowflake's SCIM implementation is mixed, with frustrations centered around operational complexity rather than pricing. Common complaints:
- SCIM tokens expiring every 6 months requiring manual renewal
- SSO and SCIM being separate configurations that must be managed independently
- Network policy complications, especially with PrivateLink environments
- Inability to manage native Snowflake roles through SCIM automation
The 6-month token expiration is a pain point - you have to remember to rotate these or provisioning just breaks silently.
SSO works fine but then you realize SCIM is a whole separate beast to configure, and God help you if you're using PrivateLink.
The recurring theme
While Snowflake includes SCIM across all editions, the operational overhead of managing token rotations and separate SSO/SCIM configurations creates ongoing maintenance burden for IT teams.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but want to avoid consumption pricing complexity | Use Stitchflow: flat $5K/year vs unpredictable credit costs |
| Can't manage SCIM token renewals every 6 months | Use Stitchflow: we handle token lifecycle management |
| Need to sync native Snowflake roles or nested groups | Use Stitchflow: we work around SCIM limitations |
| Already on Enterprise with dedicated admin resources | Use native SCIM: you have the credits and expertise |
| Small data team with minimal user changes | Manual may work: but watch for data access governance gaps |
The bottom line
Snowflake's native SCIM works but comes with operational overhead—6-month token renewals, network policy complexity, and consumption-based pricing uncertainty. For data teams that need reliable provisioning automation without the administrative burden, Stitchflow delivers predictable costs and managed operations.
Automate Snowflake without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Snowflake at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Custom
Prerequisites
SSO must be configured first
Key limitations
- SCIM tokens expire after 6 months
- SCIM does not automatically enable SSO
- Cannot manage native Snowflake roles via SCIM
- Network policy required to allow IdP IP addresses
- Nested groups not supported in Okta SCIM sync
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 support for user and group provisioning. Push Groups creates roles in Snowflake. Supports attribute mapping for Default Role & Warehouse.
Native SCIM is available on Custom. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support via Microsoft Entra. Syncs every 40 minutes.
Native SCIM is available on Custom. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Snowflake
Stop paying the SCIM Tax for Snowflake. Get enterprise-grade SCIM at a fraction of the enterprise plan cost.
See how it works
