March 3, 2021

Support for SCIM Provisioning for Better Manageability and Security

We are thrilled to announce that we now offer SCIM provisioning support to extend the capabilities of SAML and OAuth. SCIM gives Sigma Administrators a real-time way for Sigma to sync data with Identity Providers, automating the adding and removing of users from Sigma as well as managing user metadata (e.g. name, team, roles). This enables faster deployments while improving manageability and security. Sigma has always made data governance and security a priority, ensuring that data accessed via Sigma is only available to the appropriate users and in a secure manner.

Identity Provider 101

Organizations large and small have many applications they need to provision to their employees. Trying to manage this provisioning and authentication “manually” via separate passwords and roles for each application, especially with hundreds or thousands of employees and dozens of applications, is a management nightmare. It also creates substantial security risks, especially when employees leave a company and are not de-provisioned in a timely manner. The answer to this is Identity Providers (IdPs) like Okta, Azure AD, and OneLogin. An IdP acts as a central repository that maintains an employee’s information and roles (identity) and can be used to connect employees with the applications they need. IdPs provide a way to manage access and add or remove privileges while security remains tight. More specifically, IdPs can enable authentication, authorization, Single Sign On (SSO) and more.

Two popular open standards that let an IdP authenticate users to other applications are SAML and OAuth.

Before

Sigma customers use IdPs heavily, so for some time we have offered authentication support for both SAML (with Okta, OneLogin, and Google SSO) and OAuth (with Snowflake). While this worked very well for customers, there were two main limitations:

  1. SAML and OAuth do not provide a real-time way of syncing metadata like usernames or roles. This metadata was only updated when a user logged into Sigma, which also prevented real-time provisioning and deprovisioning of users.
  2. Our current implementation of both SAML and OAuth supported syncing user names and roles in the IdP with Sigma, but not “Groups” in the IdP with “Teams” in Sigma. We could have built upon the standards to enable this, but the limitation in (1) would still exist: the update would only happen when the user logged into Sigma.

The bottom line was we needed a more robust way to expand metadata syncing between the IdP and Sigma so we could sync more data and in real-time.

What’s New: SCIM!

What we are announcing now is support for SCIM (System for Cross-domain Identity Management) provisioning. SCIM is an open standard for securely automating the exchange of user identity data between two services, in this case an IdP and Sigma.

With Sigma, SCIM works in combination with SAML and OAuth to resolve the two limitations mentioned in the prior section:

  1. SCIM offers a real-time way to sync metadata (username, role, team, etc.) from the IdP to Sigma. Users do not need to log into Sigma for this sync to happen.
  2. Our SCIM support enables “Group” metadata in the IdP to now be mapped and auto-synced with “Teams” in Sigma.

The benefits of SCIM include:

  1. Sigma Admins can fully automate management of Sigma users and their permissions from a single source of truth, the IdP. There is no need for a Sigma Admin to log into Sigma to adjust user or team permissions. When users log into Sigma they get access to the workspaces and permissions for their given teams.
  2. Automatic, real-time provisioning and deprovisioning of users in Sigma. When an employee leaves and is deactivated in the IdP, they are also deactivated in Sigma, thus increasing data security.
  3. Sigma and Sigma admins can recognize all users who have access to Sigma (not just those who have logged in). These new users can optionally be notified of their Sigma access via welcome emails even before they log into Sigma, and existing Sigma users can share content with them even before they have signed in.
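As an added illustration (not Sigma's code), here is a minimal in-memory SCIM 2.0 service-provider side showing the two behaviours described above: a deactivation pushed by the IdP takes effect before the user's next login, and an IdP Group is mirrored onto a team. All names are hypothetical; it assumes the IdP sends the user's externalId and RFC 7644 PATCH "replace" operations in either the Okta-style or the Azure AD-style shape.

```python
from dataclasses import dataclass, field
def _as_bool(value):
    # 'active' is boolean in SCIM, but some IdPs send "False" as a string; bool("False") is True.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)

@dataclass
class User:
    id: str
    user_name: str
    active: bool = True
    teams: set = field(default_factory=set)

class ScimTarget:
    def __init__(self):
        self.users = {}  # SCIM id -> User (hypothetical in-memory store)

    def create_user(self, payload):
        """POST /Users: the IdP pushes the account before any login happens."""
        user = User(payload["externalId"], payload["userName"],
                    _as_bool(payload.get("active", True)))
        self.users[user.id] = user
        return user

    def patch_user(self, user_id, patch):
        """PATCH /Users/{id}: apply RFC 7644 'replace' ops, e.g. active=false."""
        user = self.users[user_id]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("unsupported op: " + op["op"])
            # Okta: {"value": {"active": false}}  Azure AD: {"path": "active", "value": "False"}
            values = {op["path"]: op["value"]} if "path" in op else op["value"]
            if "active" in values:
                user.active = _as_bool(values["active"])
            user.user_name = values.get("userName", user.user_name)
        return user

    def put_group(self, payload):
        """PUT /Groups/{id}: an IdP Group maps to a team; membership is replaced wholesale."""
        team = payload["displayName"]
        members = {m["value"] for m in payload.get("members", [])}
        for uid, user in self.users.items():
            user.teams.discard(team)
            if uid in members:
                user.teams.add(team)
        return members

    def can_sign_in(self, user_id):
        # Even a valid SAML assertion must not open a deactivated account.
        user = self.users.get(user_id)
        return user is not None and user.active
```

The string-to-boolean handling is the edge case worth checking in any SCIM endpoint: treating the string "False" as truthy would silently leave a departed user active.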

A screenshot of the SCIM provisioning option after it has been enabled in the Sigma UI

The Details

Today we have native SCIM+SAML support for Okta. Shortly we will also have native SCIM+SAML support for Azure Active Directory (Azure AD). This will include support in the Okta and Azure AD app directories/marketplaces for easy setup.

Sigma also has SCIM+OAuth 2.0 support for Okta. Additionally, we support custom integrations with SCIM or OAuth and other IdPs, but some additional implementation work may be required.

To learn more, see the documentation on SCIM and Okta. As we add support for other IdPs, these will be documented as well.

Closing And Next Steps

In summary, SCIM support improves the manageability and security of Sigma, and also accelerates deployments.

More detail on how Sigma ensures secure data analytics, including the internal processes and technologies that Sigma engineering and product security use to secure customer data, is on our website here. Sigma can meet the high data governance and security standards of the most security-conscious organizations!

Lastly, if you would like to learn more about data governance, please see "Enterprise Data Governance." 

Joe Goldberg
Director of Product Marketing