TL;DR
Okta is deployed. SSO works. Provisioning doesn't.
You disable someone in Okta. SSO access is revoked. But a week later, they're still active in Zendesk, Gusto, QuickBooks - because SSO isn't provisioning.
We analyzed 721 apps:
- 57% have no SCIM at all - never built it
- 42% paywall it behind tier upgrades - ransom economics
- 1.2% include it on base tier
Your Okta deployment handles authentication. But without provisioning, offboarding still fails and you're still opening 15 browser tabs. Stitchflow bypasses both problems.

The gap every Okta admin knows
You've done everything right.
Okta is deployed. SSO is configured. Users click a tile and they're in. The board presentation shows a nice diagram with Okta at the center, arrows pointing to all your apps.
Then someone leaves the company.
You disable them in Okta. SSO access is revoked. But when you audit their accounts a week later, they're still active in Zendesk. Still have a seat in Gusto. Still showing up in QuickBooks.
Because SSO isn't provisioning.
Okta gave you authentication. It didn't give you lifecycle management - not for most of your stack.
The numbers nobody talks about
We analyzed 721 SaaS applications to understand why Okta provisioning fails for most of your stack.
| SCIM Status | Apps | What it means for Okta |
|---|---|---|
| No SCIM on any tier | 411 (57%) | Okta can't provision - no endpoint exists |
| SCIM paywalled (requires tier upgrade) | 301 (42%) | Okta can provision - if you pay 2-3x more |
| SCIM on base tier | 9 (1.2%) | Okta provisions out of the box |
The math: 98.8% of apps either lack SCIM entirely or paywall it. Your Okta catalog shows hundreds of integrations, but most are SSO-only. An app can appear in the Okta Integration Network, work perfectly for authentication, and still require you to manually create and remove users.
Popular Okta catalog apps without provisioning
These apps are in the Okta Integration Network. They work for SSO. But provisioning? Either it doesn't exist, or it's locked behind expensive upgrades.
No SCIM at any price
| App | Category | What you get |
|---|---|---|
| Gusto | HR/Payroll | JIT user creation, no deprovisioning |
| QuickBooks | Finance | SSO only - no provisioning exists |
| ADP | HR/Payroll | SSO only - no provisioning exists |
| Lever | Recruiting | SSO only - no provisioning exists |
| Mailchimp | Marketing | SSO only - no provisioning exists |
SCIM paywalled behind tier upgrades
| App | Category | The ransom |
|---|---|---|
| Slack | Collaboration | Enterprise Grid only (2.2x Pro pricing) |
| Figma | Design | Organization tier only (3.4x Professional pricing) |
| Notion | Productivity | Enterprise only |
| HubSpot | CRM | Enterprise only (4x Professional pricing) |
| GitHub | DevOps | Enterprise Cloud only (5.25x Team pricing) |
| Asana | Project Mgmt | Enterprise only |
| Zendesk | Support | Professional tier (2.1x Team pricing) - via Okta connector |
The pattern: HR systems, finance tools, and recruiting platforms often have no SCIM at all. Collaboration and productivity tools have SCIM - but make you pay ransom to access it.
Note: Zendesk has no native SCIM. Okta and Entra can provision it via custom API connectors, but this still requires upgrading to the Professional tier ($115/agent vs $55 on Team). Either way, your Okta deployment can't automate these without intervention.
Why SSO isn't enough
SSO solves authentication. It doesn't solve:
Onboarding delays
New employee starts Monday. They're in Okta. But their Zendesk account? Someone has to manually create it. Their HubSpot seat? Same. Their QuickBooks access? You get the idea.
Offboarding gaps
Employee leaves Friday. You disable them in Okta instantly. But their accounts in non-SCIM apps? Still active until someone remembers to check.
License waste
The contractor who finished 6 months ago is still consuming a Gusto seat because nobody flagged the cleanup. The seasonal worker still has an ADP account. You're paying for ghosts.
Audit failures
"Show me everyone who can access customer data." You can pull Okta logs. But what about the 30% of apps where access isn't controlled by Okta at all?
The promise was "disable in Okta, disabled everywhere." The reality is "disable in Okta, then open 15 browser tabs."
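The offboarding audit described above can be scripted for apps that only offer a user export. The following is an added example, not Stitchflow's or Okta's code: it reconciles an IdP directory export against an app's user list and flags accounts that are still active in the app while the identity is suspended, deprovisioned, or absent from the IdP. The CSV column names, the app name, and the sample rows are constructed assumptions.

```python
import csv
import io

# Okta user statuses that mean the identity must no longer hold app access.
REVOKED = {"SUSPENDED", "DEPROVISIONED"}

# Constructed sample: IdP directory export (login, status).
IDP_CSV = """login,status
ana@example.com,ACTIVE
ben@example.com,DEPROVISIONED
cy@example.com,SUSPENDED
"""

# Constructed sample: user export from an SSO-only app (hypothetical columns).
APP_CSV = """Email,State,Last Login
Ana@Example.com,active,2024-05-01
BEN@example.com ,active,2024-04-02
cy@example.com,disabled,2024-01-15
dee@example.com,active,2024-04-28
"""

def norm(email):
    """Apps differ in case and padding, so compare a canonical form."""
    return email.strip().lower()

def find_orphans(idp_csv, app_csv, app_name):
    """Return app accounts that are active but have no valid IdP identity."""
    idp = {norm(r["login"]): r["status"].strip().upper()
           for r in csv.DictReader(io.StringIO(idp_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        if row["State"].strip().lower() != "active":
            continue  # already disabled in the app
        email = norm(row["Email"])
        status = idp.get(email)
        if status is None:
            reason = "not in IdP"  # local account outside SSO entirely
        elif status in REVOKED:
            reason = f"IdP status {status}"
        else:
            continue  # identity is still valid in the IdP
        findings.append({"app": app_name, "email": email, "reason": reason,
                         "last_login": row["Last Login"].strip()})
    return findings

if __name__ == "__main__":
    for finding in find_orphans(IDP_CSV, APP_CSV, "helpdesk-app"):
        print(finding)
```

Accounts flagged as "not in IdP" deserve the same attention as deprovisioned ones, since they were created locally and never passed through SSO at all.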
The real Okta provisioning coverage
Based on our analysis of 721 apps, here's what Okta actually automates:
| App status | Percentage | What happens |
|---|---|---|
| No SCIM exists | 57% | Manual forever, regardless of IdP |
| SCIM paywalled | 42% | Pay 2-3x more or stay manual |
| SCIM on base tier | 1.2% | True automation without upsell |
Even with Okta fully deployed, 98.8% of apps either have no SCIM or paywall it behind tier upgrades.
The apps that do support SCIM through Okta work beautifully. Slack Enterprise Grid. Salesforce Enterprise. GitHub Enterprise. But those are the apps already costing you six figures. For everything else, Okta is a very expensive SSO portal.
The SCIM tax: why this isn't an accident
This isn't a technical limitation. SCIM has existed since 2011. The protocol is open, well-documented, and supported by every major IdP. Building SCIM support is straightforward for any modern SaaS platform.
Vendors withhold SCIM because it's profitable.
The playbook
- Offer a cheap or free tier to land new customers
- Let usage grow across the organization
- When IT asks about provisioning, point to the Enterprise tier
- Bundle SCIM with features nobody asked for (audit logs, advanced analytics, "premium support")
- Charge 2-3x the standard price
This is ransom economics. Vendors hold your security posture hostage until you pay the tax.
The math is intentional: A 500-person company using HubSpot's Professional plan pays ~$800/month. Enterprise with SCIM? Starts at $3,600/month. Slack Pro is $8.75/user. Enterprise Grid with SCIM? "Contact sales" - typically 3-4x more. The SCIM feature itself costs vendors almost nothing to maintain. The price difference is pure extraction.
It's not Okta's fault. Okta built the infrastructure. They support SCIM. They're ready to automate. But they can't provision to apps that deliberately refuse to expose the endpoint. Your IdP isn't broken. Vendors broke the ecosystem on purpose.
Switching IdPs doesn't fix this
Thinking Entra ID would be better? The coverage gap is nearly identical.
Both Okta and Entra face the same problem: they can only provision to apps that expose SCIM endpoints (or have IdP-specific connectors). Since 57% of apps have no SCIM and 42% paywall it, switching IdPs changes nothing. The bottleneck isn't your identity provider - it's the SaaS vendors refusing to support the standard.
Some apps work better with one IdP than the other for specific features. But the coverage gap is nearly identical across Okta and Entra. Box's proprietary API works with both, but isn't SCIM-compliant with either. The inconsistency adds complexity without adding provisioning coverage.
What this costs you
Without automated provisioning, IT teams absorb the burden manually. Based on Stitchflow customer data across 500-person companies:
Per app without provisioning
- 7 orphaned accounts (ex-employees with active access)
- 12 unused licenses (paying for seats nobody uses)
- 101 IT hours per year on manual user management
- $12,000+ per year in IT labor, orphaned licenses, and compliance gaps
Across a typical 50-app SaaS stack
- 30+ apps require manual management
- $360,000+ in annual operational overhead
- Hundreds of orphaned accounts creating security exposure
Your Okta investment stops working at the provisioning layer. That's where the cost accumulates.
Sample stack: What's automated vs. what's not
Here's what a typical mid-market Okta deployment actually looks like:
| Layer | Apps | Okta SSO | Provisioning Status |
|---|---|---|---|
| Collaboration | Slack, Notion, Asana | Yes | Paywalled (Enterprise only) |
| Design | Figma, Canva | Yes | Paywalled (Enterprise only) |
| DevOps | GitHub, Datadog | Yes | Paywalled (Enterprise only) |
| Sales/CRM | Salesforce, HubSpot | Yes | Paywalled (Enterprise only) |
| HR/Payroll | Gusto, ADP, BambooHR | Yes | No SCIM exists |
| Finance | QuickBooks, Bill.com, Xero | Yes | No SCIM exists |
| Support | Intercom, Zendesk | Yes | Paywalled (Enterprise only) |
| Recruiting | Lever, LinkedIn Recruiter | Yes | No SCIM exists |
| Marketing | Mailchimp, Marketo | Yes | No SCIM exists |
The pattern: The top half of your stack has SCIM - locked behind Enterprise pricing. The bottom half has no SCIM at any price. Either way, your Okta deployment can't automate provisioning without paying the tax or accepting manual work.
Stop paying the SCIM tax
Stitchflow bypasses the ransom economics entirely.
For the 57% with no SCIM: We build the automation that vendors won't. Users provision and deprovision through Okta, just like native SCIM apps. No waiting for vendors to "add it to the roadmap."
For the 43% holding SCIM hostage: We deliver the same automation without the tier upgrade shakedown. Stay on your current plan. Keep your current pricing. Get provisioning anyway.
How it works: You configure it in Okta like any other SCIM app. Assign users and groups. We handle the browser automation, the edge cases, the 2am failures. 24/7 human-in-the-loop operations.
Less than $5K/year per app. Flat pricing regardless of team size. That's less than most vendors charge for the Enterprise "upgrade" - and you get provisioning for apps that don't offer it at any price.
Your Okta deployment finally works the way it was supposed to. Without the tax.
Frequently asked questions
Okta can only provision users to apps that support SCIM (or have custom Okta connectors). If an app doesn't expose a SCIM API or have an Okta connector, Okta has nothing to connect to. 57% of SaaS apps have no SCIM support at all. Another 42% deliberately lock it behind tier upgrades to extract more revenue. Okta isn't the limitation - vendors choosing profit over interoperability is.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.


