What percentage of SaaS apps support SCIM?

Based on our analysis of 721 applications, only 45% support SCIM or IdP connector provisioning at all. Of those, 98% require a tier upgrade. Only 9 apps offer SCIM on their base tier. Effectively, 98.8% of SaaS apps don't have accessible SCIM provisioning for mid-market companies.

How many apps require a tier upgrade for SCIM?

301 apps in our analysis - 43% of the total - offer SCIM or IdP connector provisioning only on upgraded tiers. This includes both native SCIM paywalls and apps like Zendesk where IdP connectors work but require a tier upgrade. Combined with the 57% that have no SCIM at all, 98.8% of apps require either manual management or an expensive upgrade.

What is the SCIM coverage gap?

The SCIM coverage gap refers to the percentage of SaaS applications that don't support automated user provisioning on standard pricing tiers. Our data shows this gap is 98.8% - meaning only 1.2% of apps (9 out of 721) offer accessible SCIM. This creates significant operational burden for IT teams who must manage most apps manually.

Do most SaaS apps support automated provisioning?

No. 57% of SaaS apps have no SCIM support at any price. Another 42% lock SCIM behind tier upgrades that cost 2-3x standard pricing. Automated provisioning remains a premium feature that most mid-market companies can't access across their full SaaS stack.

What's the difference between native SCIM and IdP connectors?

Native SCIM means the SaaS app has built-in support for the SCIM 2.0 protocol, allowing direct integration with identity providers like Okta or Entra ID. IdP connectors are pre-built integrations in your IdP's catalog - but many only support SSO (authentication), not provisioning. An app can appear in Okta's catalog for SSO while still requiring manual user management.

Why don't more SaaS apps support SCIM?

SCIM support is often a deliberate business decision, not a technical limitation. Vendors use SCIM as a feature gate to push customers toward expensive Enterprise tiers. The protocol has existed since 2011 and is well-documented - building SCIM support is straightforward for any modern SaaS platform.

We Analyzed 721 SaaS Apps. Only 9 Offer SCIM Without Upgrade

TL;DR

We analyzed 721 SaaS apps. Only 9 offer SCIM without a tier upgrade.

Status	Apps	Percentage
No SCIM at all	411	57%
SCIM paywalled	301	42%
SCIM on base tier	9	1.2%

That's 98.8% of apps where you're either paying enterprise prices or managing users manually.

Your IdP isn't failing you. Vendors are. They've turned automated provisioning into an upsell, not a feature.

SCIM has existed since 2011. They could build it. They chose to sell it.

The data nobody wants to publish

Every IdP vendor promises the same thing: "Connect your apps. Automate provisioning. Secure your organization."

Then you try to connect your actual apps.

We analyzed 721 SaaS applications across every major category - HR, sales, marketing, finance, DevOps, collaboration, security. We looked at one thing: can you automate user provisioning without paying enterprise prices?

The answer, for 98.8% of apps, is no.

The numbers

SCIM Status	Apps	Percentage
No SCIM (no provisioning option)	411	57%
SCIM paywalled (requires tier upgrade)	301	43%
SCIM on base tier	9	1.2%

Read that last row again. Out of 721 applications, only nine offer SCIM provisioning without requiring a tier upgrade.

Everyone else either doesn't support SCIM at all, or makes you pay 2-3x more for it.

The 98.8% problem

When you bought Okta (or Entra ID, or OneLogin), you were sold a vision: employees join, they get access to everything automatically. Employees leave, access revoked instantly. No tickets. No spreadsheets. No security gaps.

That vision works for about 1.2% of your SaaS stack.

For the other 98.8%, you're either:

Managing users manually (because the app has no SCIM)
Paying enterprise prices for every app that does support SCIM
Living with security gaps you hope auditors don't notice

Your IdP isn't broken. The ecosystem is.

Which categories are worst?

We broke down SCIM support by vertical. The gaps are consistent across industries, but some categories are worse than others.

Category	Total Apps	No SCIM	Gap
Finance/Accounting	9	8	89%
Marketing Tools	16	13	81%
Password Managers	138	103	75%
CRM/Sales	29	21	72%
HR/Payroll	94	67	71%
Developer Tools	10	6	60%
Project Management	14	7	50%
Communication	59	28	47%

Finance and accounting tools have an 89% SCIM gap. The apps that manage your money can't manage their own users.

Password managers - the tools meant to secure access - have a 75% gap. The irony writes itself.

Why this happens

SCIM isn't technically difficult. The protocol has existed since 2011. Every major IdP supports it. The specification is open and well-documented.

Vendors don't withhold SCIM because they can't build it. They withhold it because it's profitable.

The playbook

Offer a cheap or free tier to land new customers
Let usage grow across the organization
When IT asks about provisioning, point to the Enterprise tier
Bundle SCIM with features nobody asked for (audit logs, compliance reports, advanced analytics)
Charge 2-3x the standard price

This isn't a technical limitation. It's a business model. SCIM is the feature gate that forces mid-market companies into enterprise contracts.

The real cost of the SCIM gap

Without automated provisioning, IT teams absorb the operational burden manually. Based on Stitchflow customer data across 500-person companies:

Per app without SCIM

7 orphaned accounts (ex-employees with active access)
12 unused licenses (paying for seats nobody uses)
101 IT hours per year on manual user management
$12,000+ per year in IT labor, orphaned licenses, and compliance gaps

Across a typical 50-app SaaS stack

27+ apps require manual management (57% with no SCIM)
$360,000+ in annual operational overhead
Hundreds of orphaned accounts creating security exposure

The vendors who won't give you SCIM are costing you six figures a year in manual work.

The apps that do it right

Credit where it's due. Only nine apps in our entire analysis offer SCIM without requiring a tier upgrade:

15Five - Performance management. SCIM on all plans starting at $4/user/mo.
HiBob - HR platform. SCIM included on all plans.
Ramp - Corporate cards and spend management. SCIM included even on free tier.
AWS IAM Identity Center - Identity federation for AWS. SCIM included free.
Tableau Cloud - Analytics. SCIM on all tiers.
Netskope - Security platform. SCIM on Standard tier.
Klaviyo - Marketing automation. SCIM on all paid plans.
Sentry - Error tracking. SCIM on Business tier (reasonable).
Brex - Spend management. SCIM included.

That's the complete list. Nine apps out of 721 - just 1.2%.

The apps that paywall it

301 apps offer SCIM or IdP connector provisioning - but only if you upgrade. The usual suspects:

Salesforce - SCIM on Enterprise only
Slack - SCIM on Enterprise Grid only
GitHub - SCIM on Enterprise Cloud only (requires EMU)
Figma - SCIM on Enterprise only
Notion - SCIM on Enterprise only
Monday.com - SCIM on Enterprise only
Asana - SCIM on Enterprise only
DocuSign - SCIM on Enterprise only
ClickUp - SCIM on Enterprise only
Canva - SCIM on Enterprise only
ChatGPT/OpenAI - SCIM on Enterprise only
Cursor - SCIM on Enterprise only
Datadog - SCIM on Enterprise only
Zendesk - No native SCIM, but IdP connectors work on Professional tier (2.1x upgrade)

And 225 more.

The pattern is consistent: mass-market SaaS tools land cheap and monetize through enterprise feature gates. SCIM is almost always behind the gate.

The apps with no SCIM at all

411 apps - 57% of our analysis - offer no provisioning automation at any price:

QuickBooks - No SCIM
ADP - No SCIM
Gusto - No SCIM
Lever - No SCIM
LinkedIn Recruiter - No SCIM
Basecamp - No SCIM
Buffer - No SCIM
Clay - No SCIM
Mailchimp - No SCIM
Pipedrive - No SCIM

These aren't obscure tools. They're category leaders with millions of users. They've decided automated provisioning isn't worth building - or they're waiting to monetize it later.

Note: Some apps like Zendesk have no native SCIM but CAN be provisioned via Okta/Entra IdP connectors - however, this still requires a tier upgrade, so we count them under "SCIM paywalled" not here.

What this means for IT teams

If you manage identity for a mid-market company (500-5,000 employees), here's your reality:

Your IdP can reach about 1.2% of apps natively. The other 98.8% require either manual management or expensive tier upgrades.

The "identity automation gap" isn't your fault. You didn't misconfigure Okta. Vendors chose not to support the protocol.

Enterprise upgrades don't scale. Upgrading 30+ apps to Enterprise tiers to get SCIM would cost more than your entire IT budget.

Manual management creates risk. Every app without automated deprovisioning is a security exposure waiting to be discovered by auditors - or attackers.

The alternative

Stitchflow provides SCIM-equivalent provisioning for apps that don't support it natively.

For the 57% with no SCIM: We build the integration that doesn't exist. Users provision and deprovision through your IdP, just like native SCIM.

For the 43% that paywall SCIM: We deliver the same automation without the tier upgrade. Stay on your current plan.

How it works: You configure it in Okta like any other SCIM app. Assign users and groups. We handle the browser automation, the edge cases, the 2am failures. 24/7 human-in-the-loop operations.

Less than $5K/year per app. Flat pricing regardless of team size.

Your IdP finally works the way it was supposed to.

Book a Demo →