TL;DR
You assume "no SCIM" means obscure niche tools. It's also QuickBooks, Gusto, and Mailchimp.
We analyzed 721 SaaS apps. 411 (57%) have no SCIM at any price. The niche tools are painful - the legacy ERP, the industry-specific CRM, the vertical software nobody's heard of. But the surprise is how many household names are on the list:
- QuickBooks - most popular accounting software in America, no SAML or SCIM
- Gusto - #1 SMB payroll platform, creates users but never removes them
- Mailchimp - serves enterprises, no native provisioning
- Pipedrive - leading sales CRM, Okta connector only

The assumption vs. the reality
When IT teams hear "apps without SCIM," they picture:
- The legacy ERP from 2009
- The niche vertical tool for their specific industry
- The internal admin dashboard some developer built years ago
Those apps are painful. They're in the database. They're a huge source of provisioning hell.
But they're not the whole story.
We analyzed 721 SaaS apps across every category - CRM, HR, finance, DevOps, marketing, support. 411 of them have no SCIM at any price. And the list includes apps you use every day.
The surprisingly popular apps with no SCIM
Finance and accounting
QuickBooks - The most widely used accounting software in America doesn't support SAML or SCIM. Users authenticate with Google OAuth or email/password. No automated provisioning. No automated deprovisioning. The tool handling your company's finances has 2005-era identity management.
Xero - The other major cloud accounting platform. Their product ideas forum has SCIM requests going back over a decade. Hundreds of votes. Still waiting.
FreshBooks - Same story. Bill.com, Wave, Expensify (standard tier) - the pattern holds across the category.
The exception: Ramp includes SCIM on their free tier. They're one of 9 apps in our entire database that do it right.
HR and payroll
Gusto - The #1 HR/Payroll platform for SMBs has a particularly frustrating setup: Just-In-Time provisioning creates users when they first authenticate, but there's no automated deprovisioning. Employees get created automatically. They never get removed automatically. When someone leaves, their access to payroll data, benefits information, and PII persists until someone remembers to manually revoke it.
ADP - Serves 1 in 6 American workers. No SCIM. 52 orphaned accounts per 500 employees in our customer data - the highest in the database.
Lever - Popular ATS, but SCIM requires Enterprise tier plus a third-party connector (Aquera). The "Enterprise" tier doesn't actually include enterprise identity basics.
Sales and CRM
Pipedrive - Leading sales CRM with a fragmented story. Okta users get an Okta-specific connector. Everyone else - Entra, Google Workspace, other IdPs - gets nothing. Not open standards. Vendor lock-in disguised as integration.
Clay - The hot sales intelligence platform (Y Combinator, $50M+ raised). Enterprise tier costs $30K+/year. Still no SCIM. You pay enterprise pricing without enterprise identity.
Close, Copper, Nutshell - The pattern continues across SMB-focused CRMs.
Marketing
Mailchimp - Serving enterprise customers for years. No native SCIM. Third-party workarounds exist (Aquera), but the vendor never built it themselves.
Constant Contact - Email marketing since 1995. SSO is limited to partner integrations. Direct customers get nothing.
Buffer, Sprout Social - Social media management tools with no enterprise identity features. When a social media manager leaves, you're relying on someone remembering to revoke access to your brand accounts.
Project management
Basecamp - The project management icon, 20+ years in business. Proprietary Okta connector only. $299/month Business plan required. Still not standard SCIM.
Teamwork, Podio, Nifty - Popular PM tools with no SCIM at any price.
The categories where it's worst
Finance tools handle your money but can't handle identity
The tools managing your company's finances have the worst identity management:
- QuickBooks, Xero, FreshBooks - no SCIM
- Bill.com, Expensify, Wave - no SCIM
- Most spend management tools - no SCIM
These apps handle sensitive financial data, require compliance controls, and often appear in audits. Yet they force manual provisioning.
HR tools know when people leave but can't act on it
The irony is brutal. HR and payroll systems are the source of truth for employment status. They know the moment someone is terminated. But most can't automatically revoke access:
- Gusto - JIT only, no deprovisioning
- ADP - no SCIM, highest orphan account rate
- Paychex, TriNet, Justworks - no SCIM
The systems that should trigger offboarding can't even participate in it.
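Where an app is JIT-only or has no SCIM, the usual stopgap is a periodic reconciliation of the HR roster against the app's user export. The sketch below is an added example, not Stitchflow's code or any vendor's API. The CSV column names, the sample rows, and the service-account allowlist are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster export and one app's user export.
HR_ROSTER_CSV = """email,status,termination_date
ana@example.com,active,
Ben@Example.com,terminated,2024-03-01
cy@example.com,terminated,2024-05-20
"""

APP_USERS_CSV = """email,state
ana@example.com,active
ben@example.com ,active
cy@example.com,suspended
dee@example.com,active
payroll-bot@example.com,active
"""

def norm(email):
    """Case- and whitespace-insensitive join key for both exports."""
    return email.strip().lower()

def find_orphans(hr_csv, app_csv, today, service_accounts=()):
    """Return (email, reason, days_since_termination) for every active app
    account that has no active employee behind it, longest exposure first."""
    hr = {norm(r["email"]): r for r in csv.DictReader(io.StringIO(hr_csv))}
    allow = {norm(e) for e in service_accounts}
    findings = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        email = norm(row["email"])
        if row["state"].strip().lower() != "active" or email in allow:
            continue  # already disabled in the app, or a known non-human account
        person = hr.get(email)
        if person is None:
            # JIT-created or hand-created account that HR has never heard of
            findings.append((email, "no_hr_record", None))
        elif person["status"].strip().lower() == "terminated":
            left = person["termination_date"].strip()
            days = (today - date.fromisoformat(left)).days if left else None
            findings.append((email, "terminated", days))
    return sorted(findings, key=lambda f: (f[2] is None, -(f[2] or 0)))

if __name__ == "__main__":
    bots = ["payroll-bot@example.com"]
    for finding in find_orphans(HR_ROSTER_CSV, APP_USERS_CSV, date(2024, 6, 1), bots):
        print(finding)
```

The `no_hr_record` bucket matters as much as the terminated one: it surfaces contractors, shared mailboxes, and accounts created under a personal address that a roster-driven offboarding checklist would never touch.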
Sales tools have the highest turnover and no automation
Sales teams turn over at 25-35% annually. Sales tools contain customer lists, deal data, pricing information - exactly what a departing rep might take to a competitor. Yet:
The apps with the highest churn and most sensitive data have the least automation.
What the niche tools add
Our 721-app database focuses on common SaaS tools. It doesn't include:
- Every industry-specific ERP
- Church management software, legal practice tools, healthcare specialty apps
- Internal tools and custom-built admin dashboards
- Regional or country-specific vendors
The "no SCIM" problem extends far beyond our database. For every QuickBooks, there are dozens of vertical tools that never considered enterprise identity.
If 57% of common SaaS apps lack SCIM, the percentage across all software is likely higher.
Why this happens
It's not technical
SCIM has existed since 2011. The protocol is open, well-documented, supported by every major IdP. Building SCIM is straightforward.
It's business decisions
PLG tools chose users over admins. Product-led growth optimizes for individual adoption - easy signup, intuitive interface, viral spread. Nobody in the room said "what about the IT team managing 500 users?"
Legacy platforms chose not to update. QuickBooks Online launched in 2005. Mailchimp started in 2001. They built before cloud identity was standard and never modernized.
SMB-focused vendors chose simplicity. Enterprise features mean engineering cost, which means price increases, which means SMB churn. Easier to ignore the 5% who need SCIM.
These aren't technical constraints. They're strategic choices.
The cost
Whether it's a household-name app or a niche vertical tool, the math is the same:
| Metric | Value |
|---|---|
| IT hours per app per year | 101 hours |
| Annual cost per unautomated app | ~$12,000 |
| Orphaned accounts per app | 7-19 |
That's $12K in IT labor, orphaned licenses, and compliance gaps - per app, per year. Based on real data from 27 organizations.
A company with 20 unautomated apps: $240,000/year in hidden costs.
What to do about it
For the household names - QuickBooks, Gusto, Pipedrive - you're probably stuck with them. They're embedded in your workflows. Switching costs are real.
For the niche tools - the industry ERP, the vertical software - you're definitely stuck with them. That's why they don't have SCIM. They know you can't leave.
Stitchflow works for both.
We deliver SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop. We build the integration. We maintain it. <$5K/app/year.
QuickBooks with no SAML? We handle it. Gusto with JIT-only? We add deprovisioning. The legacy ERP with 340 permission flags? We map them once, you assign groups in Okta.
Frequently asked questions
In our 721-app database, 411 (57%) have no SCIM at any price. Another 301 (42%) have SCIM but paywall it behind enterprise tiers. Only 9 apps (1.2%) include SCIM on their base tier. The real number of apps without SCIM is likely much higher when you include niche, vertical, and industry-specific tools.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.



