Summary and recommendation
15Five includes SCIM provisioning on all plans starting at $4/user/month, with full support for creating, updating, and deactivating users across Okta, Entra ID, Google Workspace, and OneLogin. However, 15Five's SCIM implementation has a critical prerequisite: SSO must be configured first, and their documentation explicitly warns against using JIT provisioning alongside SCIM due to duplicate user creation risks.
This creates operational friction for IT teams managing performance management rollouts. The SSO-first requirement means you can't test SCIM provisioning in isolation, and the JIT conflict forces you to choose between automated onboarding convenience and reliable user lifecycle management. For HR-driven tools like 15Five that need to maintain accurate manager hierarchies and team structures, these provisioning gaps can disrupt performance review cycles and employee engagement tracking.
The strategic alternative
15Five has native SCIM. Native SCIM is a start, but critical offboarding and access review workflows still break across systems. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages 15Five accounts manually. Here's what that costs:
The 15Five pricing problem
15Five gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $4/user/mo | ||
| Engage | $4/user/mo | ||
| Perform | $11/user/mo | ||
| Total Platform | $16/user/mo |
All plans billed annually. SCIM available at no additional cost.
What this means in practice
While 15Five doesn't gate SCIM behind expensive tiers, the implementation creates operational challenges:
Additional constraints
Summary of challenges
- 15Five supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What 15Five actually offers for identity
15Five includes SCIM provisioning across all pricing tiers, making it unusually accessible compared to most SaaS apps. Here's what you get:
The catch: SSO must be configured before SCIM, and just-in-time (JIT) provisioning conflicts with SCIM automation. 15Five's documentation explicitly warns against using JIT when SCIM is active, as it can create duplicate user records.
While SCIM is technically available on the $4/user Standard plan, you'll need SSO working first. For organizations that want simple automated provisioning without SSO complexity, this prerequisite adds unnecessary friction to what should be a straightforward setup.
What IT admins are saying
Community sentiment on 15Five's SCIM implementation is mixed, with frustration centered around prerequisite requirements and integration conflicts. Common complaints:
- SSO being required before SCIM setup adds implementation complexity
- JIT provisioning conflicts with SCIM, creating duplicate user scenarios
- Limited attribute passing through SSO forces reliance on SCIM for complete profiles
- Manager hierarchy syncing issues during performance review cycles
The JIT and SCIM conflict is a real pain point - you have to choose one or the other, but then you lose flexibility.
Why does SSO need to be configured first? Most other apps let you set up SCIM independently.
The recurring theme
While SCIM is available on all plans (a positive), the implementation requirements and integration dependencies create unnecessary friction for IT teams trying to automate their performance management workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| Any plan, want SCIM without SSO complexity | Use Stitchflow: skip the SSO prerequisite entirely |
| Using JIT provisioning, need SCIM too | Use Stitchflow: avoid the JIT/SCIM conflict that creates duplicates |
| Multiple IdPs or complex attribute mapping | Use Stitchflow: get unified provisioning across all identity providers |
| Already have SSO configured, comfortable with native setup | Use native SCIM: it's included in all plans |
| Small team with minimal user changes | Manual may work: but watch for manager hierarchy sync issues |
The bottom line
While 15Five includes SCIM in all plans, the SSO prerequisite and JIT conflicts create unnecessary complexity for many IT teams. Stitchflow eliminates these dependencies, delivering clean provisioning automation without the setup headaches.
Make 15Five workflows AI-native
15Five has native SCIM, but critical workflows still break across systems. We build the full end-to-end workflow in your environment.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- SSO should be configured before SCIM
- JIT not recommended when using SCIM (can create duplicates)
- SSO only passes Email and Name ID - other attributes via SCIM
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM creates new users when assigned in Okta. Sync is one-way (Okta to 15Five). Import existing users to make Okta aware of them.
15Five has native SCIM, but critical workflows still break across systems. Stitchflow builds complete end-to-end outcomes with your team.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Initial sync takes ~40 minutes, then every ~20 minutes. Groups cannot remove access - must unassign individually. SCIM key is 30 chars (not 32-char API key).
15Five has native SCIM, but critical workflows still break across systems. Stitchflow builds complete end-to-end outcomes with your team.
Unlock SCIM for
15Five
15Five has native SCIM, but complete workflows still span more than one tool. We build the full flow with your team so you can extend it to anything else in the company.
See how it works
