Summary and recommendation
15Five includes SCIM provisioning on all plans starting at $4/user/month, with full support for creating, updating, and deactivating users across Okta, Entra ID, Google Workspace, and OneLogin. However, 15Five's SCIM implementation has a critical prerequisite: SSO must be configured first, and their documentation explicitly warns against using JIT provisioning alongside SCIM due to duplicate user creation risks.
This creates operational friction for IT teams managing performance management rollouts. The SSO-first requirement means you can't test SCIM provisioning in isolation, and the JIT conflict forces you to choose between automated onboarding convenience and reliable user lifecycle management. For HR-driven tools like 15Five that need to maintain accurate manager hierarchies and team structures, these provisioning gaps can disrupt performance review cycles and employee engagement tracking.
The strategic alternative
15Five has native SCIM. Provisioning is only one part of the job. Offboarding, access reviews, and license cleanup still break across the rest of the stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages 15Five accounts manually. Here's what that costs:
The 15Five pricing problem
15Five gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $4/user/mo | ||
| Engage | $4/user/mo | ||
| Perform | $11/user/mo | ||
| Total Platform | $16/user/mo |
All plans billed annually. SCIM available at no additional cost.
What this means in practice
While 15Five doesn't gate SCIM behind expensive tiers, the implementation creates operational challenges:
Additional constraints
Summary of challenges
- 15Five supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What 15Five actually offers for identity
15Five includes SCIM provisioning across all pricing tiers, making it unusually accessible compared to most SaaS apps. Here's what you get:
The catch: SSO must be configured before SCIM, and just-in-time (JIT) provisioning conflicts with SCIM automation. 15Five's documentation explicitly warns against using JIT when SCIM is active, as it can create duplicate user records.
While SCIM is technically available on the $4/user Standard plan, you'll need SSO working first. For organizations that want simple automated provisioning without SSO complexity, this prerequisite adds unnecessary friction to what should be a straightforward setup.
What IT admins are saying
Community sentiment on 15Five's SCIM implementation is mixed, with frustration centered around prerequisite requirements and integration conflicts. Common complaints:
- SSO being required before SCIM setup adds implementation complexity
- JIT provisioning conflicts with SCIM, creating duplicate user scenarios
- Limited attribute passing through SSO forces reliance on SCIM for complete profiles
- Manager hierarchy syncing issues during performance review cycles
The JIT and SCIM conflict is a real pain point - you have to choose one or the other, but then you lose flexibility.
Why does SSO need to be configured first? Most other apps let you set up SCIM independently.
The recurring theme
While SCIM is available on all plans (a positive), the implementation requirements and integration dependencies create unnecessary friction for IT teams trying to automate their performance management workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| Any plan, want SCIM without SSO complexity | Use Stitchflow: skip the SSO prerequisite entirely |
| Using JIT provisioning, need SCIM too | Use Stitchflow: avoid the JIT/SCIM conflict that creates duplicates |
| Multiple IdPs or complex attribute mapping | Use Stitchflow: get unified provisioning across all identity providers |
| Already have SSO configured, comfortable with native setup | Use native SCIM: it's included in all plans |
| Small team with minimal user changes | Manual may work: but watch for manager hierarchy sync issues |
The bottom line
15Five has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Close the 15Five workflow gap
15Five has native SCIM, but the workflow still spans more than one system. Stitchflow builds and maintains the full workflow across the rest of your stack.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- SSO should be configured before SCIM
- JIT not recommended when using SCIM (can create duplicates)
- SSO only passes Email and Name ID - other attributes via SCIM
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM creates new users when assigned in Okta. Sync is one-way (Okta to 15Five). Import existing users to make Okta aware of them.
15Five has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Initial sync takes ~40 minutes, then every ~20 minutes. Groups cannot remove access - must unassign individually. SCIM key is 30 chars (not 32-char API key).
15Five has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Close the workflow gap in
15Five
15Five has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Start with the free gap diagnostic
