Summary and recommendation
1Password supports SCIM provisioning on its Business plan ($7.99/user/month), but requires deploying and managing the 1Password SCIM Bridge on your own infrastructure. This self-hosted approach means you're responsible for maintaining servers, handling updates, and troubleshooting connectivity issues between your identity provider and 1Password's systems. The SCIM Bridge also operates separately from SSO (which uses OIDC only), requiring you to configure and maintain two distinct integrations.
This architecture creates operational overhead that many IT teams don't want to manage. Unlike cloud-native SCIM implementations, you're essentially running 1Password's provisioning infrastructure for them. When the SCIM Bridge goes down, provisioning stops working. When 1Password updates their API, you need to update your Bridge deployment. For teams that just want automated user lifecycle management, this becomes an ongoing maintenance burden.
The strategic alternative
Stitchflow provides managed provisioning automation for 1Password without requiring you to deploy or maintain any infrastructure. Works with any 1Password plan and any identity provider. Flat pricing under $5K/year with 24/7 human-in-the-loop support.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages 1Password accounts manually. Here's what that costs:
The 1Password pricing problem
1Password gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Business | $7.99/user/mo | ||
| Enterprise | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Business | $7.99/user/mo | ✓ (via SCIM Bridge) |
| Enterprise | Custom pricing | ✓ (via SCIM Bridge) |
Note: Both tiers require deploying 1Password's SCIM Bridge application on your infrastructure (GCP, DigitalOcean, or custom servers).
What this means in practice
Unlike cloud-native SCIM integrations, 1Password's approach requires:
This creates operational burden that scales with your team - every environment change, security patch, or troubleshooting session requires internal resources.
Additional constraints
Summary of challenges
- 1Password supports SCIM but only at Business tier (Custom)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
1Password doesn't sell SCIM à la carte. It's bundled with their Business plan features:
The catch: 1Password's SCIM requires deploying their SCIM Bridge on your own infrastructure (Google Cloud, DigitalOcean, or custom servers). You're not just paying for the Business plan—you're signing up to maintain additional infrastructure.
Stitchflow Insight
If you need advanced password management features anyway, the upgrade makes sense. If you just want automated user provisioning, you're paying $7.99/user/month plus infrastructure costs for features you won't use. We estimate ~60% of Business plan features are irrelevant for teams that only need basic SCIM provisioning.
What IT admins are saying
Community sentiment on 1Password's SCIM implementation centers around infrastructure complexity rather than pricing. Common complaints:
- Having to deploy and maintain the SCIM Bridge on your own infrastructure instead of cloud-native SCIM
- Managing separate integrations for SSO (OIDC) and SCIM provisioning
- Operational overhead of keeping the SCIM Bridge updated and running
- Additional security surface area from self-hosted components
The SCIM Bridge requirement means we're essentially running 1Password infrastructure for them. It's not terrible, but it's definitely more work than other vendors.
Why can't this just be cloud-native like everyone else? Having to spin up containers just for user provisioning feels unnecessarily complex.
The recurring theme
While 1Password's Business plan pricing is reasonable at $7.99/user/month, the self-hosted SCIM Bridge architecture creates operational burden that many IT teams would prefer to avoid.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but want to avoid infrastructure management | Use Stitchflow: skip SCIM Bridge deployment and maintenance |
| Small IT team, no GCP/DigitalOcean expertise | Use Stitchflow: avoid the operational overhead of self-hosted bridge |
| Already on Business plan with dedicated DevOps resources | Use native SCIM: you have the pricing tier and technical capability |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: custom pricing may include managed solutions |
| Minimal user changes, comfortable with manual processes | Manual may work: but monitor for security gaps and scaling issues |
The bottom line
1Password's SCIM Bridge requires you to deploy and maintain infrastructure, adding operational complexity that many IT teams want to avoid. Stitchflow eliminates this burden with fully managed provisioning automation at flat-rate pricing, letting you focus on security instead of server management.
Automate 1Password without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for 1Password at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- Requires deploying 1Password SCIM Bridge on your own infrastructure (GCP, DigitalOcean, or custom)
- SSO uses OIDC protocol only - SCIM and SSO are separate integrations
- Nested groups not fully supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Business required for SCIM
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Business required for SCIM
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
1Password
1Password gates automation behind Business plan. Stitchflow delivers the same SCIM outcomes for a flat fee.
See how it works