Summary and recommendation
Red Hat Ansible Automation Platform (formerly Ansible Tower) does not support SCIM provisioning on any plan, despite enterprise subscription pricing ranging from $5,000 to $14,000 per year. Instead, Ansible relies on SAML attribute mapping or LDAP synchronization for user provisioning. While this approach can technically automate user creation through just-in-time (JIT) provisioning, it creates significant operational overhead—IT teams must carefully configure SAML attributes to map users to the correct teams and organizations within Ansible, and any changes to team structure or permissions require manual SAML configuration updates.
For DevOps teams managing automation credentials and playbook access, this limitation creates a compliance risk. Without true SCIM provisioning, there's no standardized way to automatically provision users with appropriate permissions or deprovision them when they leave teams. The SAML attribute mapping workaround means user access depends on maintaining complex attribute configurations across your identity provider, making it difficult to ensure least-privilege access to critical automation infrastructure.
The strategic alternative
Ansible Tower has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OAuth2/OIDC, LDAP |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | Okta SSO via SAML is supported. Requires specific Okta configuration including attribute and group statements. No SCIM provisioning - uses SAML attributes for user/team mapping. |
| Microsoft Entra ID | Via third-party | ❌ | Microsoft Entra ID supported as SAML IdP or OAuth2/OIDC provider. AAP 2.5+ has direct Entra ID authentication type. JIT provisioning via SAML/OIDC attributes. No SCIM. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Ansible Tower accounts manually. Here's what that costs:
The Ansible Tower pricing problem
Ansible Tower gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| AWX (Open Source) | Free | ||
| Ansible Automation Platform Standard | $5,000 - $14,000 | ||
| Ansible Automation Platform Premium | Custom pricing |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| AWX (Open Source) | Free | ||
| Ansible Automation Platform Standard | $5,000 - $14,000 | ||
| Ansible Automation Platform Premium | Custom pricing |
Pricing notes
What this means in practice
Without SCIM, Ansible Tower provisioning becomes a manual workflow:
User onboarding requires
1. IT admin manually creates user account in Ansible Tower 2. Assigns appropriate teams and permissions based on role 3. User can then authenticate via SSO on subsequent logins
User offboarding gaps
Team management friction
Additional constraints
Summary of challenges
- Ansible Tower does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Ansible Tower actually offers for identity
SAML/LDAP Authentication (Red Hat Subscription)
Red Hat Ansible Automation Platform supports federated authentication through multiple protocols:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0, OAuth2/OIDC, LDAP |
| Supported IdPs | Okta, Microsoft Entra ID, generic SAML providers |
| JIT provisioning | ✓ Yes (via SAML attribute mapping) |
| Team mapping | ✓ Yes (via SAML groups or LDAP sync) |
| User provisioning | Manual or LDAP sync only |
Critical limitation: Ansible Tower has no native SCIM support. User lifecycle management relies entirely on SAML attribute mapping during login or periodic LDAP synchronization.
Okta Integration
The Ansible Tower + Okta integration provides:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| SCIM provisioning | ❌ No |
| JIT user creation | ✓ Yes (via SAML attributes) |
| Team assignment | ✓ Yes (via SAML group statements) |
| Automated deprovisioning | ❌ No |
Microsoft Entra ID Integration
AAP 2.5+ includes direct Entra ID support:
| Feature | Supported? |
|---|---|
| OAuth2/OIDC SSO | ✓ Yes |
| SAML SSO | ✓ Yes |
| SCIM provisioning | ❌ No |
| JIT user creation | ✓ Yes |
| Group sync | ✓ Yes (via token attributes) |
The real problem: Without SCIM, deprovisioning users requires manual action in Ansible Tower or depends on session timeouts. For DevOps teams managing automation credentials and playbook permissions, this creates security gaps when team members leave or change roles.
What IT admins are saying
Ansible Tower's lack of native SCIM provisioning frustrates IT teams managing DevOps automation platforms:
- Manual user provisioning despite enterprise pricing - no automated sync from identity providers
- Complex SAML attribute mapping required for team assignments and role-based access
- LDAP sync as the only semi-automated option, but requires additional infrastructure
- AWX (free version) offers no production support when provisioning issues arise
No SCIM means manual or LDAP-based provisioning
User provisioning via SAML attribute mapping or LDAP sync
The recurring theme
For a platform designed to automate everything else, Ansible Tower ironically requires manual intervention for user lifecycle management. IT teams must rely on SAML attributes or maintain separate LDAP infrastructure just to provision users into their automation platform.
The decision
| Your Situation | Recommendation |
|---|---|
| Small DevOps team (<10 users) with stable membership | Manual management is acceptable |
| AWX free version for development/testing | Manual user creation with SAML SSO |
| Enterprise with 50+ automation users | Use Stitchflow: LDAP sync is complex and brittle |
| Multi-team environment with frequent role changes | Use Stitchflow: SAML attribute mapping insufficient |
| Compliance requirements for access audit trails | Use Stitchflow: automation essential for SOC/SOX compliance |
The bottom line
Red Hat Ansible Automation Platform is enterprise-grade automation software, but it lacks SCIM provisioning entirely. Your only options are manual user management, complex LDAP synchronization, or unreliable SAML attribute mapping. For DevOps teams that need proper user lifecycle automation, Stitchflow delivers the missing SCIM layer without the operational overhead.
Make Ansible Tower workflows AI-native
Ansible Tower has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No native SCIM provisioning support
- User provisioning via SAML attribute mapping or LDAP sync
- AWX (free version) has no SLA or enterprise support
- Multiple SAML IdPs supported but require configuration
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
Microsoft Entra ID supported as SAML IdP or OAuth2/OIDC provider. AAP 2.5+ has direct Entra ID authentication type. JIT provisioning via SAML/OIDC attributes. No SCIM.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Ansible Tower
Ansible Tower has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
