Summary and recommendation
Apache Superset, the open-source business intelligence platform, provides no native SCIM provisioning capabilities. While Superset supports various authentication methods including OAuth2, OIDC, and LDAP, SAML SSO requires custom development through a CustomSsoSecurityManager class implementation. Even with SSO configured, user provisioning must be handled manually or through Superset's beta User API, which isn't enabled by default and requires additional configuration in superset_config.py.
This creates a significant operational burden for IT teams managing data analysts, engineers, and business users who need access to dashboards and datasets. The lack of automated provisioning means manual account creation for every new hire, plus ongoing management of complex dashboard permissions and row-level security settings. For organizations running self-hosted Superset instances, this translates to custom development work just to achieve basic enterprise SSO integration, let alone automated user lifecycle management.
The strategic alternative
Apache Superset has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | OAuth2, OIDC, LDAP, SAML (custom) |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | Preset (managed Superset) has Okta integration with SAML SSO and user provisioning. Open-source Superset requires custom OAuth2/OIDC configuration in superset_config.py. |
| Microsoft Entra ID | Via third-party | ❌ | No native Entra integration. Requires custom SAML security manager implementation. Azure ADFS/SAML possible with custom code. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Apache Superset accounts manually. Here's what that costs:
The Apache Superset pricing problem
Apache Superset gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Open Source | Free |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Open Source | Free |
Note: Preset offers a managed Superset service with easier SSO integration, but pricing is not publicly available.
What this means in practice
Without native SCIM or SSO support, every enterprise deployment requires:
The User API exists but is in beta status and disabled by default, making any automation unreliable.
Additional constraints
Summary of challenges
- Apache Superset does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Apache Superset actually offers for identity
Open Source Authentication Options
Apache Superset provides several authentication methods, but none include automated provisioning:
| Method | Details |
|---|---|
| Database | Built-in username/password authentication |
| LDAP | Connect to Active Directory or other LDAP servers |
| OAuth2/OIDC | Integration with Google, GitHub, or custom OAuth providers |
| SAML | Requires custom security manager implementation |
Critical limitation: All SSO methods require manual configuration in superset_config.py and custom Python code for SAML implementations.
What's Actually Missing
Preset's Managed Alternative
The commercial Preset Cloud offers easier identity integration:
| Feature | Open Source Superset | Preset Cloud |
|---|---|---|
| SAML SSO | Custom code required | Built-in support |
| Okta integration | Manual OAuth2 setup | Native connector |
| User provisioning | Manual/JIT only | SCIM-like API |
| Configuration | Code changes required | Web UI |
Translation: If you need enterprise SSO without custom development, Apache Superset's open-source nature means you'll either need internal engineering resources or should consider Preset's managed service.
For data teams that need automated provisioning, the lack of native SCIM support means every user onboarding and offboarding requires manual intervention or custom API development.
What IT admins are saying
Apache Superset's open-source nature creates significant integration challenges for enterprise IT teams:
- Custom development required for SAML SSO implementation
- No native SCIM provisioning capabilities
- Complex authentication setup requiring code changes
- Manual user management even after SSO configuration
"No out-of-box SAML support" and "Custom development required for enterprise SSO" are consistent complaints across community forums and implementation guides.
SAML requires custom CustomSsoSecurityManager class
Secure Apache Superset with SAML SSO custom integration with Azure ADFS or any SAML provider
The recurring theme
While Apache Superset is powerful for data visualization, its open-source architecture pushes authentication and provisioning complexity onto IT teams. Most organizations end up considering Preset (the managed version) or building custom solutions to handle enterprise identity requirements.
The decision
| Your Situation | Recommendation |
|---|---|
| Small data team (<10 users) with technical skills | Manual user management acceptable with custom SSO setup |
| Growing analytics team (10-50 users) | Use Stitchflow: eliminates custom development overhead |
| Enterprise deployment with compliance needs | Use Stitchflow: automation essential for audit trails |
| Multi-environment setup (dev/staging/prod) | Use Stitchflow: consistent provisioning across environments |
| Consider Preset (managed Superset) instead | Preset offers native Okta integration, but still lacks SCIM |
The bottom line
Apache Superset's open-source nature means you'll need custom development for enterprise SSO and zero native provisioning capabilities. For data teams that want to focus on analytics instead of authentication code, Stitchflow eliminates the technical overhead and provides automated user lifecycle management that Superset simply can't offer natively.
Make Apache Superset workflows AI-native
Apache Superset has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No native SCIM provisioning
- SAML requires custom security manager implementation
- User API is in beta and not enabled by default
- SSO configuration requires code changes to superset_config.py
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Docs
Preset (managed Superset) has Okta integration with SAML SSO and user provisioning. Open-source Superset requires custom OAuth2/OIDC configuration in superset_config.py.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Apache Superset
Apache Superset has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
