Stitchflow
Argo CD logo

Argo CD SCIM guide

Connector Only

How to automate Argo CD user provisioning, and what it actually costs

Native SCIM requires Open Source (Free) plan

Summary and recommendation

Argo CD, the popular open-source GitOps continuous delivery tool, does not support SCIM provisioning at all. As an open-source project, Argo CD relies on SSO via the bundled Dex identity provider (supporting SAML, OIDC, and LDAP) for authentication, but user access management happens through manual ConfigMap edits. Platform teams must maintain RBAC policies in the argocd-rbac-cm ConfigMap, mapping IdP groups to Argo CD roles, while group information only refreshes at authentication time—not when group membership changes in your identity provider.

This creates significant operational overhead for platform teams managing Kubernetes deployments. When developers join or leave teams, or when project access needs change, administrators must manually update ConfigMaps and restart Argo CD components to reflect new permissions. For organizations with frequent team changes or complex namespace-based access patterns, this manual process becomes a bottleneck that contradicts the automation principles GitOps is meant to deliver. Even Akuity's enterprise managed service doesn't add SCIM support—it only provides hosting and support for the same underlying architecture.

The strategic alternative

Stitchflow provides managed provisioning automation for Argo CD, handling the ConfigMap updates and group synchronization automatically as your team structure changes. Works with any Argo CD deployment and any identity provider. Flat pricing under $5K/year, regardless of team size.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?No
SSO available?Yes
SSO protocolSAML 2.0, OIDC, LDAP (via Dex)
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaVia third-partyNo SCIM. Supports OIDC SSO direct integration (without Dex) or SAML via Dex. Configure via argocd-cm ConfigMap. RBAC managed via argocd-rbac-cm ConfigMap with group mappings.
Microsoft Entra IDVia third-partyNo SCIM. Supports native OIDC SSO with Entra ID (recommended) or SAML via Dex. Workload Identity Federation supported for AKS clusters. RBAC via ConfigMaps with Entra group IDs.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Argo CD accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Argo CD pricing problem

Argo CD gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Open SourceFree
Akuity Platform$99/month per 10 apps
Akuity EnterpriseCustom pricing

Pricing structure

PlanPriceSSOSCIM
Open SourceFree
Akuity Platform$99/month per 10 apps
Akuity EnterpriseCustom pricing

What this means in practice

Without SCIM, Argo CD user provisioning requires a hybrid approach:

Initial setup burden

Configure Dex connector in argocd-cm ConfigMap for your IdP
Map IdP groups to Argo CD roles in argocd-rbac-cm ConfigMap
Ensure group claims are properly passed through SSO flow

Ongoing management friction

Group membership changes only take effect when users re-authenticate
New applications or namespaces require manual RBAC policy updates in ConfigMaps
No automated user deprovisioning
access persists until next login attempt

Example RBAC ConfigMap complexity

``yaml policy.csv: | p, role:admin, applications, , /, allow p, role:dev-team, applications, get, dev/, allow g, your-idp-group-id, role:dev-team ``

Additional constraints

Manual ConfigMap maintenance
Every RBAC change requires editing Kubernetes ConfigMaps and restarting Argo CD components
Group sync timing
User permissions only refresh at authentication time, not when IdP group membership changes
Namespace-application alignment
RBAC policies must be manually kept in sync with Kubernetes namespace structure and application deployment patterns
No audit trail
User access changes aren't logged through standard provisioning audit mechanisms
Platform team bottleneck
DevOps teams become the gatekeepers for all access changes since everything requires ConfigMap edits

Summary of challenges

  • Argo CD does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Argo CD actually offers for identity

SSO via Dex (Open Source)

Argo CD bundles the Dex identity proxy to handle authentication with third-party identity providers:

SettingDetails
ProtocolSAML 2.0, OIDC, LDAP
Supported IdPsOkta, Entra ID, Google Workspace, GitHub, GitLab, generic SAML/OIDC
ConfigurationEdit argocd-cm ConfigMap with Dex connector settings
User provisioningJust-in-time (JIT) only - no account pre-creation required

How RBAC works: User permissions are managed through the argocd-rbac-cm ConfigMap, where you map IdP groups to Argo CD roles (readonly, admin, or custom policies).

Native OIDC Support (Alternative)

Argo CD also supports direct OIDC integration without Dex:

Okta
Direct OIDC integration using Okta as authorization server
Entra ID
Native integration with Microsoft identity platform
Google
Direct Google OIDC connector

This bypasses Dex but still requires manual ConfigMap management for RBAC policies.

Core Limitation: No User Provisioning

Both approaches provide SSO authentication but zero provisioning capabilities:

No SCIM support
Users can't be created, updated, or deactivated programmatically
Manual RBAC management
All role assignments require editing Kubernetes ConfigMaps
Group sync only at login
Group membership changes don't update until user re-authenticates
No lifecycle management
Departing employees retain access until ConfigMaps are manually updated

For platform teams managing hundreds of developers across multiple Kubernetes namespaces and applications, this creates significant operational overhead and security gaps.

What IT admins are saying

Argo CD's lack of native SCIM creates ongoing operational overhead for platform teams managing GitOps at scale:

  • RBAC policies must be manually maintained via ConfigMaps whenever team structures change
  • Group membership updates only sync when users authenticate, not in real-time
  • Complex SSO setup through Dex adds another configuration layer to maintain
  • No automated user lifecycle management means manual cleanup when employees leave

Group info only refreshed at authentication time

Argo CD community documentation

No SCIM means RBAC managed via ConfigMaps

Platform engineering teams consistently report this limitation

Manual ConfigMap edits for RBAC changes

DevOps engineers note the operational burden of keeping permissions current

The recurring theme

Even with SSO working, platform teams spend significant time manually syncing identity provider changes to RBAC ConfigMaps, and stale group memberships persist until users next authenticate.

The decision

Your SituationRecommendation
Small DevOps team (<10 engineers)Manual RBAC ConfigMap management is workable
Single Kubernetes cluster with stable teamSSO + manual group mappings acceptable
Platform team managing 20+ apps/namespacesUse Stitchflow: RBAC complexity demands automation
Multi-cluster enterprise with compliance needsUse Stitchflow: audit trails and consistent access essential
Frequent developer onboarding/offboardingUse Stitchflow: manual ConfigMap updates don't scale

The bottom line

Argo CD is an excellent GitOps tool, but it lacks SCIM entirely—forcing you to manage access through IdP groups and manual RBAC ConfigMaps. For platform teams managing complex Kubernetes environments where access changes frequently, Stitchflow eliminates the operational overhead of ConfigMap management while maintaining the security controls you need.

Automate Argo CD without third-party complexity

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Argo CD at <$5K/year, flat, regardless of team size.

Works alongside or instead of native SCIM
Syncs with your existing IdP (Okta, Entra ID, Google Workspace)
Automates onboarding and offboarding
SOC 2 Type II certified
24/7 human-in-the-loop monitoring
Book a Demo

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No native SCIM provisioningUser/group management via IdP and RBAC ConfigMapsGroup info only refreshed at authentication timeManual ConfigMap edits for RBAC changes

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No native SCIM provisioning
  • User/group management via IdP and RBAC ConfigMaps
  • Group info only refreshed at authentication time
  • Manual ConfigMap edits for RBAC changes

Documentation not available.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app

Where to enable

Entra admin center → Enterprise applications → Argo CD → Single sign-on

Docs

Microsoft Entra integration

No SCIM. Supports native OIDC SSO with Entra ID (recommended) or SAML via Dex. Workload Identity Federation supported for AKS clusters. RBAC via ConfigMaps with Entra group IDs.

Use Stitchflow for automated provisioning.

Unlock SCIM for
Argo CD

Argo CD doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.

See how it works
Admin Console
Directory
Applications
Argo CD logo
Argo CD
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.