Summary and recommendation
athenaOne, the cloud-based EHR platform used by healthcare organizations, does not support SCIM provisioning on any plan. While athenaOne offers SSO integration through federated identity with major providers like Okta and Entra ID, this only handles authentication, not user lifecycle management. Healthcare IT teams must manually create, modify, and deactivate user accounts within athenaOne's role-based access system, despite paying $140+ per provider monthly plus 4-7% of collections. This creates a significant operational burden for organizations managing dozens or hundreds of clinical users across multiple locations.
The lack of automated provisioning creates serious compliance and security risks in healthcare environments. Without SCIM, IT teams can't automatically enforce role changes when staff transition between departments, or immediately revoke access when employees leave - both critical requirements under HIPAA. Manual user management also increases the likelihood of over-privileged accounts remaining active, creating potential audit findings and data exposure risks. Third-party solutions like Cerby have been suggested, but these add complexity and cost to an already expensive EHR investment.
The strategic alternative
athenaOne has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | athenahealth offers federated identity via org-to-org functionality. SSO only, no SCIM provisioning. |
| Microsoft Entra ID | ✓ | ❌ | Azure AD integration available for SSO. No native SCIM provisioning - third-party solutions like Cerby may be required. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages athenaOne accounts manually. Here's what that costs:
The athenaOne pricing problem
athenaOne does not offer SCIM provisioning on any plan, so moving to a higher tier raises cost without unlocking automated user management.
Pricing structure
| Plan | Pricing | SSO | SCIM |
|---|---|---|---|
| Business | $140/provider/mo + 4-7% of collections | ✓ Available | ❌ Not available |
| Enterprise | Custom pricing | ✓ Available | ❌ Not available |
What this means in practice
Without SCIM provisioning, IT teams must:
The percentage-of-collections pricing model (4-7% of revenue) creates additional budget complexity, as provisioning costs scale with your practice's financial performance rather than actual user count.
Additional constraints
Summary of challenges
- athenaOne does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What athenaOne actually offers for identity
SAML SSO (All Plans)
athenaOne provides federated identity through their org-to-org functionality:
| Feature | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Azure AD, custom SAML providers |
| Configuration | Contact athenahealth support for setup |
| User requirement | Manual account creation required |
Key limitation: SSO only handles authentication. All user provisioning, role assignments, and access management must be handled manually within athenaOne's interface.
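One way to run the manual access review this limitation implies, as an added example (not code from athenahealth or from this page's author): it reconciles an IdP user export against a user list exported from the application and flags accounts that are still active after deactivation in the IdP, unknown to the IdP, or holding a role outside their department. The CSV column names, status values and department-to-role mapping are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a real
# athenaOne or IdP export format.
IDP_EXPORT = """email,status,department
a.rivera@clinic.example,ACTIVE,cardiology
b.chen@clinic.example,DEPROVISIONED,billing
c.okafor@clinic.example,ACTIVE,billing
"""

APP_EXPORT = """email,active,role
A.Rivera@clinic.example,true,cardiology_provider
b.chen@clinic.example,true,billing_admin
c.okafor@clinic.example,true,cardiology_provider
d.legacy@clinic.example,true,front_desk
e.former@clinic.example,false,front_desk
"""

# Hypothetical policy: which application roles each IdP department may hold.
ALLOWED_ROLES = {
    "cardiology": {"cardiology_provider"},
    "billing": {"billing_admin", "billing_clerk"},
}

def load(text):
    """Index CSV rows by normalized e-mail so case differences do not hide matches."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def review_access(idp_csv, app_csv, allowed_roles=ALLOWED_ROLES):
    """Return (email, finding) pairs for active app accounts that need action."""
    idp, app = load(idp_csv), load(app_csv)
    findings = []
    for email, acct in sorted(app.items()):
        if acct["active"].strip().lower() != "true":
            continue  # already disabled in the application
        person = idp.get(email)
        if person is None:
            findings.append((email, "NOT_IN_IDP"))       # no owner of record
        elif person["status"] != "ACTIVE":
            findings.append((email, "IDP_DEACTIVATED"))  # offboarded, app account still live
        elif acct["role"] not in allowed_roles.get(person["department"], set()):
            findings.append((email, "ROLE_MISMATCH"))    # role not updated after a transfer
    return findings

if __name__ == "__main__":
    for email, reason in review_access(IDP_EXPORT, APP_EXPORT):
        print(f"{reason:16} {email}")
```

Saving each run's findings with a timestamp gives the review a record that can be shown during an audit.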
Okta Integration (via OIN)
The official Okta Integration Network listing confirms limited functionality:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group sync | ❌ No |
| Role provisioning | ❌ No |
Azure AD Integration
Microsoft's marketplace listing shows similar constraints:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| User provisioning | ❌ No |
| Automated deprovisioning | ❌ No |
| Group assignments | ❌ No |
Reality check: athenaOne's documentation explicitly mentions that third-party solutions like Cerby may be required for automated provisioning workflows.
What's actually missing
The core problem: athenaOne handles patient data worth millions in collections (their 4-7% fee model), but leaves basic identity management as a manual process vulnerable to human error.
What IT admins are saying
Community sentiment on athenaOne's user provisioning reveals significant frustration with manual processes:
- Manual user creation required despite SSO implementation
- No automated deprovisioning when staff leave healthcare organizations
- High-stakes compliance requirements make manual processes risky
- Complex role-based access management handled entirely within athenaOne interface
The recurring theme
Healthcare IT teams get SSO authentication but must still manually manage every user lifecycle event in athenaOne, creating compliance risks and administrative overhead in an industry where access control mistakes can have serious consequences.
The decision
| Your Situation | Recommendation |
|---|---|
| Small practice (<10 providers) | Manual management acceptable for stable teams |
| Healthcare organization with high provider turnover | Use Stitchflow: automation essential for compliance |
| Multi-location health system (20+ providers) | Use Stitchflow: manual management becomes unmanageable |
| Enterprise with audit/compliance requirements | Use Stitchflow: automated provisioning creates necessary audit trail |
| Healthcare IT team managing multiple EHR systems | Use Stitchflow: consistent provisioning across all applications |
The bottom line
athenaOne has no native SCIM. Stitchflow automates complete workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specified
Supported Operations
Not specified
Supported Attributes
Plan requirement
Not specified
Prerequisites
Not specified
Key limitations
- No native SCIM provisioning support
- Pricing based on percentage of collections model (4-7%)
- User access management is role-based within athenaOne
- Identity verification required for Authorized Users (AL3 standards)
- Third-party solutions like Cerby needed for automated provisioning
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
athenahealth offers federated identity via org-to-org functionality. SSO only, no SCIM provisioning.
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
Azure AD integration available for SSO. No native SCIM provisioning - third-party solutions like Cerby may be required.
Use Stitchflow for automated provisioning.


