Summary and recommendation
Atlassian Bitbucket supports SCIM 2.0 for user provisioning, but requires an additional Atlassian Guard subscription on top of your existing Bitbucket plan. More critically, Bitbucket's SCIM implementation only provisions users—group sync is completely unavailable. This means while your IdP can create and deactivate user accounts, all repository permissions and team memberships must be managed manually within Bitbucket itself.
For development teams handling sensitive source code, this creates a significant security and operational gap. Repository access controls are critical for IP protection, but without group sync, IT admins must rely on developers to manually assign the correct permissions in Bitbucket after SCIM provisions the accounts. This manual step defeats the purpose of automated provisioning and creates compliance risks when developers leave or change roles.
The strategic alternative
Atlassian Bitbucket gates SCIM behind Atlassian Guard subscription. Skip the Atlassian Guard subscription plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Atlassian Bitbucket accounts manually. Here's what that costs:
The Atlassian Bitbucket pricing problem
Atlassian Bitbucket gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | Free (5 users) | ||
| Standard | $3.30/user/mo | Requires Guard | |
| Premium | $6.60/user/mo | Requires Guard |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Free | Free (5 users) | ❌ |
| Standard | $3.30/user/mo | Requires Guard |
| Premium | $6.60/user/mo | Requires Guard |
Note: SCIM requires a separate Atlassian Guard subscription on top of your Bitbucket plan. Guard pricing varies but adds significant cost to your monthly spend.
What this means in practice
The core limitation: SCIM only provisions user accounts - not repository access. Development teams still need to:
Cost impact: Adding Atlassian Guard to enable basic (incomplete) SCIM:
| Team Size | Base Bitbucket Cost | + Guard Subscription | Total Impact |
|---|---|---|---|
| 25 developers | $990/year | + Guard fees | Significant increase |
| 50 developers | $1,980/year | + Guard fees | Doubles overall cost |
| 100 developers | $3,960/year | + Guard fees | Major budget impact |
Additional constraints
Summary of challenges
- Atlassian Bitbucket supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Bitbucket doesn't sell SCIM à la carte. It requires an Atlassian Guard subscription on top of your existing plan:
If you need organization-wide security controls across multiple Atlassian products, Guard may justify the cost. But if you just want automated provisioning for Bitbucket specifically, you're paying for a security bundle while still handling the most critical part (repository access) manually. We estimate ~60% of Guard features are irrelevant for teams that only need Bitbucket user provisioning with proper group sync.
Stitchflow Insight
Bitbucket's SCIM only provisions users, not groups. Repository permissions and team assignments must still be managed manually in Bitbucket, or through third-party marketplace apps that add complexity and cost.
What IT admins are saying
Community sentiment on Atlassian Bitbucket's SCIM implementation is mixed, with significant frustration around core limitations. Common complaints:
- No group sync for Bitbucket - users provision but repository permissions require manual management
- Requiring separate Atlassian Guard subscription adds complexity and cost
- Need to purchase third-party marketplace apps for full functionality
- API keys expiring annually creates maintenance overhead
"GROUP SYNC NOT AVAILABLE for Bitbucket - users only" is the most cited limitation across forums and documentation.
Group sync requires third-party marketplace apps
The recurring theme
Bitbucket's SCIM provisions users but stops short of the group sync that makes automated access management truly valuable for development teams managing sensitive code repositories.
The decision
| Your Situation | Recommendation |
|---|---|
| Need group sync for repository permissions | Use Stitchflow: Bitbucket's native SCIM can't sync groups |
| Want to avoid Atlassian Guard subscription costs | Use Stitchflow: no additional Guard licensing required |
| On Standard/Premium, don't need other Guard features | Use Stitchflow: avoid paying for unused Guard capabilities |
| Already have Guard, only need basic user provisioning | Use native SCIM: you're paying for Guard anyway |
| Small dev team with simple access needs | Manual may work: but consider security risks for code access |
The bottom line
Bitbucket's native SCIM requires an Atlassian Guard subscription and crucially lacks group sync—forcing you to manage repository permissions manually even with provisioning enabled. For development teams where code access security matters, Stitchflow provides complete provisioning automation including the group sync that Bitbucket's native implementation can't deliver.
Make Atlassian Bitbucket workflows AI-native
Atlassian Bitbucket gates SCIM behind Atlassian Guard subscription. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- GROUP SYNC NOT AVAILABLE for Bitbucket
- Requires Atlassian Guard subscription
- Group sync requires third-party marketplace apps
- API keys expire after 1 year
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Atlassian Cloud app in OIN. Requires Atlassian Guard Standard subscription. Copy SCIM base URL and API key from admin.atlassian.com. Store credentials - not shown again. Group sync only for Jira/Confluence, NOT Bitbucket.
Atlassian Bitbucket gates SCIM behind Atlassian Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full provisioning tutorial. Set Provisioning Mode to Automatic. Syncs every ~40 minutes. Group sync only for Jira/Confluence - NOT for Bitbucket. Third-party solutions (miniOrange) available for extended Bitbucket SCIM features.
Atlassian Bitbucket gates SCIM behind Atlassian Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Atlassian Bitbucket
Atlassian Bitbucket gates SCIM behind Atlassian Guard subscription plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
