Summary and recommendation
Atlassian Jira supports SCIM 2.0 for automated user provisioning, but only with an Atlassian Guard subscription—an additional $3-4/user/month on top of your base Jira plan. For a 100-person team on Standard ($9.05/user/month), adding Guard means a 33-44% cost increase just to unlock basic provisioning automation. Enterprise customers get Guard included, but that's $155/user/year with an 801-user minimum—$124,355 upfront commitment.
The Guard subscription requirement creates a frustrating gap for growing teams. You're paying for Jira licenses but still manually managing user accounts, group assignments, and project access. SSO with JIT provisioning helps with login, but doesn't handle deprovisioning when employees leave or group sync for project permissions. For development teams where access delays impact sprint velocity, manual provisioning becomes a bottleneck.
The strategic alternative
Atlassian Jira gates SCIM behind Atlassian Access/Guard subscription. Skip the Atlassian Access/Guard subscription plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Custom |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | ✓ | Full SCIM support |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Atlassian Jira accounts manually. Here's what that costs:
The Atlassian Jira pricing problem
Atlassian Jira gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Annually)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $9.05/user/mo | ||
| Premium | $18.30/user/mo | ||
| Enterprise | $155/user/year (801+ users) | ||
| Any plan + Guard Standard | Base price + $3-4/user/mo |
Note: Enterprise plans include Guard Standard. For teams under 801 users, Guard Standard subscription is required for SCIM access regardless of your Jira plan tier.
What this means in practice
Adding Guard Standard to existing Jira plans:
| Team Size | Standard + Guard | Premium + Guard | Annual Guard Cost |
|---|---|---|---|
| 50 users | ~$13/user/mo | ~$22/user/mo | +$1,800-2,400/year |
| 100 users | ~$13/user/mo | ~$22/user/mo | +$3,600-4,800/year |
| 200 users | ~$13/user/mo | ~$22/user/mo | +$7,200-9,600/year |
Calculation: Guard Standard adds approximately 30-40% to your existing Jira costs solely for provisioning capabilities.
Additional constraints
Summary of challenges
- Atlassian Jira supports SCIM but only at Custom tier ($155/user/year (min 801 users))
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Atlassian doesn't sell SCIM directly through Jira plans. It requires an Atlassian Guard subscription (formerly Access) that bundles identity features:
Guard Standard costs $3-4/user/month on top of your Jira plan. Enterprise customers ($155/user/year minimum) get Guard included, but that's an 801-user minimum commitment.
Stitchflow Insight
If you just want SCIM for a smaller team, you're paying for cross-product administration features you likely don't need. The Guard subscription applies to your entire Atlassian organization, not just Jira users. We estimate ~60% of Guard features are irrelevant for teams that only want Jira user provisioning.
What IT admins are saying
Community sentiment on Atlassian Jira's SCIM implementation centers around the additional subscription requirement. Common complaints:
- Having to purchase Atlassian Guard/Access subscription just for SCIM provisioning
- Annual API key expiration creating ongoing maintenance overhead
- Group sync limitations across different Atlassian products
- Feeling forced into higher-tier subscriptions for basic identity automation
The extra Access subscription cost feels like a tax on security - we already pay per user, why can't SCIM just be included?
Managing API key expiration every year is just another thing on the todo list that shouldn't be there in 2025.
The recurring theme
Organizations feel penalized for wanting automated provisioning, with SCIM treated as an expensive add-on rather than a standard security feature included in base Jira pricing.
The decision
| Your Situation | Recommendation |
|---|---|
| On Standard/Premium, need SCIM | Use Stitchflow: avoid the $36K-124K/year Access subscription |
| On Enterprise without Access/Guard | Use Stitchflow: add automation without Guard complexity |
| Already have Atlassian Access/Guard | Use native SCIM: you're paying for it |
| Need Enterprise features + SSO + SCIM | Evaluate Enterprise plan: Guard Standard is included |
| Small dev team, low turnover | Manual may work: but developer onboarding delays cost more |
The bottom line
Atlassian's SCIM requires an Access/Guard subscription that can cost $36K-124K annually on top of your Jira plan. For development teams that need automated provisioning without the Access overhead, Stitchflow delivers the same automation at a fraction of the cost.
Make Atlassian Jira workflows AI-native
Atlassian Jira gates SCIM behind Atlassian Access/Guard subscription. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Custom
Prerequisites
SSO must be configured first
Key limitations
- Requires Atlassian Access/Guard subscription
- Group sync not available for Bitbucket
- API key expiration requires management
- JSM portal SCIM expected Q2 2025
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 support via Atlassian Cloud app in OIN. Supports user create/update/deactivate and group sync. SCIM API keys expire after 1 year (as of Jan 2025).
Atlassian Jira gates SCIM behind Atlassian Access/Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 provisioning with attribute sync (job title, department). Initial sync takes longer, subsequent syncs every 40 minutes.
Atlassian Jira gates SCIM behind Atlassian Access/Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Atlassian Jira
Atlassian Jira gates SCIM behind Atlassian Access/Guard subscription plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
