Summary and recommendation
AWS IAM Identity Center supports SCIM 2.0 provisioning and is completely free—no additional licensing costs beyond your AWS account. However, the implementation has significant operational limitations that create ongoing management overhead for IT teams.
The core issues: SCIM sync runs every 20-40 minutes (not real-time), multivalue attributes aren't supported, and once SCIM is enabled, you lose the ability to manually manage users through the AWS console. More problematic, Azure AD users face nested group limitations and attribute removal sync issues, while all IdPs must work around the requirement for specific mandatory fields (First name, Last name, Username, Display name). For organizations managing complex AWS multi-account environments with varying permission sets, these constraints force manual workarounds that undermine automation benefits.
While IAM Identity Center's free pricing is attractive, the operational friction from sync delays, attribute limitations, and console lockout creates hidden administrative costs—especially when managing hundreds of users across multiple AWS accounts with different access requirements.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for AWS IAM Identity Center that addresses these operational challenges with real-time sync, flexible attribute handling, and expert configuration management. Flat pricing under $5K/year, regardless of user count or AWS account complexity.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages AWS IAM Identity Center accounts manually. Here's what that costs:
The AWS IAM Identity Center pricing problem
AWS IAM Identity Center gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| AWS IAM Identity Center | Free (included with AWS) |
What this means in practice
While the pricing appears attractive, the SCIM implementation's technical constraints create real operational burden:
Attribute limitations: Single-value attributes only - no support for multivalue fields that many organizations use for roles, departments, or project assignments. Custom attributes aren't supported in the SCIM implementation.
Sync frequency: Changes sync every 20-40 minutes, not real-time. For organizations with frequent role changes or emergency access needs, this delay creates security and operational risks.
Management lockout: Once SCIM is enabled, you cannot add or edit users through the IAM Identity Center console. All user management must flow through your IdP, eliminating backup management options.
Additional constraints
Summary of challenges
- AWS IAM Identity Center supports SCIM but only at Free tier ($0)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What AWS IAM Identity Center actually offers for identity
AWS IAM Identity Center is Amazon's free centralized identity service that comes with every AWS account. The SCIM provisioning is included at no charge, but the real value is in how it integrates with your broader AWS infrastructure:
The challenge isn't cost—it's complexity. While SCIM provisioning works reliably for basic user lifecycle management, the real operational burden comes from managing permission sets, account assignments, and the intricate relationships between users, groups, and AWS resources across potentially dozens of accounts.
Many organizations find themselves spending more time configuring and maintaining IAM Identity Center's permission architecture than they save from automated provisioning, especially when users need different access levels across development, staging, and production environments.
What IT admins are saying
Community sentiment on AWS IAM Identity Center's SCIM implementation is mixed, with specific technical frustrations outweighing pricing concerns. Common complaints:
- Sync delays of 20-40 minutes create security gaps during offboarding
- Azure AD integration drops nested groups and doesn't sync attribute removals
- Console lockout after SCIM setup prevents manual user management
- Complex multi-account permission set mapping across AWS organizations
After enabling SCIM, you lose the ability to add or edit users directly in the IAM Identity Center console. Everything has to flow through your IdP, which can be limiting for one-off situations.
The nested group limitation with Azure AD is a real pain. We had to flatten our entire group structure just to get provisioning working.
The recurring theme
While AWS IAM Identity Center's SCIM is free, the technical limitations and sync delays create operational headaches that force admins to work around the platform rather than with it.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM with multivalue attributes or custom fields | Use Stitchflow: native SCIM doesn't support these features |
| Using nested groups in Azure AD | Use Stitchflow: AWS doesn't sync nested group structures |
| Need real-time provisioning for security | Use Stitchflow: avoid 20-40 minute sync delays |
| Happy with basic SCIM, have AWS expertise | Use native SCIM: it's free and covers standard use cases |
| Small team with minimal AWS complexity | Manual may work: but monitor for multi-account sprawl |
The bottom line
While AWS IAM Identity Center offers free native SCIM, it comes with significant limitations around attribute handling, sync timing, and complex group structures. For organizations that need robust provisioning automation across multiple AWS accounts, Stitchflow delivers full-featured SCIM without the constraints.
Automate AWS IAM Identity Center without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for AWS IAM Identity Center at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- Multivalue attributes not supported (single value per attribute)
- Users must have First name, Last name, Username, and Display name
- After SCIM setup, cannot add/edit users in IAM Identity Center console
- Azure AD: removed attributes not synced back, nested groups not supported
- Sync every 20-40 minutes (not real-time)
- Custom attributes not yet supported in SCIM implementation
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 support. Create users, update attributes, push groups. Requires paid Okta license with lifecycle management. Rotate token every 90 days recommended.
Native SCIM is available on Free. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support. Sync every 40 minutes by default. Nested groups not supported. PowerShell script available for on-demand sync.
Native SCIM is available on Free. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
AWS IAM Identity Center
Stop paying the SCIM Tax for AWS IAM Identity Center. Get enterprise-grade SCIM at a fraction of the enterprise plan cost.
See how it works
