Stitchflow
Back to directory
Backstage logo

Backstage SCIM guide

Connector Only

How to automate Backstage user provisioning, and what it actually costs

Summary and recommendation

Backstage, the open-source developer portal framework created by Spotify, does not include native SCIM provisioning capabilities. As an open-source platform designed for self-hosting, Backstage requires organizations to implement their own user management solutions. While Backstage supports SSO authentication through SAML and OIDC with providers like Okta and Entra ID, this only handles login - not the automated provisioning and deprovisioning of user accounts. Any SCIM integration would require custom development work or third-party plugins, adding significant complexity to what's already an infrastructure-heavy platform.

This creates a substantial operational burden for IT teams managing Backstage deployments. Without automated provisioning, onboarding new developers requires manual account creation, permission assignment, and catalog access configuration. When engineers leave or change teams, IT must manually deprovision access across Backstage's various integrations and services. For organizations running Backstage at scale - where the true cost of ownership often exceeds $150K annually when factoring in infrastructure, maintenance, and development resources - manual user management becomes both a security risk and operational bottleneck.

The strategic alternative

Backstage has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?No
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaNo official OIN listing. SSO configured via SAML/OIDC in self-hosted Backstage.
Microsoft Entra IDBackstage supports Microsoft Entra ID authentication via OAuth/OIDC. No native SCIM.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Backstage accounts manually. Here's what that costs:

Source: Stitchflow research, normalized to 500 employees:
Orphaned accounts (ex-employees with access)5
Unused licenses12
IT hours spent on manual management/year85 hours
Unused license cost/year$3,500
IT labor cost/year$5,100
Cost of compliance misses/year$890
Total annual financial impact$9,490

The Backstage pricing problem

Backstage gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Open Source$0 (self-hosted)
Spotify PortalCustom quote
Roadie (hosted)Custom quote

Pricing structure

PlanPriceSSOSCIM
Open Source$0 (self-hosted)
Spotify PortalCustom quote
Roadie (hosted)Custom quote

Real enterprise costs for self-hosted Backstage

DevOps engineering
$80,000-120,000/year
Infrastructure (AWS/GCP)
$15,000-30,000/year
Custom SCIM development
$50,000-80,000 initial
Total first-year cost
$150,000-230,000

What this means in practice

The "free" open source model becomes expensive quickly when you factor in the engineering resources needed for enterprise deployment:

Development requirements

Custom authentication plugins for your IdP
Database schema design for user/group management
SCIM endpoint implementation from scratch
Ongoing maintenance and security updates

Operational overhead

Manual user onboarding until SCIM is built
No standardized provisioning workflows
Custom troubleshooting for auth issues
Platform maintenance competing with product development

Additional constraints

No native SCIM framework
Must build provisioning logic from ground up using Backstage's plugin architecture
Self-hosted complexity
Requires dedicated platform team to manage infrastructure, updates, and scaling
Plugin ecosystem gaps
Limited third-party SCIM plugins, most are proof-of-concept quality
Documentation fragmentation
Auth setup varies significantly between deployment methods and IdP combinations
Vendor lock-in risk
Heavy customization makes migration to managed alternatives (Spotify Portal, Roadie) difficult

Summary of challenges

  • Backstage does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Backstage actually offers for identity

Authentication Support (Self-Hosted)

Backstage is an open source developer portal framework that you deploy and manage yourself. Identity features depend entirely on your implementation:

FeatureAvailability
SAML SSO✓ Configurable (via auth plugins)
OIDC/OAuth✓ Configurable (Microsoft, Google, GitHub, etc.)
LDAP✓ Via community plugins
Local accounts✓ Built-in database auth
User provisioning❌ Manual configuration required
Group sync❌ Custom development needed

Microsoft Entra ID Integration

Backstage's official documentation covers Microsoft authentication:

Protocol
OAuth 2.0/OpenID Connect
Setup
Configure app registration in Entra ID, add provider config to Backstage
User creation
Manual - users must be added to Backstage catalog before authentication
Group mapping
Requires custom resolver development

The SCIM Reality

No native SCIM endpoint exists. Backstage's catalog system expects users to be defined in YAML files or imported via custom processors. True SCIM provisioning requires:

Custom API development to handle SCIM requests
Database schema modifications for user lifecycle management
Integration with Backstage's catalog and permission systems
Ongoing maintenance as Backstage core evolves

Real cost of ownership: While Backstage itself is free, enterprise deployments typically cost $150K+ annually when factoring in:

Infrastructure hosting and scaling
Custom development for integrations
Ongoing maintenance and security updates
Internal team time for administration

The "free" open source label masks significant implementation complexity for automated user provisioning.

What IT admins are saying

Community sentiment reveals significant frustration with Backstage's lack of automated user management:

  • Manual user provisioning required despite being an "enterprise" developer portal
  • No SCIM endpoint means custom development needed for any automation
  • SSO authentication works, but user accounts must still be manually created first
  • True operational costs far exceed the "free" open source label

Backstage is open source but the total cost of ownership for enterprise deployments can easily exceed $150K when you factor in development, maintenance, and operational overhead.

Reddit, r/devops

We have SSO working with Entra ID but still need to manually add every developer to Backstage before they can actually use it. Kind of defeats the purpose of having identity management.

DevOps Engineer, Hacker News

The documentation makes it sound simple but there's no native SCIM support. You're looking at custom plugin development or third-party solutions to get real provisioning working.

Platform Team Lead, DevOps community forum

The recurring theme

Backstage's open source nature creates a false economy - while the software is free, the operational burden of manual user management and custom SCIM development makes it expensive to run at enterprise scale.

The decision

Your SituationRecommendation
Small development team (<10 users)Manual management acceptable for simple setups
Self-hosted Backstage with stable teamSSO-only configuration may suffice
Enterprise with 50+ developersUse Stitchflow: automation essential for scale
Multi-environment deploymentsUse Stitchflow: consistent provisioning across instances
Compliance-driven organizationUse Stitchflow: audit trails and governance required

The bottom line

Backstage has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Close the Backstage workflow gap

Backstage is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.

Across every app in the workflow, including the ones without APIs
Built in less than a week, with roughly 2 hours from your team
You review the exceptions. Stitchflow maintains the workflow underneath
Start with the free gap diagnostic

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

Open source framework - no native SCIM endpointUser provisioning depends on self-hosted implementationSCIM integration requires custom development or third-party pluginsTrue cost of ownership estimated at $150K+ for enterprise deployments

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • Open source framework - no native SCIM endpoint
  • User provisioning depends on self-hosted implementation
  • SCIM integration requires custom development or third-party plugins
  • True cost of ownership estimated at $150K+ for enterprise deployments

Documentation not available.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app

Where to enable

Entra admin center → Enterprise applications → Backstage → Single sign-on

Docs

Microsoft Entra integration

Backstage supports Microsoft Entra ID authentication via OAuth/OIDC. No native SCIM.

Use Stitchflow for automated provisioning.

Close the workflow gap in
Backstage

Backstage has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Start with the free gap diagnostic
Admin Console
Directory
Applications
Backstage logo
Backstage
via Stitchflow

Last updated: 2026-01-20

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Abnormal Security logo

Abnormal Security

No SCIM

Security / Email Security

ProvisioningNot Supported
Manual Cost$9,490/yr

Abnormal Security, the AI-powered email security platform protecting against BEC and phishing attacks, does not offer SCIM provisioning on any plan. While the platform supports SAML 2.0 SSO integration with identity providers like Okta and Entra ID, this only handles authentication—not automated user lifecycle management. Security teams must manually provision and deprovision analyst access through Abnormal's portal, creating operational overhead and potential security gaps in a platform specifically designed to protect against email-based threats. This manual provisioning model creates significant challenges for security operations. When new SOC analysts join or existing team members change roles, IT admins must coordinate manual account creation and permission updates in Abnormal Security. For a platform that's critical to threat detection and incident response, delays in provisioning can leave security gaps, while delayed deprovisioning creates compliance risks. The irony is stark: a security platform designed to prevent account takeover and credential abuse lacks the automated provisioning controls that prevent exactly these risks.

View full guide
Airwallex logo

Airwallex

No SCIM
ProvisioningNot Supported
Manual Cost$9,490/yr

Airwallex, the global payments and treasury platform, offers no SCIM provisioning support on any plan, including their custom Accelerate enterprise tier. Despite being positioned for enterprise use with features like multi-entity management and advanced treasury controls, Airwallex lacks any official identity provider integrations—no SSO, no provisioning, and no presence in major IdP galleries like Okta's OIN or Microsoft Entra. This creates a significant operational burden for IT teams managing financial access across growing organizations, where manual user provisioning and deprovisioning in a payments platform presents both efficiency and security risks. The absence of identity management capabilities means IT administrators must manually create, update, and remove user accounts in Airwallex—a particularly concerning gap given that this platform handles sensitive financial operations, cross-border payments, and treasury management. Without automated deprovisioning, former employees could retain access to financial systems, creating compliance risks and potential security vulnerabilities that most finance and IT teams cannot afford to overlook.

View full guide
Alkami logo

Alkami

No SCIM
ProvisioningNot Supported
Manual Cost$9,490/yr

Alkami, the digital banking platform used by banks and credit unions, does not offer SCIM provisioning or public SSO integrations. As an enterprise-only platform with custom pricing, Alkami appears to handle user management through direct account administration rather than standardized identity protocols. This creates significant challenges for financial institutions that need to integrate Alkami with their existing identity infrastructure—particularly problematic given the compliance requirements and security standards that banks must maintain. The lack of automated provisioning means IT teams at financial institutions must manually create, update, and deprovision user accounts in Alkami. For a platform handling sensitive financial data and customer information, this manual approach introduces compliance risks and operational overhead. Banks typically require seamless integration between their core identity systems and all applications accessing customer data.

View full guide