Summary and recommendation
Backstage, the open-source developer portal framework created by Spotify, does not include native SCIM provisioning capabilities. As an open-source platform designed for self-hosting, Backstage requires organizations to implement their own user management solutions. While Backstage supports SSO authentication through SAML and OIDC with providers like Okta and Entra ID, this only handles login - not the automated provisioning and deprovisioning of user accounts. Any SCIM integration would require custom development work or third-party plugins, adding significant complexity to what's already an infrastructure-heavy platform.
This creates a substantial operational burden for IT teams managing Backstage deployments. Without automated provisioning, onboarding new developers requires manual account creation, permission assignment, and catalog access configuration. When engineers leave or change teams, IT must manually deprovision access across Backstage's various integrations and services. For organizations running Backstage at scale - where the true cost of ownership often exceeds $150K annually when factoring in infrastructure, maintenance, and development resources - manual user management becomes both a security risk and operational bottleneck.
The strategic alternative
Backstage has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No official OIN listing. SSO configured via SAML/OIDC in self-hosted Backstage. |
| Microsoft Entra ID | ✓ | ❌ | Backstage supports Microsoft Entra ID authentication via OAuth/OIDC. No native SCIM. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Backstage accounts manually. Here's what that costs:
The Backstage pricing problem
Backstage gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Open Source | $0 (self-hosted) | | |
| Spotify Portal | Custom quote | | |
| Roadie (hosted) | Custom quote | | |
Real enterprise costs for self-hosted Backstage
What this means in practice
The "free" open source model becomes expensive quickly when you factor in the engineering resources needed for enterprise deployment:
Development requirements
Operational overhead
Additional constraints
Summary of challenges
- Backstage does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What Backstage actually offers for identity
Authentication Support (Self-Hosted)
Backstage is an open source developer portal framework that you deploy and manage yourself. Identity features depend entirely on your implementation:
| Feature | Availability |
|---|---|
| SAML SSO | ✓ Configurable (via auth plugins) |
| OIDC/OAuth | ✓ Configurable (Microsoft, Google, GitHub, etc.) |
| LDAP | ✓ Via community plugins |
| Local accounts | ✓ Built-in database auth |
| User provisioning | ❌ Manual configuration required |
| Group sync | ❌ Custom development needed |
Microsoft Entra ID Integration
Backstage's official documentation covers Microsoft authentication:
The SCIM Reality
No native SCIM endpoint exists. Backstage's catalog system expects users to be defined in YAML files or imported via custom processors. True SCIM provisioning requires:
Real cost of ownership: While Backstage itself is free, enterprise deployments typically cost $150K+ annually when factoring in:
The "free" open source label masks significant implementation complexity for automated user provisioning.
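Because users live in the catalog as User entities rather than behind a SCIM endpoint, joiner and leaver drift has to be found by comparing the IdP roster with the catalog. The sketch below is an added example, not Backstage or Stitchflow code: the sample data is constructed, matching on email is an assumption, and the helper names are hypothetical.

```python
import re

# Constructed sample data: IdP rows use SCIM core attribute names; catalog
# entries follow Backstage's User entity shape.
IDP_USERS = [
    {"userName": "ana@example.com", "displayName": "Ana Ruiz", "active": True},
    {"userName": "bo@example.com", "displayName": "Bo Chen", "active": False},
    {"userName": "cy.lee@example.com", "displayName": "Cy Lee", "active": True},
]

def _user(name, email=None):
    profile = {"email": email} if email else {}
    return {"apiVersion": "backstage.io/v1alpha1", "kind": "User",
            "metadata": {"name": name}, "spec": {"profile": profile, "memberOf": []}}

CATALOG_USERS = [_user("ana", "Ana@Example.com"), _user("bo", "bo@example.com"),
                 _user("dee", "dee@example.com"), _user("svc-ci")]

def entity_ref(entity):
    meta = entity["metadata"]
    return f"user:{meta.get('namespace', 'default')}/{meta['name']}".lower()

def to_user_entity(idp_user):
    """Catalog User entity a provisioning job would have to write (hypothetical helper)."""
    local = idp_user["userName"].split("@", 1)[0]
    # Entity names: alphanumerics separated by - _ . and at most 63 characters.
    name = re.sub(r"[^a-zA-Z0-9]+", "-", local)[:63].strip("-").lower()
    entity = _user(name, idp_user["userName"])
    entity["spec"]["profile"]["displayName"] = idp_user.get("displayName", name)
    return entity

def reconcile(idp_users, catalog_entities):
    """Diff active IdP accounts against catalog users, matching on email."""
    active = {u["userName"].lower(): u for u in idp_users if u.get("active")}
    seen, stale, review = set(), [], []
    for ent in catalog_entities:
        if ent.get("kind") != "User":
            continue
        email = (ent["spec"].get("profile", {}).get("email") or "").strip().lower()
        if not email:
            review.append(entity_ref(ent))   # no email: cannot be tied to an IdP account
        elif email in active:
            seen.add(email)
        else:
            stale.append(entity_ref(ent))    # disabled or absent upstream: remove
    missing = [to_user_entity(u) for e, u in sorted(active.items()) if e not in seen]
    return {"deprovision": sorted(stale), "provision": missing, "review": sorted(review)}

if __name__ == "__main__":
    for action, items in reconcile(IDP_USERS, CATALOG_USERS).items():
        print(action, items)
```

Entities in the `review` bucket deserve the closest look during an access review, since a catalog user with no email cannot be attributed to any IdP account.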
What IT admins are saying
Community sentiment reveals significant frustration with Backstage's lack of automated user management:
- Manual user provisioning required despite being an "enterprise" developer portal
- No SCIM endpoint means custom development needed for any automation
- SSO authentication works, but user accounts must still be manually created first
- True operational costs far exceed the "free" open source label
Backstage is open source but the total cost of ownership for enterprise deployments can easily exceed $150K when you factor in development, maintenance, and operational overhead.
We have SSO working with Entra ID but still need to manually add every developer to Backstage before they can actually use it. Kind of defeats the purpose of having identity management.
The documentation makes it sound simple but there's no native SCIM support. You're looking at custom plugin development or third-party solutions to get real provisioning working.
The recurring theme
Backstage's open source nature creates a false economy - while the software is free, the operational burden of manual user management and custom SCIM development makes it expensive to run at enterprise scale.
The decision
| Your Situation | Recommendation |
|---|---|
| Small development team (<10 users) | Manual management acceptable for simple setups |
| Self-hosted Backstage with stable team | SSO-only configuration may suffice |
| Enterprise with 50+ developers | Use Stitchflow: automation essential for scale |
| Multi-environment deployments | Use Stitchflow: consistent provisioning across instances |
| Compliance-driven organization | Use Stitchflow: audit trails and governance required |
The bottom line
Backstage is a powerful developer portal, but as an open-source framework, it has no native SCIM capabilities. Building custom provisioning adds significant complexity to your deployment. For organizations that need automated user lifecycle management without the engineering overhead, Stitchflow delivers SCIM-level provisioning that works with any Backstage deployment.
Make Backstage workflows AI-native
Backstage has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specified
Supported Operations
Not specified
Supported Attributes
Plan requirement
Not specified
Prerequisites
Not specified
Key limitations
- Open source framework - no native SCIM endpoint
- User provisioning depends on self-hosted implementation
- SCIM integration requires custom development or third-party plugins
- True cost of ownership estimated at $150K+ for enterprise deployments
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
Backstage supports Microsoft Entra ID authentication via OAuth/OIDC. No native SCIM.
Use Stitchflow for automated provisioning.


