Balsamiq SCIM Provisioning: Pricing & Limitations

Summary
At a glance
Identity providers
Hidden costs
Pricing analysis
Summary of challenges
Identity options
What admins say
Recommendation
Technical specs

Summary and recommendation

Balsamiq Cloud, the wireframing and UX design platform, does not support SCIM provisioning on any plan. While Balsamiq offers SAML 2.0 SSO integration (available on Enterprise plans at $599/month) with identity providers like Okta and Azure AD, this only handles authentication through Just-in-Time (JIT) provisioning. When SSO is enabled, all authenticated users automatically become Staff Members within the Space, creating a significant access control limitation. Manual user management and deprovisioning remain required, and there's no way to programmatically control project-level permissions or Space access.

This creates substantial operational overhead for design teams, particularly those working across multiple projects with varying stakeholder access requirements. IT administrators must manually remove users from Spaces when they leave the organization or change roles, creating compliance gaps and potential security exposure to sensitive design assets and project information.

The strategic alternative

Stitchflow provides managed provisioning automation for Balsamiq Cloud without requiring any custom development work. Works with any Balsamiq plan and integrates with Okta, Entra ID, Google Workspace, and other identity providers. Flat pricing under $5K/year, regardless of team size.

Quick SCIM facts

SCIM available?	No
SCIM tier required	N/A
SSO required first?	No
SSO available?	Yes
SSO protocol	SAML 2.0
Documentation	Not available

Supported identity providers

IdP	SSO	SCIM	Notes
Okta	✓	❌	No SCIM available
Microsoft Entra ID	✓	❌	No SCIM available
Google Workspace	Via third-party	❌	No native support
OneLogin	Via third-party	❌	No native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Balsamiq accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees

Orphaned accounts (ex-employees with access)7

Unused licenses12

IT hours spent on manual management/year101 hours

Unused license cost/year$3,925

IT labor cost/year$6,088

Cost of compliance misses/year$1,741

Total annual financial impact$11,754

The Balsamiq pricing problem

Balsamiq gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

Plan	Price	SSO	SCIM
2 Projects	$12/month
Business	$399/month (up to 400 projects)
Enterprise	$599/month

Pricing and provisioning options

Plan	Price	SSO	SCIM
2 Projects	$12/month
Business	$399/month (up to 400 projects)
Enterprise	$599/month

What this means in practice

Without SCIM provisioning, IT teams face these operational challenges:

User lifecycle management

New users can only be created through SAML JIT when they first log in

No automated user deprovisioning

accounts persist indefinitely until manually removed

No way to pre-provision accounts or set permissions before first login

Access control limitations

All SSO users automatically become "Staff Members" with elevated permissions

Space Owners must manually configure SSO settings for each workspace

No granular role assignment through your IdP

Audit and compliance gaps

No centralized view of user access across Balsamiq spaces

Manual tracking required for user status and permissions

Delayed access removal creates security exposure

Additional constraints

Space-based architecture

SSO must be configured separately for each Balsamiq space, creating management overhead for multi-team deployments

Manual permission management

Project sharing and access controls require individual configuration within each space

Limited role mapping

SAML authentication doesn't support attribute-based role assignment, forcing all SSO users into the same permission level

No API for user management

Balsamiq provides no documented API for automated user or permission management

Summary of challenges

Balsamiq does not provide native SCIM at any price tier
Organizations must rely on third-party tools or manual provisioning
Our research shows teams manually provisioning this app spend significant hidden costs annually

What Balsamiq actually offers for identity

SAML SSO (Enterprise plan - $599/month)

Balsamiq Cloud supports SAML 2.0 integration with identity providers:

Setting	Details
Protocol	SAML 2.0
Supported IdPs	Okta, Google Workspace, Azure AD, ADFS, generic SAML
Configuration	Per-Space configuration by Space Owner
User provisioning	Just-in-time (JIT) creation only
User roles	All SSO users become Staff Members

Critical limitation: When SSO is enabled, all authenticated users automatically become Staff Members with full access to the Space. There's no granular role assignment through SSO.

Okta Integration (via OIN)

The official Okta Integration Network listing for Balsamiq shows:

Feature	Supported?
SAML SSO	✓ Yes
OIDC SSO	❌ No
Create users	✓ JIT only
Update users	❌ No
Deactivate users	❌ No
Group push	❌ No
SCIM provisioning	❌ No

What's missing

No SCIM provisioning

User lifecycle management must be handled manually

No automated deprovisioning

Offboarded users remain active until manually removed

No role granularity

SSO users all receive the same Staff Member permissions

Space-level SSO only

Each Space requires separate SSO configuration

For UX design teams that need to manage access across multiple projects and ensure proper offboarding, the lack of automated provisioning creates significant administrative overhead.

What IT admins are saying

Balsamiq's lack of SCIM provisioning forces IT teams into manual user management workflows:

No automated user provisioning - all users must be managed manually
SAML JIT provisioning automatically makes all users "Staff Members" regardless of intended role
Space Owners (not IT admins) must configure SSO settings for each Space
Manual deprovisioning required when employees leave

“

"No SCIM for automated provisioning" and "Manual user management required" are consistent complaints from the community about Balsamiq's limited identity management capabilities.

“

When SSO enabled, all users become Staff Members

Balsamiq official documentation

The recurring theme

Even at the Enterprise tier ($599/month), Balsamiq relies entirely on SAML JIT provisioning with no granular role assignment or automated deprovisioning. IT teams must coordinate with Space Owners for SSO configuration and handle all user lifecycle management manually.

The decision

Your Situation	Recommendation
Small UX team (<10 users) with stable membership	Manual management with SAML SSO is workable
Design team using multiple wireframing tools	Consider alternatives with native SCIM support
Growing product organization (20+ users)	Use Stitchflow: automated provisioning essential
Enterprise with compliance requirements	Use Stitchflow: manual deprovisioning creates audit gaps
Multi-project teams with frequent access changes	Use Stitchflow: Space-based permissions need automation

The bottom line

Balsamiq Cloud offers solid wireframing capabilities but completely lacks SCIM provisioning—you're stuck with manual user management even on the $599/month Enterprise plan. For design teams that need automated provisioning without the operational overhead, Stitchflow delivers the automation Balsamiq should have built natively.

Automate Balsamiq without third-party complexity

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Balsamiq at <$5K/year, flat, regardless of team size.

Works alongside or instead of native SCIM

Syncs with your existing IdP (Okta, Entra ID, Google Workspace)

Automates onboarding and offboarding

SOC 2 Type II certified

24/7 human-in-the-loop monitoring

Book a Demo

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No native SCIM provisioning documentedWhen SSO enabled, all users become Staff MembersSpace Owner must configure SSOSAML-based authentication only

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

No native SCIM provisioning documented
When SSO enabled, all users become Staff Members
Space Owner must configure SSO
SAML-based authentication only

Documentation not available.

Configuration for Okta

Integration type

Okta Integration Network (OIN) app

Where to enable

Okta Admin Console → Applications → Balsamiq → Sign On

Docs

Okta integration

Custom required for SCIM

Use Stitchflow for automated provisioning.

Unlock SCIM for
Balsamiq

Balsamiq doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.

See how it works

Admin Console

Summary and recommendation

The strategic alternative

Quick SCIM facts

Supported identity providers

The cost of not automating

The Balsamiq pricing problem

Tier comparison

Pricing and provisioning options

What this means in practice

User lifecycle management

Access control limitations

Audit and compliance gaps

Additional constraints

Summary of challenges

What Balsamiq actually offers for identity

SAML SSO (Enterprise plan - $599/month)

Okta Integration (via OIN)

What's missing

What IT admins are saying

The decision

Automate Balsamiq without third-party complexity

Technical specifications

Configuration for Okta

Unlock SCIM for Balsamiq

Unlock SCIM for
Balsamiq