Summary and recommendation
BambooHR does not support inbound SCIM provisioning on any plan. While BambooHR integrates with identity providers like Okta and Entra ID, it functions as the HR source of truth that provisions users TO other systems, not the other way around. This means your IdP cannot automatically create, update, or deactivate user accounts in BambooHR based on HR events or group membership changes. BambooHR offers SAML 2.0 SSO with JIT provisioning, but this only handles authentication for users who already exist in the system.
This creates a significant operational gap for IT teams managing employee lifecycle automation. While BambooHR can push employee data to your IdP when HR makes changes, there's no way to automate the reverse flow - provisioning new users into BambooHR itself still requires manual account creation or CSV imports. For organizations where BambooHR isn't the primary HR system of record, this means maintaining dual data entry processes and accepting the compliance risks that come with manual provisioning workflows.
The strategic alternative
Stitchflow provides managed provisioning automation for BambooHR, enabling true bidirectional sync regardless of your BambooHR plan or IdP choice. Our SOC 2 Type II certified platform handles the technical complexity while maintaining 24/7 human oversight. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No SCIM available |
| Microsoft Entra ID | ✓ | ❌ | No SCIM available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages BambooHR accounts manually. Here's what that costs:
The BambooHR pricing problem
BambooHR gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Core | ~$10/employee/month | ||
| Pro | ~$15-22/employee/month | ||
| Custom | Quote-based |
Pricing structure
| Plan | Pricing | SCIM Inbound |
|---|---|---|
| Core | ~$10/employee/month | ❌ Not available |
| Pro | ~$15-22/employee/month | ❌ Not available |
| Custom | Quote-based | ❌ Not available |
Additional costs
What this means in practice
BambooHR's architecture creates a fundamental provisioning gap. While it can push employee data to your IdP (outbound SCIM), it cannot receive user provisioning commands from your IdP (inbound SCIM). This means:
Additional constraints
Summary of challenges
- BambooHR does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What BambooHR actually offers for identity
SAML SSO (Available on all plans)
BambooHR supports SAML 2.0 integration with identity providers:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, OneLogin, JumpCloud, PingIdentity |
| Configuration | IdP and SP initiated SSO |
| JIT Provisioning | ✓ Yes |
| Certificate requirement | Signed certificate required |
Outbound SCIM (IdP-dependent)
BambooHR's SCIM story is backwards from most apps—it sends employee data to your IdP, not the other way around:
| Feature | Support |
|---|---|
| Inbound SCIM (from IdP to BambooHR) | ❌ No |
| Outbound SCIM (from BambooHR to IdP) | ✓ Via IdP integrations |
| Create users in BambooHR | ❌ Manual only |
| Update users in BambooHR | ❌ Manual only |
| Deactivate users in BambooHR | ❌ Manual only |
The fundamental limitation: BambooHR positions itself as your HR system of record. When employees join, change roles, or leave, BambooHR pushes those changes to your IdP—but your IdP can't push user lifecycle changes back to BambooHR.
Real-world implications
This creates a manual bottleneck: HR must create every new employee account directly in BambooHR before automated provisioning can kick in downstream. There's no way to bulk import users from your IdP or automate the initial account creation process.
For teams expecting standard SCIM (where your IdP manages BambooHR users), this model requires process changes and manual intervention that defeats the purpose of automated provisioning.
What IT admins are saying
Community sentiment on BambooHR's provisioning model reveals confusion about data flow direction:
- IT teams expect to provision users TO BambooHR from their IdP, but BambooHR works the opposite way
- One-way sync from BambooHR means all employee changes must originate in the HR system
- Integration quality varies significantly depending on which IdP you're using
- The "HR-centric" approach conflicts with IT-managed identity workflows
BambooHR-centric provisioning model can be confusing
One-way sync means changes must originate in BambooHR
The recurring theme
BambooHR's role as an HR system of record creates an inverted provisioning model that catches IT teams off guard. Instead of pushing users into BambooHR, you're pulling employee data out of it to feed other systems.
The decision
| Your Situation | Recommendation |
|---|---|
| Small HR team managing <25 employees | Manual user management is acceptable for this scale |
| BambooHR as your primary identity source | Use native SCIM integrations where available (Okta, JumpCloud) |
| Need inbound provisioning TO BambooHR | Use Stitchflow: BambooHR doesn't support inbound SCIM |
| Mixed IdP environment or using Entra ID | Use Stitchflow: native support varies significantly by IdP |
| Enterprise with complex HR-driven workflows | Use Stitchflow: automation essential for reliable onboarding/offboarding |
The bottom line
BambooHR excels at outbound provisioning to IdPs but has zero support for inbound SCIM—meaning you can't automatically provision users into BambooHR from your directory. For organizations that need true bidirectional provisioning or use IdPs with limited BambooHR integration, Stitchflow provides the missing automation layer.
Automate BambooHR without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for BambooHR at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Not specifiedPlan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- SCIM is typically one-way FROM BambooHR (HR source) TO IdPs
- BambooHR is usually the identity source, not destination
- Signed certificate required for SAML
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Custom required for SCIM
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Custom required for SCIM
Use Stitchflow for automated provisioning.
Unlock SCIM for
BambooHR
BambooHR doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works