Summary and recommendation
Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords.
This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Bitwarden that works with any plan, including the free tier. Our automation handles the complete user lifecycle, including vault invitation acceptance and proper deprovisioning verification. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Bitwarden accounts manually. Here's what that costs:
The Bitwarden pricing problem
Bitwarden gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 | ||
| Teams | $4/user/mo | ||
| Enterprise | $6/user/mo |
Note: Both Teams and Enterprise include full SCIM support. Enterprise adds policy enforcement, event logs, and advanced compliance features.
What this means in practice
Using current list prices (Free → Teams for SCIM access):
| Team Size | Upgrade to Teams | Upgrade to Enterprise |
|---|---|---|
| 50 users | $2,400/year | $3,600/year |
| 100 users | $4,800/year | $7,200/year |
| 200 users | $9,600/year | $14,400/year |
Calculation: Teams ($4 × users × 12) or Enterprise ($6 × users × 12)
Additional constraints
Summary of challenges
- Bitwarden supports SCIM but only at Enterprise tier ($6/user/month)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Bitwarden doesn't sell SCIM standalone. Starting at Teams tier ($4/user/month), it's bundled with enterprise password management features:
Enterprise tier ($6/user/month) adds:
Most organizations need these security controls anyway, making the Teams upgrade logical. However, if you're evaluating purely on provisioning capability, roughly 60% of the bundled features are administrative conveniences rather than core identity automation. The real value is SCIM + SSO working together for immediate vault access revocation when employees leave.
What IT admins are saying
Community sentiment on Bitwarden's SCIM implementation is generally positive, but admins highlight specific configuration challenges. Common concerns:
- SSO setup complexity for maintaining zero-knowledge architecture
- Key Connector implementation requires significant IT resources for self-hosted deployments
- Directory Connector as fallback adds another system to maintain
- Trusted device configuration needed for optimal passwordless experience
The Key Connector setup is more involved than expected - you really need to understand the cryptographic implications before implementing it in production.
SSO with Bitwarden works well once configured, but the zero-knowledge setup isn't as straightforward as other password managers.
The recurring theme
While Bitwarden's SCIM works reliably and pricing is reasonable, the security-first architecture creates configuration complexity that requires careful planning and technical expertise.
The decision
| Your Situation | Recommendation |
|---|---|
| On Free tier, need SCIM | Use Stitchflow: avoid the $4-6/user/month upgrade |
| Already on Teams/Enterprise | Use native SCIM: you're paying for it |
| Need password management for contractors/temps | Use Stitchflow: flexible provisioning without seat commitments |
| Security team requires instant deprovisioning | Either works: both provide immediate vault access revocation |
| Small team with low turnover | Manual may work: but password vault access is high-stakes |
The bottom line
Bitwarden includes SCIM starting at $4/user/month on Teams, but many organizations start on the free tier and want provisioning automation before upgrading. For teams that need SCIM without the seat-based commitment, Stitchflow provides managed automation at flat pricing.
Automate Bitwarden without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Bitwarden at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Teams or Enterprise tier required
- SSO with trusted devices is advanced feature
- Key Connector requires significant IT resources
- Directory Connector as SCIM alternative for legacy systems
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Bitwarden
Bitwarden gates automation behind Teams/Enterprise plan. Stitchflow delivers the same SCIM outcomes for a flat fee.
See how it works
