Summary and recommendation
Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords.
This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.
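One way to check for the gap described above, as an added example that is not Bitwarden or Stitchflow code: compare the identity provider's view with a member export from the password manager and report who is assigned but cannot yet use the vault, who has left but is still active, and which collections a leaver could have cached. The record layout, the status labels (`invited`, `accepted`, `confirmed`, `revoked`) and all sample data are assumptions constructed for illustration.

```python
# Added example: reconcile IdP state against a password-manager member export.
# All records are constructed; field names and status labels are assumptions.
ACTIVE_STATES = {"invited", "accepted", "confirmed"}

def reconcile(idp_assigned, idp_terminated, members):
    """Return the gaps that an IdP 'provisioned' flag does not show."""
    by_email = {m["email"].lower(): m for m in members}
    report = {"missing": [], "pending_onboarding": [],
              "still_active": [], "exposed_collections": set()}

    for email in sorted(e.lower() for e in idp_assigned):
        member = by_email.get(email)
        if member is None:
            report["missing"].append(email)             # create never landed
        elif member["status"] != "confirmed":
            report["pending_onboarding"].append(email)  # invite or key setup unfinished

    for email in sorted(e.lower() for e in idp_terminated):
        member = by_email.get(email)
        if member is None:
            # Account already removed: its collections must come from an
            # export taken before offboarding, not from this one.
            continue
        if member["status"] in ACTIVE_STATES:
            report["still_active"].append(email)        # deprovisioning did not apply
        # A client may keep a cached copy until its next sync, so every
        # collection a leaver could read is a rotation candidate.
        report["exposed_collections"].update(member["collections"])

    report["exposed_collections"] = sorted(report["exposed_collections"])
    return report

# Constructed sample input (hypothetical users and collection names).
IDP_ASSIGNED = {"alice@example.com", "Bob@example.com", "carol@example.com"}
IDP_TERMINATED = {"dave@example.com", "erin@example.com", "frank@example.com"}
MEMBERS = [
    {"email": "alice@example.com", "status": "confirmed", "collections": ["prod-db"]},
    {"email": "bob@example.com", "status": "invited", "collections": []},
    {"email": "dave@example.com", "status": "confirmed",
     "collections": ["prod-db", "aws-root"]},
    {"email": "erin@example.com", "status": "revoked", "collections": ["billing"]},
]

if __name__ == "__main__":
    for gap, entries in reconcile(IDP_ASSIGNED, IDP_TERMINATED, MEMBERS).items():
        print(f"{gap}: {entries}")
```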
The strategic alternative
Bitwarden gates SCIM behind Teams/Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Bitwarden accounts manually.
The Bitwarden pricing problem
Bitwarden gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 | | |
| Teams | $4/user/mo | | |
| Enterprise | $6/user/mo | | |
Note: Both Teams and Enterprise include full SCIM support. Enterprise adds policy enforcement, event logs, and advanced compliance features.
What this means in practice
Using current list prices (Free → Teams for SCIM access):
| Team Size | Upgrade to Teams | Upgrade to Enterprise |
|---|---|---|
| 50 users | $2,400/year | $3,600/year |
| 100 users | $4,800/year | $7,200/year |
| 200 users | $9,600/year | $14,400/year |
Calculation: Teams ($4 × users × 12) or Enterprise ($6 × users × 12)
Additional constraints
Summary of challenges
- Bitwarden supports SCIM but only at Enterprise tier ($6/user/month)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Bitwarden doesn't sell SCIM standalone. Starting at Teams tier ($4/user/month), it's bundled with enterprise password management features:
Enterprise tier ($6/user/month) adds:
Most organizations need these security controls anyway, making the Teams upgrade logical. However, if you're evaluating purely on provisioning capability, roughly 60% of the bundled features are administrative conveniences rather than core identity automation. The real value is SCIM + SSO working together for immediate vault access revocation when employees leave.
What IT admins are saying
Community sentiment on Bitwarden's SCIM implementation is generally positive, but admins highlight specific configuration challenges. Common concerns:
- SSO setup complexity for maintaining zero-knowledge architecture
- Key Connector implementation requires significant IT resources for self-hosted deployments
- Directory Connector as fallback adds another system to maintain
- Trusted device configuration needed for optimal passwordless experience
The Key Connector setup is more involved than expected - you really need to understand the cryptographic implications before implementing it in production.
SSO with Bitwarden works well once configured, but the zero-knowledge setup isn't as straightforward as other password managers.
The recurring theme
While Bitwarden's SCIM works reliably and pricing is reasonable, the security-first architecture creates configuration complexity that requires careful planning and technical expertise.
The decision
| Your Situation | Recommendation |
|---|---|
| On Free tier, need SCIM | Use Stitchflow: avoid the $4-6/user/month upgrade |
| Already on Teams/Enterprise | Use native SCIM: you're paying for it |
| Need password management for contractors/temps | Use Stitchflow: flexible provisioning without seat commitments |
| Security team requires instant deprovisioning | Either works: both provide immediate vault access revocation |
| Small team with low turnover | Manual may work: but password vault access is high-stakes |
The bottom line
Bitwarden gates SCIM behind Teams/Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Teams or Enterprise tier required
- SSO with trusted devices is an advanced feature
- Key Connector requires significant IT resources
- Directory Connector as SCIM alternative for legacy systems
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).


