Summary and recommendation
Braintree supports native SCIM 2.0 provisioning, but only for Enterprise merchants who complete a complex multi-step onboarding process. You must first configure SSO, onboard through their sandbox environment, convert all existing non-SSO users, and then request SCIM enablement. Once enabled, you lose the ability to manage SSO users through Braintree's UI entirely—everything must go through your IdP.
The rigid prerequisites create significant friction for payment teams. The sandbox requirement alone adds weeks to deployment timelines, and the all-or-nothing approach to user management means you can't gradually roll out automated provisioning. For organizations processing payments across multiple merchant accounts with complex role hierarchies, this inflexibility becomes a major operational constraint.
The strategic alternative
Stitchflow provides SCIM-level provisioning for Braintree through resilient browser automation, without the complex prerequisites or sandbox requirements. It works with any Braintree plan and supports gradual rollout strategies. Pricing is flat, under $5K/year, with 24/7 human-in-the-loop support for payment-critical access management.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Braintree accounts manually. Here's what that costs:
The Braintree pricing problem
Braintree gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | 2.59% + $0.49/transaction | | |
| Gateway Only | $49/mo + $0.10/transaction | | |
| Enterprise | Custom rates (typically $80k+/mo volume) | | |
Note: SCIM is only available to "SSO merchants" on enterprise contracts. Transaction-based pricing means costs scale with payment volume, not user count.
What this means in practice
Unlike seat-based SaaS apps, Braintree's barrier isn't a simple tier upgrade. The prerequisite chain creates significant implementation friction:
Required sequence
1. Negotiate enterprise contract with custom transaction rates
2. Complete full SSO implementation and testing
3. Convert all existing non-SSO users to SSO
4. Set up sandbox environment for SCIM testing
5. Complete sandbox SCIM onboarding
6. Enable production SCIM
Timeline impact: Most implementations take 4-8 weeks due to the mandatory sandbox phase and user conversion requirements.
Additional constraints
Summary of challenges
- Braintree supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Braintree doesn't sell SCIM separately. It's bundled with their Enterprise payment processing features, but requires existing SSO setup first:
The catch: you must already be an "SSO merchant" before SCIM can be enabled, and all existing non-SSO users must be converted first. Plus, you're required to complete sandbox onboarding before production setup.
Stitchflow Insight
If you're already using Braintree Enterprise with SSO configured, adding SCIM makes sense. But if you just want automated user provisioning without the complex prerequisites and sandbox requirements, you're dealing with significant implementation friction. We estimate the SSO prerequisite and mandatory sandbox phase adds 4-6 weeks to most SCIM deployments.
What IT admins are saying
Community sentiment on Braintree's SCIM prerequisites is mixed, with admins appreciating the functionality but frustrated by implementation barriers. Common complaints:
- Mandatory sandbox onboarding adds weeks to deployment timelines
- SSO prerequisite creates chicken-and-egg scenarios for new implementations
- Converting existing non-SSO users before SCIM enablement is tedious
- Group management limitations force manual role assignments in the UI
The sandbox requirement seems excessive for something as standard as SCIM provisioning. We're already managing production payment systems - we don't need training wheels.
Once SCIM is enabled, you lose the ability to manage SSO users in the Braintree UI entirely. Hope your IdP integration is bulletproof.
The recurring theme
Braintree's SCIM works well but the onboarding process is overly complex, with strict prerequisites that slow enterprise rollouts and create operational dependencies on perfect IdP configuration.
The decision
| Your Situation | Recommendation |
|---|---|
| Not Enterprise, need SCIM | Use Stitchflow: avoid the Enterprise tier requirement and complex prerequisites |
| Enterprise tier but complex SSO/sandbox setup feels overwhelming | Use Stitchflow: skip the sandbox onboarding and SSO conversion requirements |
| Already Enterprise with SSO configured | Use native SCIM: you're paying for it and meet the prerequisites |
| Need payment processing beyond Braintree | Evaluate competitors: consider if SCIM access is worth the Enterprise commitment |
| Small payment team, low user churn | Manual may work: but monitor for security gaps in financial access |
The bottom line
Braintree's SCIM requires Enterprise tier plus a complex prerequisite chain (SSO setup, sandbox onboarding, user conversion). For payment teams that need provisioning automation without the tier upgrade and setup complexity, Stitchflow eliminates the friction.
Automate Braintree without the tier upgrade
Stitchflow delivers SCIM-level provisioning for Braintree through resilient browser automation, backed by 24/7 human-in-the-loop support, at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SSO must be configured before SCIM
- Sandbox onboarding REQUIRED before production
- All non-SSO users must be converted before SCIM enablement
- Cannot create/delete groups via SCIM (roles/merchant accounts managed in UI)
- Once SCIM enabled, cannot create/edit SSO users in Braintree UI
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
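Because provisioning is driven by IdP app assignments and SSO users can no longer be edited in the Braintree UI once SCIM is on, drift between the two has to be caught by comparison. The following is an added example, not Braintree's or Stitchflow's code: it reconciles a standard SCIM 2.0 ListResponse (RFC 7644) against the IdP's assignment list. The sample data, the `reconcile` name, and the assumption that `userName` and `active` are returned are hypothetical, since the page lists supported attributes as not specified.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: body of a SCIM 2.0 GET /Users response. Usernames are made up.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "bob@example.com", "active": True},
        {"id": "u3", "userName": "carol@example.com", "active": False},
        {"id": "u4", "userName": "Dave@Example.com", "active": True},
    ],
})

# Constructed sample: users currently assigned to the app in the IdP.
SAMPLE_IDP_ASSIGNED = ["alice@example.com", "carol@example.com", "dave@example.com"]


def reconcile(list_response_json, idp_assigned):
    """Compare IdP assignments with SCIM user state and report drift."""
    body = json.loads(list_response_json)
    if LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = body.get("Resources", [])
    if body.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paged response: fetch all pages before reconciling")

    # userName is case-insensitive in the SCIM core schema, so normalise both sides.
    assigned = {u.strip().lower() for u in idp_assigned}
    # "active" is optional; treat a missing value as active so the account
    # is reviewed rather than silently skipped.
    state = {r["userName"].strip().lower(): r.get("active", True) for r in resources}

    return {
        # Live in the app with no IdP assignment: a deactivation did not land.
        "orphaned": sorted(u for u, a in state.items() if a and u not in assigned),
        # Assigned in the IdP but deactivated in the app.
        "inactive_but_assigned": sorted(
            u for u, a in state.items() if not a and u in assigned),
        # Assigned in the IdP but never created in the app.
        "missing": sorted(assigned - set(state)),
    }
```

Any entry under `orphaned` is an account that still has access to payment systems after the IdP believes it was removed, so it is the list to review first.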
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.


