Summary and recommendation
Brandwatch, the social media analytics platform, does not support SCIM provisioning despite offering enterprise-grade SSO through SAML 2.0 and JWT. While Brandwatch integrates with Okta for authentication, it lacks automatic user provisioning—meaning IT admins must manually create each Brandwatch account before users can authenticate via SSO. This creates a significant operational bottleneck for marketing teams that need quick access to social listening tools, especially during campaign launches or crisis monitoring situations.
The manual provisioning requirement becomes particularly problematic given Brandwatch's strict user limits and custom enterprise pricing model starting at $10,000-$18,000 annually. Each manually created user counts against your account limit, making user lifecycle management a costly exercise in seat optimization. Without automated deprovisioning, former employees may retain access to sensitive brand monitoring data, creating compliance risks for organizations managing multiple social media accounts and confidential competitive intelligence.
The strategic alternative
Brandwatch has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, JWT |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No SCIM available |
| Microsoft Entra ID | ✓ | ❌ | No SCIM available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Brandwatch accounts manually. Here's what that costs:
The Brandwatch pricing problem
Brandwatch gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | $10,000-$18,000/year |
Pricing structure
| Plan | Pricing | SSO | SCIM Provisioning |
|---|---|---|---|
| Enterprise | $10,000-$18,000/year | ✓ SAML/JWT | ❌ Manual only |
Important: Brandwatch requires custom enterprise pricing (typically $10K-$18K annually) for any SSO functionality. There are no standard published plans.
What this means in practice
Even with enterprise SSO enabled, Brandwatch administrators must:
1. Manually create each user account in the Brandwatch platform before they can authenticate 2. Configure subdomain setup for SAML (JWT is easier but less secure) 3. Manage user limits - every user counts against your account's seat allocation 4. Handle offboarding manually when employees leave
This creates a significant administrative burden, especially for marketing teams with frequent contractor or seasonal staff changes.
Additional constraints
Summary of challenges
- Brandwatch does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Brandwatch actually offers for identity
SSO Authentication (Enterprise required)
Brandwatch supports single sign-on through multiple protocols:
| Setting | Details |
|---|---|
| Protocols | SAML 2.0, JWT |
| Supported IdPs | Okta, Entra ID, generic SAML providers |
| SAML setup | Requires dedicated subdomain configuration |
| JWT setup | Simpler configuration, less secure |
| JIT provisioning | ❌ Not supported |
Critical limitation: Brandwatch's SSO only handles authentication. Each user account must still be manually created by an admin before SSO login works.
Okta Integration (via OIN)
The official Okta Integration Network listing shows surprising SCIM support:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| SCIM provisioning | ✓ Yes |
| Create users | ✓ Yes |
| Update users | ✓ Yes |
| Deactivate users | ✓ Yes |
| Group linking | ✓ Yes |
Reality check: Despite the Okta listing claiming SCIM support, Brandwatch's own documentation makes no mention of automatic user provisioning. Community feedback consistently reports manual user creation requirements, even with Okta.
What's actually included with Enterprise
The Enterprise tier bundles SSO with social media analytics features most IT teams don't need:
For teams that just need user provisioning automation, you're paying $18,000+/year for social media analytics capabilities you'll never use, while still manually creating user accounts.
What IT admins are saying
Brandwatch's lack of automated provisioning creates ongoing friction for IT teams managing social media analytics access:
- No automatic user provisioning - admins must manually create each Brandwatch account even with SSO enabled
- Users count against account limits, creating capacity management headaches
- SAML setup requires dedicated subdomain configuration
- Manual user lifecycle management increases security risks and administrative overhead
Does NOT automatically provision new user accounts - admin must create Brandwatch account for each user
Each user counts against account user limit
The recurring theme
Even with enterprise-grade SSO, Brandwatch treats authentication and provisioning as separate processes. When marketing teams scale up or down, IT admins must manually manage user accounts in addition to identity provider changes, creating double work and potential security gaps.
The decision
| Your Situation | Recommendation |
|---|---|
| Small marketing team (<10 users) with stable roster | Manual user creation with SSO is manageable |
| Marketing team using Okta with SCIM requirements | Consider native Okta integration, but expect manual account creation |
| Growing social media team (20+ users) | Use Stitchflow: automation essential for scaling |
| Enterprise with compliance and audit requirements | Use Stitchflow: automated provisioning provides proper audit trail |
| Multi-brand organization with frequent team changes | Use Stitchflow: manual provisioning becomes unworkable at scale |
The bottom line
Brandwatch offers powerful social listening capabilities but lacks true automated user provisioning—even with Okta integration, admins must manually create each account. For marketing teams that need seamless onboarding and offboarding without manual overhead, Stitchflow provides the automation that Brandwatch's native tools simply don't deliver.
Make Brandwatch workflows AI-native
Brandwatch has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Does NOT automatically provision new user accounts
- Admin must create Brandwatch account for each user
- Each user counts against account user limit
- SAML requires dedicated subdomain setup
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Unlock SCIM for
Brandwatch
Brandwatch has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
