Buildkite SCIM guide

CircleCI, the popular CI/CD platform, does not offer native SCIM provisioning capabilities. While CircleCI supports SAML 2.0 SSO on their Scale plan ($300+/month), automated user provisioning is only available through Okta's CircleCI connector using SCIM 2.0. This creates a significant limitation: organizations using Azure Entra ID, Google Workspace, or OneLogin as their primary identity provider cannot automate CircleCI user lifecycle management, forcing IT teams to manually provision and deprovision developer accounts in a platform that handles sensitive source code and build secrets. The lack of universal SCIM support creates a compliance and security risk for DevOps teams. Manual provisioning means delayed access for new developers joining projects, and more critically, potential delays in deprovisioning when team members leave—leaving former employees with access to CI/CD pipelines, source code repositories, and build secrets. For organizations not using Okta, the choice becomes accepting manual user management overhead or switching identity providers solely to enable CircleCI automation.

Jenkins, the open-source CI/CD platform, does not support SCIM provisioning on any plan. While Jenkins offers SAML 2.0 SSO through plugins like the SAML plugin or miniOrange SAML SP, this only provides authentication with just-in-time (JIT) provisioning—meaning user accounts are created automatically on first login but there's no automated lifecycle management thereafter. For DevOps teams managing Jenkins across development, staging, and production environments, this creates a significant security gap when developers or contractors leave the organization. The lack of SCIM support means IT teams have no automated way to deprovision users, disable accounts, or update permissions when roles change. Unlike other enterprise tools that might have admin dashboards for manual user management, Jenkins relies heavily on configuration files and role-based authorization plugins, making manual deprovisioning both time-consuming and error-prone. This is particularly problematic for Jenkins given its access to critical CI/CD pipelines, deployment keys, and production infrastructure—exactly the type of access that needs immediate revocation during offboarding.

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.