Summary and recommendation
CircleCI, the popular CI/CD platform, does not offer native SCIM provisioning capabilities. While CircleCI supports SAML 2.0 SSO on their Scale plan ($300+/month), automated user provisioning is only available through Okta's CircleCI connector using SCIM 2.0. This creates a significant limitation: organizations using Azure Entra ID, Google Workspace, or OneLogin as their primary identity provider cannot automate CircleCI user lifecycle management, forcing IT teams to manually provision and deprovision developer accounts in a platform that handles sensitive source code and build secrets.
The lack of universal SCIM support creates a compliance and security risk for DevOps teams. Manual provisioning means delayed access for new developers joining projects, and more critically, potential delays in deprovisioning when team members leave—leaving former employees with access to CI/CD pipelines, source code repositories, and build secrets. For organizations not using Okta, the choice becomes accepting manual user management overhead or switching identity providers solely to enable CircleCI automation.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for CircleCI that works with any identity provider—Okta, Azure Entra ID, Google Workspace, or OneLogin. No dependency on specific IdP connectors or Scale plan requirements. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No SCIM available |
| Microsoft Entra ID | ✓ | ❌ | No SCIM available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages CircleCI accounts manually. Here's what that costs:
The CircleCI pricing problem
CircleCI gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (30,000 credits, 5 users) | ||
| Performance | $30/month (2,500 build minutes) | ||
| Scale | $300-$1,000+/month (25,000+ build minutes) | ||
| Server | ~$93,000/year (on-prem, 50 licenses) |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (30,000 credits, 5 users) | ||
| Performance | $30/month (2,500 build minutes) | ||
| Scale | $300-$1,000+/month (25,000+ build minutes) | ||
| Server | ~$93,000/year (on-prem, 50 licenses) |
What this means in practice
For teams on Performance plans: Moving from $30/month to $300+/month represents a 10x cost increase just to enable user provisioning. Many development teams can't justify this jump for SSO alone.
For multi-IdP environments: CircleCI's SCIM integration only works through Okta's connector. Organizations using Entra ID, Google Workspace, or OneLogin must either switch to Okta or manage CircleCI users manually.
Scale plan requirement creates budget friction: Development teams often start with Performance plans for the build minutes, then hit an expensive wall when they need centralized user management.
Additional constraints
Summary of challenges
- CircleCI does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What CircleCI actually offers for identity
SAML SSO (Scale plan required)
CircleCI supports SAML 2.0 integration for single sign-on:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Azure AD, OneLogin, custom SAML providers |
| Plan requirement | Scale plan ($300+/month minimum) |
| User provisioning | JIT (Just-in-Time) supported |
| Configuration | Contact CircleCI for Scale/Server setup |
Critical limitation: Personal API tokens require SSO authentication when SSO is enabled, which can complicate CI/CD automation workflows.
SCIM Provisioning (Okta only)
CircleCI doesn't offer native SCIM - provisioning only works through Okta's integration:
| Feature | Support |
|---|---|
| Native SCIM API | ❌ No |
| Okta SCIM connector | ✓ Yes (Scale plan) |
| Azure AD provisioning | ❌ No |
| Google Workspace | ❌ No SSO support |
| OneLogin provisioning | ❌ No |
The Okta integration provides:
Real-world impact: If you're using Azure AD, Google Workspace, or OneLogin as your primary IdP, you have no automated provisioning options. You're stuck with manual user management or need to implement a complex Okta passthrough setup.
What's missing for most teams
The Scale plan requirement means you're paying $3,600+/year minimum just to get basic identity management. Most of that cost goes toward build credits you may not need - there's no identity-only pricing tier.
For DevOps teams managing CI/CD access across multiple repositories and environments, the Okta-only SCIM limitation creates significant operational overhead if you're standardized on a different IdP.
What IT admins are saying
Community sentiment on CircleCI's provisioning reveals frustration with limited automation options and scaling costs:
- No native SCIM support - Must use Okta's connector for any automated provisioning
- Scale plan requirement - SSO and SCIM features locked behind expensive tier ($300-1,000+/month)
- API token complications - Personal tokens require SSO authentication when SSO is enabled
- GitHub SSO conflicts - OAuth token invalidation issues when GitHub SSO is also configured
Personal API tokens require SSO auth when SSO enabled
GitHub SSO conflicts can invalidate OAuth tokens
The recurring theme
CircleCI forces IT teams into expensive Scale plans for basic provisioning automation, while lacking native SCIM means you're dependent on third-party connectors like Okta's integration just to automate user lifecycle management.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<10 developers) on Free/Performance plans | Manual management is acceptable |
| Growing development team on Scale plan with Okta | Use native Okta SCIM connector |
| Development team using Entra ID or Google Workspace | Use Stitchflow: no native SCIM support for these IdPs |
| Enterprise with multiple CI/CD tools and compliance needs | Use Stitchflow: centralized automation across DevOps stack |
| Teams frequently onboarding/offboarding contractors | Use Stitchflow: automation essential for access control |
The bottom line
CircleCI offers SCIM provisioning only through Okta on expensive Scale plans ($300+/month), leaving teams using Entra ID or Google Workspace without automation options. For organizations that need consistent provisioning across their entire DevOps toolchain, Stitchflow provides universal automation regardless of your IdP or CircleCI plan.
Automate CircleCI without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for CircleCI at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Native SCIM not documented - SCIM via Okta
- Scale plan required for SSO/SCIM
- Personal API tokens require SSO auth when SSO enabled
- GitHub SSO conflicts can invalidate OAuth tokens
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Unlock SCIM for
CircleCI
CircleCI doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
