Summary and recommendation
Cloudflare supports SCIM for automated user provisioning, but only on Enterprise plans with custom pricing. The integration works with just two identity providers (Okta and Microsoft Entra ID), leaving Google Workspace and OneLogin users without native provisioning options. Even more problematic: SCIM Virtual Groups are being discontinued in December 2025, forcing teams to rebuild their group-based access policies using alternative methods.
For security teams, this creates a significant gap. Cloudflare's Zero Trust platform (Access and Gateway) is designed to protect network access and web traffic based on user identity - but without reliable provisioning from other IdPs, you're stuck with manual user management or risky workarounds. SSO alone doesn't solve this: users may authenticate successfully but lack proper group memberships for policy enforcement, or worse, remain active in Cloudflare after being deactivated in your IdP.
The strategic alternative
Cloudflare gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cloudflare accounts manually. Here's what that costs:
The Cloudflare pricing problem
Cloudflare gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0/mo (up to 50 Zero Trust users) | | |
| Zero Trust Standard | $7/user/mo | | |
| Access Only | $3/user/mo | | |
| Gateway Only | $5/user/mo | | |
| Enterprise | Custom pricing | | |
Note: CDN and website security services are priced separately per domain. SCIM is exclusively available on Enterprise plans.
What this means in practice
Without transparent Enterprise pricing, teams face uncertainty when budgeting for SCIM access:
Known challenges
Upgrade impact estimate for Zero Trust Standard → Enterprise
| Team Size | Est. Annual Premium |
|---|---|
| 50 users | $10,000 - $25,000+ |
| 100 users | $20,000 - $50,000+ |
| 200 users | $40,000 - $100,000+ |
Additional constraints
Summary of challenges
- Cloudflare supports SCIM, but only at the Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Cloudflare doesn't sell SCIM separately. It's exclusively bundled with Enterprise plans that include extensive security and networking features:
The reality: if you're primarily using Cloudflare for CDN and basic security, roughly 80% of Enterprise features are overkill for teams that simply need user provisioning. You're paying enterprise rates for network infrastructure capabilities when you just want to sync users from your IdP.
The bigger limitation: SCIM only works with two identity providers (Okta and Microsoft Entra). Teams using Google Workspace, OneLogin, or other IdPs are locked out entirely, regardless of what they're willing to pay.
What IT admins are saying
Community sentiment on Cloudflare's SCIM implementation is mixed, with frustration centered on pricing barriers and IdP limitations. Common complaints:
- Being locked into Enterprise pricing just for basic user provisioning
- Limited to only Okta and Microsoft Entra ID (no Google Workspace support)
- Lack of nested group support for complex organizational structures
- SCIM Virtual Groups being discontinued in December 2025
The Enterprise requirement is frustrating when you just need basic SCIM for a small security team. We're paying for features we don't use.
Only supporting two IdPs in 2024 feels really limiting. We're stuck because we use Google Workspace.
The recurring theme
Essential security automation is gated behind enterprise pricing, while IdP support limitations force infrastructure decisions around Cloudflare's constraints rather than organizational needs.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise, need SCIM | Use Stitchflow: avoid the Enterprise upgrade costs |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Only using Okta or Entra ID | Native SCIM works: but watch for nested group limitations |
| Need Google Workspace or OneLogin support | Use Stitchflow: native SCIM only supports two IdPs |
| Complex group structures with nesting | Use Stitchflow: native doesn't support nested groups |
The bottom line
Cloudflare's Enterprise-only SCIM requirement creates a significant cost barrier for teams on lower tiers, while the two-IdP limitation excludes Google Workspace and OneLogin users entirely. For organizations needing provisioning automation without the Enterprise upgrade or broader IdP support, Stitchflow delivers the same outcomes at a fraction of the cost.
Make Cloudflare workflows AI-native
Cloudflare gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise only
- Only Okta and Microsoft Entra supported
- Nested groups not supported
- SCIM Virtual Groups end-of-life Dec 2025
- Super Administrator required for initial setup
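An audit sketch for two gaps this page describes (accounts that stay active after IdP deactivation, and no nested-group support), added here as an example; it is not Cloudflare's or Stitchflow's code. The snapshots are constructed, the `group:` prefix and function names are assumptions, and the PatchOp body follows SCIM 2.0 (RFC 7644) rather than any documented Cloudflare endpoint.

```python
# Constructed IdP snapshot: group -> members; "group:<name>" marks a nested group (assumed convention).
IDP_GROUPS = {
    "security": ["alice@example.com", "group:soc"],
    "soc": ["bob@example.com", "group:soc-oncall"],
    "soc-oncall": ["Carol@example.com", "group:soc"],  # cycle back to soc, on purpose
}
IDP_ACTIVE = {"alice@example.com", "bob@example.com"}  # carol was deactivated in the IdP
# Constructed app-side export shaped like SCIM 2.0 User resources (id, userName, active).
APP_USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "carol@example.com", "active": True},
    {"id": "u3", "userName": "dave@example.com", "active": True},   # never existed in the IdP
    {"id": "u4", "userName": "erin@example.com", "active": False},
]

def flatten(group, groups, _seen=None):
    """Expand nested groups into one flat member set; the shared seen-set stops cycles."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member.startswith("group:"):
            users |= flatten(member[len("group:"):], groups, seen)
        else:
            users.add(member.lower())
    return users

def effective_members(group, groups, idp_active):
    """Flat membership to sync: nested members minus anyone no longer active in the IdP."""
    return flatten(group, groups) & {u.lower() for u in idp_active}

def orphaned(app_users, idp_active):
    """App accounts still active although the IdP does not list the user as active."""
    active = {u.lower() for u in idp_active}
    return [u for u in app_users if u["active"] and u["userName"].lower() not in active]

def deactivate_patch():
    """SCIM 2.0 PatchOp body that sets active=false on a User resource."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

if __name__ == "__main__":
    print(sorted(effective_members("security", IDP_GROUPS, IDP_ACTIVE)))
    for user in orphaned(APP_USERS, IDP_ACTIVE):
        print("PATCH /Users/" + user["id"], deactivate_patch())
```

Run it against real exports on a schedule: any row returned by `orphaned` is an account that SSO alone would not have closed.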
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM provisioning for Cloudflare One (Access/Gateway). Supports user and group sync. Only Okta and Microsoft Entra ID are supported for SCIM.
Cloudflare gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Native SCIM integration for Microsoft Entra ID. Users are automatically deprovisioned when they are deactivated in the IdP.