Summary and recommendation
Cloudflare supports SCIM for automated user provisioning, but only on Enterprise plans with custom pricing. The integration works with just two identity providers (Okta and Microsoft Entra ID), leaving Google Workspace and OneLogin users without native provisioning options. Even more problematic: SCIM Virtual Groups are being discontinued in December 2025, forcing teams to rebuild their group-based access policies using alternative methods.
For security teams, this creates a significant gap. Cloudflare's Zero Trust platform (Access and Gateway) is designed to protect network access and web traffic based on user identity - but without reliable provisioning from other IdPs, you're stuck with manual user management or risky workarounds. SSO alone doesn't solve this: users may authenticate successfully but lack proper group memberships for policy enforcement, or worse, remain active in Cloudflare after being deactivated in your IdP.
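The two failure modes above (accounts still active in Cloudflare after IdP deactivation, and users who authenticate but lack group memberships) can be detected by reconciling an IdP export against the accounts present in Cloudflare. This is an added example, not Stitchflow's or Cloudflare's code. The record fields (`email`, `active`, `groups`, `deactivated_at`) and the sample data are assumptions, and the grace window reuses the 40-minute Entra sync cycle cited later on this page.

```python
from datetime import datetime, timedelta, timezone

# The page cites a typical 40-minute Entra provisioning cycle; used as grace window.
SYNC_GRACE = timedelta(minutes=40)

def reconcile(idp_users, cf_users, now, grace=SYNC_GRACE):
    """Return sorted (email, finding, detail) tuples for active Cloudflare accounts."""
    idp = {u["email"].strip().lower(): u for u in idp_users}
    findings = []
    for cf in cf_users:
        if not cf["active"]:
            continue
        email = cf["email"].strip().lower()
        src = idp.get(email)
        if src is None:
            findings.append((email, "ORPHANED", "no matching IdP account"))
        elif not src["active"]:
            off = src.get("deactivated_at")
            # Recently deactivated: the next sync cycle may still remove it.
            if off is not None and now - off <= grace:
                findings.append((email, "PENDING_SYNC", "inside sync window"))
            else:
                findings.append((email, "ORPHANED", "deactivated in IdP"))
        else:
            # Authenticates fine, but group-based policies cannot match.
            missing = sorted(set(src["groups"]) - set(cf["groups"]))
            if missing:
                findings.append((email, "MISSING_GROUPS", ",".join(missing)))
    return sorted(findings)

# Constructed sample exports (field names are assumptions, not a vendor schema).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
IDP_EXPORT = [
    {"email": "alice@example.com", "active": True, "groups": ["eng", "vpn"]},
    {"email": "bob@example.com", "active": False, "groups": [], "deactivated_at": NOW - timedelta(days=3)},
    {"email": "carol@example.com", "active": False, "groups": [], "deactivated_at": NOW - timedelta(minutes=10)},
    {"email": "dave@example.com", "active": True, "groups": ["finance"]},
]
CF_EXPORT = [
    {"email": "Alice@Example.com", "active": True, "groups": ["eng"]},
    {"email": "bob@example.com", "active": True, "groups": ["eng"]},
    {"email": "carol@example.com", "active": True, "groups": []},
    {"email": "dave@example.com", "active": True, "groups": ["finance"]},
    {"email": "erin@example.com", "active": True, "groups": []},
]

if __name__ == "__main__":
    for row in reconcile(IDP_EXPORT, CF_EXPORT, NOW):
        print(*row, sep="\t")
```

`ORPHANED` rows are the offboarding gap, `MISSING_GROUPS` rows are accounts whose group-based policies will not match, and `PENDING_SYNC` rows should clear on the next provisioning cycle.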
The strategic alternative
Cloudflare gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cloudflare accounts manually. Here's what that costs:
The Cloudflare pricing problem
Cloudflare gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0/mo (up to 50 Zero Trust users) | | |
| Zero Trust Standard | $7/user/mo | | |
| Access Only | $3/user/mo | | |
| Gateway Only | $5/user/mo | | |
| Enterprise | Custom pricing | | |
Note: CDN and website security services are priced separately per domain. SCIM is exclusively available on Enterprise plans.
What this means in practice
Without transparent Enterprise pricing, teams face uncertainty when budgeting for SCIM access:
Known challenges
Upgrade impact estimate for Zero Trust Standard → Enterprise
| Team Size | Est. Annual Premium |
|---|---|
| 50 users | $10,000 - $25,000+ |
| 100 users | $20,000 - $50,000+ |
| 200 users | $40,000 - $100,000+ |
Additional constraints
Summary of challenges
- Cloudflare supports SCIM, but only at the Enterprise tier (custom pricing, includes SCIM)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Cloudflare doesn't sell SCIM separately. It's exclusively bundled with Enterprise plans that include extensive security and networking features:
The reality: if you're primarily using Cloudflare for CDN and basic security, roughly 80% of Enterprise features are overkill for teams that simply need user provisioning. You're paying enterprise rates for network infrastructure capabilities when you just want to sync users from your IdP.
The bigger limitation: SCIM only works with two identity providers (Okta and Microsoft Entra). Teams using Google Workspace, OneLogin, or other IdPs are locked out entirely, regardless of what they're willing to pay.
What IT admins are saying
Community sentiment on Cloudflare's SCIM implementation is mixed, with frustration centered on pricing barriers and IdP limitations. Common complaints:
- Being locked into Enterprise pricing just for basic user provisioning
- Limited to only Okta and Microsoft Entra ID (no Google Workspace support)
- Lack of nested group support for complex organizational structures
- SCIM Virtual Groups being discontinued in December 2025
"The Enterprise requirement is frustrating when you just need basic SCIM for a small security team. We're paying for features we don't use."
"Only supporting two IdPs in 2024 feels really limiting. We're stuck because we use Google Workspace."
The recurring theme
Essential security automation is gated behind enterprise pricing, while IdP support limitations force infrastructure decisions around Cloudflare's constraints rather than organizational needs.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise, need SCIM | Use Stitchflow: avoid the Enterprise upgrade costs |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Only using Okta or Entra ID | Native SCIM works: but watch for nested group limitations |
| Need Google Workspace or OneLogin support | Use Stitchflow: native SCIM only supports two IdPs |
| Complex group structures with nesting | Use Stitchflow: native doesn't support nested groups |
The bottom line
Cloudflare gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Cloudflare workflow gap
Cloudflare gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise only
- Only Okta and Microsoft Entra supported
- Nested groups not supported
- SCIM Virtual Groups end-of-life Dec 2025
- Super Administrator required for initial setup
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM provisioning for Cloudflare One (Access/Gateway). Supports user and group sync. Only Okta and Microsoft Entra ID are supported for SCIM.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Native SCIM integration for Microsoft Entra ID. Users are automatically deprovisioned when they are deactivated in the IdP.


