Summary and recommendation
Cofense supports native SCIM 2.0 provisioning through its "Recipient Sync" feature, but only on Enterprise plans with custom pricing. This creates a significant barrier for security teams who need to deploy phishing awareness training across their entire organization but are stuck on lower-tier plans where manual user management becomes operationally expensive.
The challenge is particularly acute for security awareness training platforms like Cofense, where successful programs require enrolling all employees—not just a subset of power users. Manual provisioning means delayed training rollouts when employees join, potential security gaps when users aren't properly deprovisioned, and ongoing administrative overhead that scales poorly. For compliance-focused organizations, inconsistent user lifecycle management in security training platforms represents a measurable risk.
The strategic alternative
Cofense gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, AD/LDAP |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cofense accounts manually. Here's what that costs:
The Cofense pricing problem
Cofense gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | ~$10/user/year (estimated) | ||
| Enterprise | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Starter | ~$10/user/year (estimated) | ❌ |
| Enterprise | Custom pricing | ✓ |
Note: Cofense doesn't publish standard pricing. Enterprise pricing requires direct sales engagement for custom quotes.
What this means in practice
The lack of transparent pricing creates several challenges:
For security awareness training that typically needs organization-wide deployment, the Enterprise requirement means:
Additional constraints
Summary of challenges
- Cofense supports SCIM but only at Enterprise tier (Custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Cofense doesn't sell SCIM à la carte. It's bundled with their Enterprise security platform:
The challenge: Cofense pricing isn't publicly disclosed, requiring custom quotes that can drag procurement cycles. Many organizations find they need the full platform to justify the investment, not just the SCIM provisioning component.
Stitchflow Insight
If your organization needs comprehensive phishing defense and security training, the Enterprise upgrade delivers value. If you just want automated user provisioning for basic security awareness, you're paying for an extensive security platform you may not fully utilize. We estimate ~60% of Enterprise features focus on advanced threat detection and simulation rather than core identity management.
What IT admins are saying
Community sentiment on Cofense's SCIM implementation reveals frustration with enterprise gatekeeping and support dependencies. Common complaints:
- SCIM provisioning locked behind Enterprise tier with undisclosed pricing
- Must contact support for SSO setup instead of self-service configuration
- Limited transparency on pricing forces lengthy sales conversations
- Security training platforms shouldn't require enterprise contracts for basic automation
The recurring theme
Cofense treats SCIM as an enterprise-only feature, forcing IT teams through custom pricing negotiations and support tickets for what should be standard identity automation in security awareness platforms.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise tier, need SCIM | Use Stitchflow: avoid the custom enterprise pricing jump |
| Security team wants automated user sync for training campaigns | Use Stitchflow: get provisioning without enterprise procurement |
| Already on Enterprise with SCIM access | Use native SCIM: you're paying for the feature |
| Need Enterprise security features beyond SCIM | Evaluate Enterprise: SCIM comes bundled with advanced features |
| Small organization with minimal user changes | Manual may work: but consider gaps in training coverage |
The bottom line
Cofense gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Cofense workflow gap
Cofense gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM requires Enterprise tier
- SSO may require contacting Cofense support for setup
- AD/LDAP for on-premise deployments only
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM provisioning via Cofense Recipient Sync. Supports user create, update, and deactivate.
Cofense gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Native SCIM provisioning tutorial available for Microsoft Entra ID.
Cofense gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Cofense
Cofense gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
