Summary and recommendation
Cofense supports native SCIM 2.0 provisioning through its "Recipient Sync" feature, but only on Enterprise plans with custom pricing. This creates a significant barrier for security teams who need to deploy phishing awareness training across their entire organization but are stuck on lower-tier plans where manual user management becomes operationally expensive.
The challenge is particularly acute for security awareness training platforms like Cofense, where successful programs require enrolling all employees—not just a subset of power users. Manual provisioning means delayed training rollouts when employees join, potential security gaps when users aren't properly deprovisioned, and ongoing administrative overhead that scales poorly. For compliance-focused organizations, inconsistent user lifecycle management in security training platforms represents a measurable risk.
The strategic alternative
Cofense gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, AD/LDAP |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cofense accounts manually. Here's what that costs:
The Cofense pricing problem
Cofense gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | ~$10/user/year (estimated) | ||
| Enterprise | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Starter | ~$10/user/year (estimated) | ❌ |
| Enterprise | Custom pricing | ✓ |
Note: Cofense doesn't publish standard pricing. Enterprise pricing requires direct sales engagement for custom quotes.
What this means in practice
The lack of transparent pricing creates several challenges:
For security awareness training that typically needs organization-wide deployment, the Enterprise requirement means:
Additional constraints
Summary of challenges
- Cofense supports SCIM but only at Enterprise tier (Custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Cofense doesn't sell SCIM à la carte. It's bundled with their Enterprise security platform:
The challenge: Cofense pricing isn't publicly disclosed, requiring custom quotes that can drag procurement cycles. Many organizations find they need the full platform to justify the investment, not just the SCIM provisioning component.
Stitchflow Insight
If your organization needs comprehensive phishing defense and security training, the Enterprise upgrade delivers value. If you just want automated user provisioning for basic security awareness, you're paying for an extensive security platform you may not fully utilize. We estimate ~60% of Enterprise features focus on advanced threat detection and simulation rather than core identity management.
What IT admins are saying
Community sentiment on Cofense's SCIM implementation reveals frustration with enterprise gatekeeping and support dependencies. Common complaints:
- SCIM provisioning locked behind Enterprise tier with undisclosed pricing
- Must contact support for SSO setup instead of self-service configuration
- Limited transparency on pricing forces lengthy sales conversations
- Security training platforms shouldn't require enterprise contracts for basic automation
The recurring theme
Cofense treats SCIM as an enterprise-only feature, forcing IT teams through custom pricing negotiations and support tickets for what should be standard identity automation in security awareness platforms.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise tier, need SCIM | Use Stitchflow: avoid the custom enterprise pricing jump |
| Security team wants automated user sync for training campaigns | Use Stitchflow: get provisioning without enterprise procurement |
| Already on Enterprise with SCIM access | Use native SCIM: you're paying for the feature |
| Need Enterprise security features beyond SCIM | Evaluate Enterprise: SCIM comes bundled with advanced features |
| Small organization with minimal user changes | Manual may work: but consider gaps in training coverage |
The bottom line
Cofense requires Enterprise tier for SCIM provisioning, which means custom pricing negotiations and lengthy procurement cycles. For security teams that need automated user sync for phishing training without the enterprise upgrade, Stitchflow delivers managed provisioning at transparent flat-rate pricing.
Make Cofense workflows AI-native
Cofense gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM requires Enterprise tier
- SSO may require contacting Cofense support for setup
- AD/LDAP for on-premise deployments only
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM provisioning via Cofense Recipient Sync. Supports user create, update, and deactivate.
Cofense gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Native SCIM provisioning tutorial available for Microsoft Entra ID.
Cofense gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Cofense
Cofense gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
