Summary and recommendation
Contentful supports SCIM 2.0 for automated user provisioning, but only on Premium or Enterprise plans with High Availability/Scale add-ons. This means you're looking at $60,000-$140,000+ annually just to unlock SCIM functionality. The implementation also has a critical operational risk: SCIM authorization is tied to a specific admin user account, so if that admin leaves the organization, your IdP loses provisioning access entirely.
For content teams managing multiple spaces with different access requirements, manual user provisioning creates significant delays. New developers and content editors can't access the spaces they need for days, while IT teams struggle to maintain proper team assignments across complex content workflows. SSO with JIT provisioning helps with authentication but doesn't solve the core problem of getting users into the right teams and spaces from day one.
The strategic alternative
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale). Skip the Premium/Enterprise (High Availability/Scale) plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Contentful accounts manually. Here's what that costs:
The Contentful pricing problem
Contentful gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0/month | ||
| Lite | $300/month | ||
| Premium (HA/Scale) | ~$37,620/year+ | ||
| Enterprise (HA/Scale) | ~$86,240/year+ |
Note: SCIM requires Premium or Enterprise plans specifically on High Availability or Scale infrastructure tiers. Base Premium plans without HA/Scale do not include SCIM functionality.
What this means in practice
The jump from Lite to Premium with HA/Scale represents a significant cost increase:
| Current Plan | Upgrade Cost | Annual Impact |
|---|---|---|
| Free → Premium HA | $37,620+ | $37,620+ |
| Lite → Premium HA | $34,020+ | $34,020+ |
| Premium Base → Premium HA | Variable | $10,000-20,000+ |
These are starting prices before space add-ons (Medium spaces ~$8,000, Large ~$19,000, XL ~$35,000) and user overages.
Additional constraints
Summary of challenges
- Contentful supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Contentful doesn't sell SCIM separately. It's bundled with Premium/Enterprise features on High Availability or Scale infrastructure plans:
The catch: you need both Premium/Enterprise AND the HA/Scale infrastructure add-on, which significantly increases costs. Plus, there's the administrative burden of managing a Service User account with Owner role for SCIM—if that admin leaves, your IdP loses authorization until you create a new one.
Stitchflow Insight
If you just need automated user provisioning for your content teams, you're paying for enterprise CMS features and premium infrastructure that most organizations don't need. We estimate ~60% of Premium/Enterprise features are irrelevant for teams that only want streamlined user onboarding to Contentful spaces.
What IT admins are saying
Community sentiment on Contentful's SCIM requirements is mixed, with most frustration centered on the high barrier to entry and admin management complexity.
- Premium/Enterprise with HA/Scale plan requirement creates a steep cost jump for basic provisioning
- SCIM authorization tied to individual admin accounts creates operational risk
- Complex plan structure makes it unclear when SCIM is actually available
- Admin departure can break entire provisioning integration
If the admin user who set up SCIM leaves the organization, the IdP loses its authorization to manage users. You'll need to reconfigure everything with a new admin.
The recurring theme
Contentful gates essential identity automation behind expensive enterprise tiers and creates single points of failure through admin-dependent authorization.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Premium/Enterprise HA/Scale plans | Use Stitchflow: avoid the $37K-86K+ annual commitment for SCIM access |
| On qualifying plan, but SCIM admin left | Use Stitchflow: eliminate the single point of failure risk |
| Already on Premium/Enterprise HA/Scale | Use native SCIM: you're paying for it already |
| Need Enterprise features beyond SCIM | Evaluate Premium/Enterprise: SCIM comes bundled with the plan |
| Small content team, rare role changes | Manual may work: but monitor for content access gaps |
The bottom line
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Contentful workflows AI-native
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale). We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Premium/Enterprise on HA/Scale plans required
- Create admin user with Organization Owner role for SCIM setup
- If SCIM admin leaves, IdP loses authorization
- May have overage charges above user allowance
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM provisioning enables auto-provisioning of users to Contentful org. Groups can be pushed to Contentful as teams. Requires Service User with Owner role for SCIM setup.
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM provisioning supported. Requires Service User account in Contentful with Owner role. Configure SCIM URL and secret token in Entra admin center.
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Contentful
Contentful gates SCIM behind Premium/Enterprise (High Availability/Scale) plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
