Summary and recommendation
CyberArk Identity supports SCIM 2.0 for both inbound provisioning (receiving users from Azure AD/Entra ID) and outbound provisioning (sending users to downstream applications). However, SCIM functionality is limited to Enterprise pricing, which starts at custom enterprise rates with a median annual cost of $19,705 according to Vendr data. The platform restricts SCIM provisioning to SAML-enabled applications only and requires role-based filtering, creating configuration complexity for multi-app provisioning scenarios.
This limitation means IT teams managing CyberArk Identity deployments face a significant cost barrier to automate user lifecycle management. While CyberArk excels as a privileged access management platform, the enterprise-only SCIM requirement forces organizations to either accept manual user provisioning workflows or commit to substantial licensing costs that may exceed their identity management budget—especially problematic given CyberArk's positioning as a premium PAM solution rather than a general-purpose identity provider.
The strategic alternative
CyberArk gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages CyberArk accounts manually. Here's what that costs:
The CyberArk pricing problem
CyberArk gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard Editions | $2-5/user/mo | ||
| Enterprise | Custom pricing |
Note: CyberArk offers 5 workforce identity editions at $2-5/user/month, but SCIM provisioning is restricted to Enterprise customers only. Median annual spend is $19,705 based on Vendr data.
What this means in practice
Based on reported pricing ranges ($3,226-$44,501 annually):
| Scenario | Estimated Annual Cost | SCIM Access |
|---|---|---|
| Small deployment | $3,226-$10,000 | Likely requires Enterprise upgrade |
| Mid-market | $10,000-$25,000 | Enterprise negotiation required |
| Large enterprise | $25,000-$44,501 | Full SCIM included |
CyberArk's custom pricing model makes it difficult to predict exact upgrade costs, but most organizations need to move from standard workforce identity licensing to full Enterprise to unlock SCIM.
Additional constraints
Summary of challenges
- CyberArk supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
CyberArk Identity doesn't sell SCIM à la carte. It's part of their enterprise identity platform that includes:
Stitchflow Insight
CyberArk positions itself as a comprehensive PAM and identity solution, not just a user provisioning tool. If you need privileged access controls and enterprise identity governance, the platform delivers significant value. However, if you simply want SCIM provisioning without the privileged access overhead, you're paying enterprise PAM prices (median $19,705/year) for basic user lifecycle automation. We estimate ~80% of CyberArk's feature set is irrelevant for teams that only need streamlined SCIM provisioning to business applications.
What IT admins are saying
Community sentiment on CyberArk's SCIM implementation reveals mixed experiences with complexity being the primary concern. Common complaints:
- Complex multi-app provisioning configuration requiring specialized expertise
- SCIM limited to SAML-enabled applications only
- Enterprise-tier pricing barriers for smaller organizations
- Professional services often required for proper setup and configuration
Complex configuration for multi-app provisioning
The role-based filtering sounds good in theory but becomes a nightmare when you're trying to manage access across 20+ applications
The recurring theme
CyberArk's SCIM works well once configured, but the setup complexity and enterprise pricing create significant barriers for teams without dedicated PAM expertise.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't want enterprise PAM costs | Use Stitchflow: avoid the $19K+ annual CyberArk commitment |
| Already using CyberArk Identity for PAM | Use native SCIM: you're paying enterprise rates already |
| Simple identity needs, don't need privileged access features | Use Stitchflow: CyberArk is overkill for basic provisioning |
| Need to provision FROM another IdP to CyberArk | Evaluate both: CyberArk has good inbound SCIM from Entra/Okta |
| Complex multi-app provisioning requirements | Consider Stitchflow: simpler than CyberArk's role-based filtering setup |
The bottom line
CyberArk Identity is a premium PAM solution with enterprise pricing that happens to include SCIM provisioning. Unless you need privileged access management features, you're paying significantly more than necessary for basic user provisioning automation.
Make CyberArk workflows AI-native
CyberArk gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM for SAML-enabled apps only
- Role-based filtering for provisioning
- Incremental sync with optional daily full sync
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
CyberArk SCIM Server available in OIN. Supports Group Linking, Schema Discovery, and Attribute Writeback. Can provision Okta users to CyberArk Cloud Directory.
CyberArk gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support for provisioning Entra ID users to CyberArk Cloud Directory. Supports RBAC through Entra group access. B2B collaboration supported.
CyberArk gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
CyberArk
CyberArk gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
