Summary and recommendation
CyberArk Identity supports SCIM 2.0 for both inbound provisioning (receiving users from Azure AD/Entra ID) and outbound provisioning (sending users to downstream applications). However, SCIM functionality is limited to Enterprise pricing, which starts at custom enterprise rates with a median annual cost of $19,705 according to Vendr data. The platform restricts SCIM provisioning to SAML-enabled applications only and requires role-based filtering, creating configuration complexity for multi-app provisioning scenarios.
This limitation means IT teams managing CyberArk Identity deployments face a significant cost barrier to automate user lifecycle management. While CyberArk excels as a privileged access management platform, the enterprise-only SCIM requirement forces organizations to either accept manual user provisioning workflows or commit to substantial licensing costs that may exceed their identity management budget—especially problematic given CyberArk's positioning as a premium PAM solution rather than a general-purpose identity provider.
The strategic alternative
CyberArk gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages CyberArk accounts manually. Here's what that costs:
The CyberArk pricing problem
CyberArk gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard Editions | $2-5/user/mo | | |
| Enterprise | Custom pricing | | |
Note: CyberArk offers 5 workforce identity editions at $2-5/user/month, but SCIM provisioning is restricted to Enterprise customers only. Median annual spend is $19,705 based on Vendr data.
What this means in practice
Based on reported pricing ranges ($3,226-$44,501 annually):
| Scenario | Estimated Annual Cost | SCIM Access |
|---|---|---|
| Small deployment | $3,226-$10,000 | Likely requires Enterprise upgrade |
| Mid-market | $10,000-$25,000 | Enterprise negotiation required |
| Large enterprise | $25,000-$44,501 | Full SCIM included |
CyberArk's custom pricing model makes it difficult to predict exact upgrade costs, but most organizations need to move from standard workforce identity licensing to full Enterprise to unlock SCIM.
Additional constraints
Summary of challenges
- CyberArk supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams that provision this app manually incur significant hidden costs annually
What the upgrade actually includes
CyberArk Identity doesn't sell SCIM à la carte. It's part of their enterprise identity platform that includes:
Stitchflow Insight
CyberArk positions itself as a comprehensive PAM and identity solution, not just a user provisioning tool. If you need privileged access controls and enterprise identity governance, the platform delivers significant value. However, if you simply want SCIM provisioning without the privileged access overhead, you're paying enterprise PAM prices (median $19,705/year) for basic user lifecycle automation. We estimate ~80% of CyberArk's feature set is irrelevant for teams that only need streamlined SCIM provisioning to business applications.
What IT admins are saying
Community sentiment on CyberArk's SCIM implementation reveals mixed experiences with complexity being the primary concern. Common complaints:
- Complex multi-app provisioning configuration requiring specialized expertise
- SCIM limited to SAML-enabled applications only
- Enterprise-tier pricing barriers for smaller organizations
- Professional services often required for proper setup and configuration
Complex configuration for multi-app provisioning
The role-based filtering sounds good in theory but becomes a nightmare when you're trying to manage access across 20+ applications
The recurring theme
CyberArk's SCIM works well once configured, but the setup complexity and enterprise pricing create significant barriers for teams without dedicated PAM expertise.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't want enterprise PAM costs | Use Stitchflow: avoid the $19K+ annual CyberArk commitment |
| Already using CyberArk Identity for PAM | Use native SCIM: you're paying enterprise rates already |
| Simple identity needs, don't need privileged access features | Use Stitchflow: CyberArk is overkill for basic provisioning |
| Need to provision FROM another IdP to CyberArk | Evaluate both: CyberArk has good inbound SCIM from Entra/Okta |
| Complex multi-app provisioning requirements | Consider Stitchflow: simpler than CyberArk's role-based filtering setup |
The bottom line
CyberArk gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the CyberArk workflow gap
CyberArk gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM for SAML-enabled apps only
- Role-based filtering for provisioning
- Incremental sync with optional daily full sync
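What a full-sync reconciliation over the operations listed above looks like at the SCIM 2.0 protocol level, as an added example (not CyberArk or Stitchflow code): it compares a SCIM ListResponse with the users the IdP currently assigns and builds the RFC 7644 PatchOp that deactivates any account still active without an assignment. The user names, ids and the assigned set are constructed sample data, and sending the deactivation as a PATCH on `active` is an assumption based on the SCIM standard, not on CyberArk documentation.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: a SCIM 2.0 ListResponse as a GET /Users would return it.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"id": "a1", "userName": "alice@example.com", "active": True},
        {"id": "b2", "userName": "bob@example.com", "active": True},
        {"id": "c3", "userName": "carol@example.com", "active": False},
    ],
})

# Constructed sample: users the IdP currently assigns to the app.
ASSIGNED = {"alice@example.com", "dave@example.com"}


def deactivate_op():
    """RFC 7644 PatchOp body that sets a user's 'active' attribute to false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def reconcile(list_response_json, assigned):
    """Compare target accounts with IdP assignments; return the drift."""
    doc = json.loads(list_response_json)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", 0) > len(resources):
        raise ValueError("paged response: fetch remaining pages first")
    assigned_lc = {u.lower() for u in assigned}
    seen, to_deactivate = set(), []
    for res in resources:
        name = res["userName"].lower()  # userName is case-insensitive in SCIM
        seen.add(name)
        # Active in the target but no longer assigned: an offboarding gap.
        if res.get("active", True) and name not in assigned_lc:
            to_deactivate.append(("PATCH", "/Users/" + res["id"], deactivate_op()))
    missing = sorted(assigned_lc - seen)  # assigned but never provisioned
    return to_deactivate, missing


if __name__ == "__main__":
    for request in reconcile(SAMPLE_LIST_RESPONSE, ASSIGNED)[0]:
        print(request)
```
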
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
CyberArk SCIM Server available in OIN. Supports Group Linking, Schema Discovery, and Attribute Writeback. Can provision Okta users to CyberArk Cloud Directory.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support for provisioning Entra ID users to CyberArk Cloud Directory. Supports RBAC through Entra group access. B2B collaboration supported.
Close the workflow gap in CyberArk
CyberArk gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.


