Summary and recommendation
Delinea Secret Server supports full SCIM 2.0 provisioning with PAM-specific extensions for privileged access management. However, SCIM functionality is restricted to Enterprise plans, which carry custom enterprise pricing with a median cost of $19,705/year according to Vendr data. For organizations on Standard plans seeking automated privileged user provisioning, upgrading to Enterprise represents a significant cost increase primarily driven by advanced PAM features they may not need.
The privileged access use case makes manual provisioning particularly problematic. Security teams need rapid provisioning and deprovisioning of privileged accounts to maintain zero-trust principles and comply with SOC 2 or similar frameworks. Manual processes create delays in granting just-in-time privileged access and increase the risk of orphaned privileged accounts—a critical security vulnerability that auditors flag immediately.
The strategic alternative
Delinea gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Delinea accounts manually. Here's what that costs:
The Delinea pricing problem
Delinea gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Essentials | Custom pricing | ||
| Standard | Custom pricing | ||
| Enterprise | $19,705/year median | Full SCIM 2.0 + PAM |
Note: Enterprise includes full SCIM 2.0 with PAM extensions for privileged account lifecycle management, plus SAML/OIDC SSO integration.
What this means in practice
Based on Vendr pricing data showing a median annual cost of $19,705 for Enterprise:
The price range of $3,226-$44,501/year suggests significant variation based on user count and deployment type (cloud vs. on-premise).
Additional constraints
Summary of challenges
- Delinea supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Delinea doesn't sell SCIM separately. It's bundled with Enterprise tier PAM features:
At $19,705/year median pricing, you're paying for a full PAM solution when you might only need identity automation. Delinea's SCIM is specifically designed for privileged access scenarios with PAM-specific extensions - if your team doesn't manage privileged accounts or secrets, roughly 80% of the Enterprise features are irrelevant for basic user provisioning needs.
What IT admins are saying
Community sentiment on Delinea's SCIM implementation is generally positive among PAM users, though the Enterprise pricing requirement creates barriers for smaller security teams.
- Enterprise tier requirement locks out teams who need basic PAM automation
- SCIM connector configuration requires technical expertise with HTTP header tokens
- Complex mapping requirements between IdP attributes and Delinea's PAM-specific fields
- Limited community documentation compared to mainstream SaaS apps
The SCIM setup works well once configured, but getting the attribute mapping right for privileged accounts took longer than expected.
Delinea's PAM extensions are powerful but the Enterprise requirement is steep for smaller teams just wanting basic user provisioning.
The recurring theme
While Delinea's SCIM works well for privileged access management, the Enterprise pricing gate and technical complexity create friction for teams seeking straightforward identity automation.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not ready for Enterprise pricing | Use Stitchflow: avoid the $19K+ tier requirement |
| Small security team managing privileged access | Use Stitchflow: get PAM provisioning without enterprise overhead |
| Already on Enterprise tier with SCIM | Use native SCIM: you're paying for PAM extensions |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes with advanced PAM capabilities |
| Managing <50 privileged users with low churn | Manual may work: but privileged accounts demand stricter lifecycle control |
The bottom line
Delinea's Enterprise-only SCIM requirement puts automated privileged user provisioning behind a significant price barrier. For security teams that need PAM automation without the enterprise tier commitment, Stitchflow delivers the same provisioning outcomes at a fraction of the cost.
Make Delinea workflows AI-native
Delinea gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM 2.0 PAM extensions for privileged access
- SCIM connector requires HTTP header token
- Duo SCIM provisioning also available
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Delinea Secret Server available in OIN. Supports Group Linking, Schema Discovery, Attribute Writeback. SCIM connector requires mapping Username/Last name to Display Name field.
Delinea gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM integration with Entra ID for on-prem Secret Server. Supports OIDC and SAML. Requires Global Administrative rights for Microsoft AD setup.
Delinea gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Delinea
Delinea gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
