Summary and recommendation
Docebo, the enterprise learning management system, does not support native SCIM provisioning on any plan. While Docebo offers SAML 2.0 SSO with Just-in-Time (JIT) provisioning for user creation, this approach has significant limitations for IT teams managing organizational learning programs. Most notably, the Direct Manager field—critical for manager-driven learning workflows and organizational hierarchy visibility—cannot be provisioned through any automated method. Additionally, third-party solutions like the Aquera connector for Okta or Docebo Connect for Entra ID may involve additional licensing costs and still don't address core field mapping limitations.
For organizations investing $25,000+ annually in Docebo (typical minimum enterprise contract), the inability to maintain accurate manager hierarchies creates operational friction. L&D teams lose visibility into reporting structures, automated course assignments by department become unreliable, and HR data synchronization requires manual intervention. With Docebo's pricing averaging $84-120 per user annually, these manual processes compound the total cost of ownership significantly.
The strategic alternative
Docebo gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OpenID Connect, ADFS 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Docebo accounts manually. Here's what that costs:
The Docebo pricing problem
Docebo gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Okta | Aquera connector (3rd party) | Enterprise plan, API keys | |
| Entra ID | Docebo Connect recipes | Account manager activation, potential costs | |
| Other IdPs | SAML JIT only | Manual fallback required |
Provisioning options by IdP
| IdP | Method | Reliability | Requirements |
|---|---|---|---|
| Okta | Aquera connector (3rd party) | Unknown | Enterprise plan, API keys |
| Entra ID | Docebo Connect recipes | Proprietary | Account manager activation, potential costs |
| Other IdPs | SAML JIT only | Limited | Manual fallback required |
Base pricing: Enterprise plans start around $25,000/year (~$7-10/user/month), with multi-year commitments required for cost reduction.
What this means in practice
For Okta users: You're dependent on Aquera's third-party connector, which adds another vendor relationship and potential failure point. The connector supports basic CRUD operations but introduces API key management overhead.
For Entra ID users: Docebo Connect recipes provide some automation, but require account manager involvement to activate and may carry additional costs beyond your base Enterprise subscription.
For everyone: Critical organizational data like manager hierarchies cannot be provisioned - the Direct Manager field simply isn't supported, forcing manual updates or leaving organizational structure incomplete in Docebo.
Additional constraints
Summary of challenges
- Docebo supports SCIM but only at Enterprise tier (Custom (based on users))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Docebo actually offers for identity
SAML SSO with JIT Provisioning
Docebo provides SAML 2.0 integration with just-in-time user creation:
| Feature | Details |
|---|---|
| Protocol | SAML 2.0, OpenID Connect, ADFS 2.0 |
| JIT Provisioning | ✓ Creates users on first login |
| Supported IdPs | Okta, Entra ID, OneLogin, PingIdentity, Salesforce, ADFS |
| Field Locking | ✓ Can prevent users from editing provisioned attributes |
| SP/IdP Initiated | Both supported |
Critical limitation: The Direct Manager field cannot be provisioned through any method. This is a documented restriction that breaks manager hierarchy synchronization.
Third-Party Provisioning Options
Since Docebo doesn't offer native SCIM, two vendor-specific solutions exist:
| Provider | Method | Notes |
|---|---|---|
| Okta | Aquera connector (OIN) | Third-party API connector, requires Enterprise tier |
| Microsoft | Docebo Connect | Proprietary integration, contact account manager to activate |
Why these fall short: Both solutions are vendor-specific workarounds that still can't provision the Direct Manager field. The Aquera connector adds another vendor relationship, while Docebo Connect may have additional licensing costs and limited IdP support.
What's Missing
For learning management systems, manager hierarchy is often critical for course assignments and reporting structures. Docebo's inability to sync this data creates ongoing manual overhead for L&D teams.
What IT admins are saying
Docebo's lack of SCIM provisioning creates manual overhead for IT teams managing learning environments:
- Direct Manager field cannot be provisioned, breaking organizational hierarchy sync
- No automated user lifecycle management - manual account creation required
- SCIM protocol not documented or available despite enterprise pricing
- Reliance on JIT provisioning means users must attempt login before accounts exist
Direct Manager field not provisionable
User accounts must be created manually or through JIT provisioning only
The recurring theme
At $25,000+ annual minimums, Docebo forces IT teams into manual provisioning workflows while competitors offer full SCIM automation. The missing Direct Manager sync is particularly problematic for L&D teams tracking reporting structures.
The decision
| Your Situation | Recommendation |
|---|---|
| Small L&D team (<20 learners) | Manual management with JIT provisioning via SAML |
| Stable workforce with low turnover | JIT provisioning acceptable, but consider automation for growth |
| Enterprise with complex org hierarchy | Use Stitchflow: Direct Manager sync essential for proper reporting |
| Multi-division learning programs | Use Stitchflow: automation essential for department-based course enrollment |
| Compliance-heavy industries | Use Stitchflow: audit trail and automated deprovisioning required |
The bottom line
Docebo offers JIT provisioning via SAML, but lacks SCIM support and can't sync critical fields like Direct Manager—a major limitation for enterprise learning programs that depend on organizational hierarchy. For companies that need proper manager relationships and automated provisioning workflows, Stitchflow delivers the automation Docebo can't provide natively.
Make Docebo workflows AI-native
Docebo gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM not documented
- Direct Manager cannot be provisioned (relational field)
- JIT provisioning available for user creation
- Migrating to new SAML interface in Jan 2026
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Provisioning available via Aquera connector (third-party). Supports user create, update, deactivate, and delete. SSO via SAML.
Docebo gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
User provisioning via Docebo Connect recipes. Triggered by user create/update in Entra ID. Contact account manager to activate. May have associated costs.
Docebo gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Docebo
Docebo gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
