Summary and recommendation
Docebo, the enterprise learning management system, does not support native SCIM provisioning on any plan. While Docebo offers SAML 2.0 SSO with Just-in-Time (JIT) provisioning for user creation, this approach has significant limitations for IT teams managing organizational learning programs. Most notably, the Direct Manager field—critical for manager-driven learning workflows and organizational hierarchy visibility—cannot be provisioned through any automated method. Additionally, third-party solutions like the Aquera connector for Okta or Docebo Connect for Entra ID may involve additional licensing costs and still don't address core field mapping limitations.
For organizations investing $25,000+ annually in Docebo (typical minimum enterprise contract), the inability to maintain accurate manager hierarchies creates operational friction. L&D teams lose visibility into reporting structures, automated course assignments by department become unreliable, and HR data synchronization requires manual intervention. With Docebo's pricing averaging $84-120 per user annually, these manual processes compound the total cost of ownership significantly.
The strategic alternative
Docebo gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Fact | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OpenID Connect, ADFS 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Docebo accounts manually. Here's what that costs:
The Docebo pricing problem
Docebo gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Provisioning options by IdP
| IdP | Method | Reliability | Requirements |
|---|---|---|---|
| Okta | Aquera connector (3rd party) | Unknown | Enterprise plan, API keys |
| Entra ID | Docebo Connect recipes | Proprietary | Account manager activation, potential costs |
| Other IdPs | SAML JIT only | Limited | Manual fallback required |
Base pricing: Enterprise plans start around $25,000/year (~$7-10/user/month), with multi-year commitments required for cost reduction.
What this means in practice
For Okta users: You're dependent on Aquera's third-party connector, which adds another vendor relationship and potential failure point. The connector supports basic CRUD operations but introduces API key management overhead.
For Entra ID users: Docebo Connect recipes provide some automation, but require account manager involvement to activate and may carry additional costs beyond your base Enterprise subscription.
For everyone: Critical organizational data like manager hierarchies cannot be provisioned - the Direct Manager field simply isn't supported, forcing manual updates or leaving organizational structure incomplete in Docebo.
Additional constraints
Summary of challenges
- Docebo supports SCIM, but only at the Enterprise tier (custom pricing based on users)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What Docebo actually offers for identity
SAML SSO with JIT Provisioning
Docebo provides SAML 2.0 integration with just-in-time user creation:
| Feature | Details |
|---|---|
| Protocol | SAML 2.0, OpenID Connect, ADFS 2.0 |
| JIT Provisioning | ✓ Creates users on first login |
| Supported IdPs | Okta, Entra ID, OneLogin, PingIdentity, Salesforce, ADFS |
| Field Locking | ✓ Can prevent users from editing provisioned attributes |
| SP/IdP Initiated | Both supported |
Critical limitation: The Direct Manager field cannot be provisioned through any method. This is a documented restriction that breaks manager hierarchy synchronization.
Third-Party Provisioning Options
Since Docebo doesn't offer native SCIM, two vendor-specific solutions exist:
| Provider | Method | Notes |
|---|---|---|
| Okta | Aquera connector (OIN) | Third-party API connector, requires Enterprise tier |
| Microsoft | Docebo Connect | Proprietary integration, contact account manager to activate |
Why these fall short: Both solutions are vendor-specific workarounds that still can't provision the Direct Manager field. The Aquera connector adds another vendor relationship, while Docebo Connect may have additional licensing costs and limited IdP support.
What's Missing
For learning management systems, manager hierarchy is often critical for course assignments and reporting structures. Docebo's inability to sync this data creates ongoing manual overhead for L&D teams.
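With JIT-only account creation and no automated Direct Manager sync, a periodic reconciliation of the HR roster against an LMS user export is one way to surface accounts that outlived their owner and manager fields that have drifted. The following is an added example, not Docebo or Stitchflow code; the CSV column names (`status`, `manager_email`, `active`, `direct_manager`) and all sample rows are constructed assumptions, not a documented export format.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a Docebo export format.
HR_ROSTER = """email,status,manager_email
ana@example.com,active,lee@example.com
bo@example.com,terminated,lee@example.com
cy@example.com,active,ana@example.com
eve@example.com,active,ana@example.com
lee@example.com,active,
"""

LMS_EXPORT = """email,active,direct_manager
ana@example.com,true,lee@example.com
bo@example.com,true,lee@example.com
cy@example.com,true,
dee@example.com,true,
lee@example.com,true,
"""

def _load(text, key="email"):
    """Index CSV rows by normalized e-mail address."""
    return {r[key].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(hr_csv, lms_csv):
    """Compare the HR source of truth with the LMS export and return findings."""
    hr, lms = _load(hr_csv), _load(lms_csv)
    findings = {"stale_active": [], "unknown_account": [],
                "manager_drift": [], "not_yet_created": []}
    for email, acct in sorted(lms.items()):
        if acct["active"].strip().lower() != "true":
            continue  # already deactivated in the LMS
        person = hr.get(email)
        if person is None:
            findings["unknown_account"].append(email)  # no HR record at all
        elif person["status"].strip().lower() != "active":
            findings["stale_active"].append(email)  # offboarding gap
        else:
            want = person["manager_email"].strip().lower()
            have = acct["direct_manager"].strip().lower()
            if want != have:
                findings["manager_drift"].append((email, have, want))
    for email, person in sorted(hr.items()):
        if person["status"].strip().lower() == "active" and email not in lms:
            findings["not_yet_created"].append(email)  # JIT: never logged in
    return findings

if __name__ == "__main__":
    print(reconcile(HR_ROSTER, LMS_EXPORT))
```

The `stale_active` and `unknown_account` lists are the ones to review first, since they represent access that no provisioning flow will remove on its own.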
What IT admins are saying
Docebo's lack of SCIM provisioning creates manual overhead for IT teams managing learning environments:
- Direct Manager field cannot be provisioned, breaking organizational hierarchy sync
- No automated user lifecycle management - manual account creation required
- SCIM protocol not documented or available despite enterprise pricing
- Reliance on JIT provisioning means users must attempt login before accounts exist
Direct Manager field not provisionable
User accounts must be created manually or through JIT provisioning only
The recurring theme
At $25,000+ annual minimums, Docebo forces IT teams into manual provisioning workflows while competitors offer full SCIM automation. The missing Direct Manager sync is particularly problematic for L&D teams tracking reporting structures.
The decision
| Your Situation | Recommendation |
|---|---|
| Small L&D team (<20 learners) | Manual management with JIT provisioning via SAML |
| Stable workforce with low turnover | JIT provisioning acceptable, but consider automation for growth |
| Enterprise with complex org hierarchy | Use Stitchflow: Direct Manager sync essential for proper reporting |
| Multi-division learning programs | Use Stitchflow: automation essential for department-based course enrollment |
| Compliance-heavy industries | Use Stitchflow: audit trail and automated deprovisioning required |
The bottom line
Docebo gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Docebo workflow gap
Docebo gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM not documented
- Direct Manager cannot be provisioned (relational field)
- JIT provisioning available for user creation
- Migrating to new SAML interface in Jan 2026
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Provisioning available via Aquera connector (third-party). Supports user create, update, deactivate, and delete. SSO via SAML.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
User provisioning via Docebo Connect recipes. Triggered by user create/update in Entra ID. Contact account manager to activate. May have associated costs.
Close the workflow gap in Docebo
Docebo gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.


