Summary and recommendation
Docker supports SCIM 2.0 provisioning, but only on Business plans at $24/user/month with a 25-seat minimum ($600/month minimum). More importantly, SCIM requires enabling SSO first—you can't provision users without the SAML prerequisite. This creates an awkward two-step deployment where IT teams must configure SSO, then separately enable SCIM provisioning.
For development teams, this SSO-first requirement creates operational friction. Developers need immediate access to container registries and build pipelines when they join, but the multi-step setup process can delay onboarding. The Business plan requirement also forces smaller teams into enterprise pricing just to automate what should be basic user lifecycle management. When developers leave, manual deprovisioning becomes a security risk—former employees retaining access to private container registries poses real threats to your software supply chain.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Docker without the SSO prerequisite or Business plan requirement. Works with any Docker plan and any IdP. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Docker accounts manually. Here's what that costs:
The Docker pricing problem
Docker gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $9/user/mo | ||
| Team | $15/user/mo | ||
| Business | $24/user/mo |
Note: SCIM requires SSO to be enabled first. Business includes 1 million Docker Hub pulls/month, 1,500 Build Cloud minutes, unlimited Scout repos, and 1,500 Testcontainers Cloud minutes.
What this means in practice
Using current list prices (upgrading from Team to Business for SCIM):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 users | +$2,700/year |
| 50 users | +$5,400/year |
| 100 users | +$10,800/year |
| 200 users | +$21,600/year |
Calculation: ($24 - $15) × users × 12 months
Additional constraints
Summary of challenges
- Docker supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Docker doesn't sell SCIM à la carte. It's bundled with Business plan features at $24/user/month:
The catch: you must enable SSO first, then configure SCIM. This two-step process adds complexity most teams don't want.
Stitchflow Insight
If you just need automated Docker provisioning for your development team, you're paying for Build Cloud minutes and Testcontainers you may never use. We estimate ~60% of Business plan features are irrelevant for teams that only need user lifecycle automation for container registry access.
What IT admins are saying
Community sentiment on Docker's SCIM requirements centers around the mandatory SSO prerequisite and pricing barriers. Common complaints:
- Must enable SAML SSO before SCIM can be configured
- Business plan requirement locks out smaller development teams
- Complex team/organization mapping for multi-project environments
- $24/user/month feels steep for container registry access
You have to set up SSO first before you can even think about SCIM - it's an extra hoop that other tools don't require.
The Business plan pricing is tough to justify for a 10-person dev team when we really just need automated user provisioning for our container workflows.
The recurring theme
Docker forces a specific implementation order (SSO-first) and pricing tier that creates unnecessary barriers for teams who just want automated user lifecycle management for their development workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro/Team plans, need SCIM | Use Stitchflow: avoid the $15-18/user/month tier jump to Business |
| Already on Business with SSO configured | Use native SCIM: you're paying for it and prerequisites are met |
| Business plan but SSO not enabled | Use Stitchflow: skip the SSO prerequisite complexity |
| Complex team/org structure mapping needs | Use Stitchflow: simpler group management without Docker's team constraints |
| Small dev team, infrequent changes | Manual may work: but container registry security risks grow with scale |
The bottom line
Docker requires both Business tier ($24/user/month) and SSO configuration before SCIM works, creating a steep entry barrier for teams on lower plans. For development teams that need provisioning automation without the tier upgrade and SSO complexity, Stitchflow delivers Docker provisioning at under $5K/year flat rate.
Automate Docker without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Docker at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- SSO must be enabled before SCIM
- Group provisioning has team mapping requirements
- Seat-based licensing affects provisioning
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM 2.0 provisioning supported. Can optionally map dockerRole, dockerOrg, or dockerTeam attributes. SSO must be enabled before SCIM.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support. Configure in Azure Portal > Enterprise Applications > Provisioning. Supports user and group provisioning. Can use SCIM alongside JIT or on its own.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Docker
Docker gates automation behind Business plan. Stitchflow delivers the same SCIM outcomes for a flat fee, saving you 167%.
See how it works
