Summary and recommendation
Docker supports SCIM 2.0 provisioning, but only on Business plans at $24/user/month with a 25-seat minimum ($600/month minimum). More importantly, SCIM requires enabling SSO first—you can't provision users without the SAML prerequisite. This creates an awkward two-step deployment where IT teams must configure SSO, then separately enable SCIM provisioning.
For development teams, this SSO-first requirement creates operational friction. Developers need immediate access to container registries and build pipelines when they join, but the multi-step setup process can delay onboarding. The Business plan requirement also forces smaller teams into enterprise pricing just to automate what should be basic user lifecycle management. When developers leave, manual deprovisioning becomes a security risk—former employees retaining access to private container registries poses real threats to your software supply chain.
The strategic alternative
Docker gates SCIM behind Business. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Docker accounts manually. Here's what that costs:
The Docker pricing problem
Docker gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $9/user/mo | ||
| Team | $15/user/mo | ||
| Business | $24/user/mo |
Note: SCIM requires SSO to be enabled first. Business includes 1 million Docker Hub pulls/month, 1,500 Build Cloud minutes, unlimited Scout repos, and 1,500 Testcontainers Cloud minutes.
What this means in practice
Using current list prices (upgrading from Team to Business for SCIM):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 users | +$2,700/year |
| 50 users | +$5,400/year |
| 100 users | +$10,800/year |
| 200 users | +$21,600/year |
Calculation: ($24 - $15) × users × 12 months
Additional constraints
Summary of challenges
- Docker supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Docker doesn't sell SCIM à la carte. It's bundled with Business plan features at $24/user/month:
The catch: you must enable SSO first, then configure SCIM. This two-step process adds complexity most teams don't want.
Stitchflow Insight
If you just need automated Docker provisioning for your development team, you're paying for Build Cloud minutes and Testcontainers you may never use. We estimate ~60% of Business plan features are irrelevant for teams that only need user lifecycle automation for container registry access.
What IT admins are saying
Community sentiment on Docker's SCIM requirements centers around the mandatory SSO prerequisite and pricing barriers. Common complaints:
- Must enable SAML SSO before SCIM can be configured
- Business plan requirement locks out smaller development teams
- Complex team/organization mapping for multi-project environments
- $24/user/month feels steep for container registry access
You have to set up SSO first before you can even think about SCIM - it's an extra hoop that other tools don't require.
The Business plan pricing is tough to justify for a 10-person dev team when we really just need automated user provisioning for our container workflows.
The recurring theme
Docker forces a specific implementation order (SSO-first) and pricing tier that creates unnecessary barriers for teams who just want automated user lifecycle management for their development workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro/Team plans, need SCIM | Use Stitchflow: avoid the $15-18/user/month tier jump to Business |
| Already on Business with SSO configured | Use native SCIM: you're paying for it and prerequisites are met |
| Business plan but SSO not enabled | Use Stitchflow: skip the SSO prerequisite complexity |
| Complex team/org structure mapping needs | Use Stitchflow: simpler group management without Docker's team constraints |
| Small dev team, infrequent changes | Manual may work: but container registry security risks grow with scale |
The bottom line
Docker gates SCIM behind Business. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Docker workflow gap
Docker gates SCIM behind Business, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- SSO must be enabled before SCIM
- Group provisioning has team mapping requirements
- Seat-based licensing affects provisioning
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM 2.0 provisioning supported. Can optionally map dockerRole, dockerOrg, or dockerTeam attributes. SSO must be enabled before SCIM.
Docker gates SCIM behind Business. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support. Configure in Azure Portal > Enterprise Applications > Provisioning. Supports user and group provisioning. Can use SCIM alongside JIT or on its own.
Docker gates SCIM behind Business. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Docker
Docker gates SCIM behind Business plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack, and it can add a 167% markup just to get there.
Start with the free gap diagnostic
