Summary and recommendation
Fivetran supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But Fivetran restricts SCIM to its Enterprise or Business Critical plans, which start at $12K/year minimum commitment—a substantial jump from their Standard plan that offers unlimited users with usage-based pricing.
The gap is significant. While SSO/SAML works on all Fivetran plans, new users joining via just-in-time provisioning arrive with zero permissions. Without SCIM automation, IT teams must manually assign roles for every data engineer, analyst, and BI user—a tedious process that scales poorly as data teams grow. Given Fivetran's role as a central data integration hub, this manual overhead creates bottlenecks for data access and increases security risk from over-provisioned accounts.
The strategic alternative
Fivetran gates SCIM behind Enterprise / Business Critical. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Field | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Fivetran accounts manually. Here's what that costs:
The Fivetran pricing problem
Fivetran gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Usage-Based + Features)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Usage-based, unlimited users | ✓ | ✗ |
| Enterprise | Usage-based + advanced features | ✓ | ✓ |
| Business Critical | $12K/year minimum commitment | ✓ | ✓ |
Note: March 2025 pricing change switches to per-connection MAR calculation, typically increasing costs 40-70% for multi-connector setups. Annual costs range from $10K-$500K+ depending on data volume.
What this means in practice
Without SCIM on lower tiers, new users provisioned via JIT (Just-In-Time) SSO are created with zero permissions. This creates a manual bottleneck where IT admins must:
For data teams where connector access determines what sources users can sync, this manual process significantly delays onboarding and creates ongoing administrative overhead.
Additional constraints
Summary of challenges
- Fivetran supports SCIM, but only at the Enterprise tier or above (Business Critical, the highest tier, carries a $12K/year minimum commitment)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Fivetran doesn't sell SCIM separately. It's bundled with Enterprise/Business Critical tier features:
Stitchflow Insight
The $12K minimum annual commitment gets you enterprise-grade data platform features, but if you just need automated user provisioning for your data team, you're paying for extensive platform capabilities you likely won't use. We estimate ~60% of Enterprise/Business Critical features are irrelevant for organizations that primarily need SCIM to automate connector permissions and user lifecycle management.
What IT admins are saying
Community sentiment on Fivetran's SCIM restrictions reveals frustration with enterprise-only gatekeeping. Common complaints:
- SCIM locked behind Enterprise/Business Critical plans ($12K+ minimum)
- Without SCIM, new JIT users get zero permissions by default
- Manual role assignment becomes a bottleneck for data teams
- Major pricing overhaul in March 2025 causing 40-70% cost increases
New users created through JIT provisioning have no permissions if SCIM isn't enabled. So you're stuck doing manual role assignments for every data engineer.
The Enterprise plan requirement for SCIM is rough when you just need basic user automation. We're paying for features we'll never use.
The recurring theme
Fivetran forces teams into expensive enterprise tiers just to avoid manual user management, creating a costly barrier for automated provisioning in data teams.
The decision
| Your Situation | Recommendation |
|---|---|
| On Standard plan, need SCIM | Use Stitchflow: avoid the $12K/year minimum commitment jump |
| Need automated provisioning but not Enterprise features | Use Stitchflow: start with a free gap diagnostic, then build the workflow across every app without asking your team to own the plumbing. |
| Already on Business Critical plan | Use native SCIM: you're paying for it |
| Heavy data volume with Enterprise budget | Evaluate Business Critical: SCIM comes bundled with advanced features |
| Small data team, infrequent user changes | Manual may work: but monitor for permission gaps as team grows |
The bottom line
Fivetran gates SCIM behind Enterprise / Business Critical. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Fivetran workflow gap
Fivetran gates SCIM behind Enterprise / Business Critical, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- New JIT users created with no permissions if SCIM not enabled
- Browser session timeout requires Enterprise/Business Critical plan
- Manual role assignment needed without SCIM
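When SCIM is not enabled, these limitations leave two states worth checking for on a schedule: JIT-created accounts that still hold no role, and accounts that stay active after the IdP has disabled or unassigned the user. The reconciliation check below is an added example, not Fivetran's or Stitchflow's code; the record layout and field names (`email`, `active`, `role`) are hypothetical stand-ins for an IdP assignment export and an application user export, and the sample rows are constructed.

```python
"""Reconcile an IdP assignment export against an application user export.

Field names and sample rows are constructed for illustration only.
"""

# Constructed sample: users assigned to the app in the IdP.
IDP_USERS = [
    {"email": "ana@example.com", "active": True},
    {"email": "Ben@Example.com", "active": True},
    {"email": "cy@example.com", "active": False},   # disabled in the IdP
]

# Constructed sample: accounts present in the application.
APP_USERS = [
    {"email": "ana@example.com", "active": True, "role": "Analyst"},
    {"email": "ben@example.com", "active": True, "role": None},      # JIT, no role yet
    {"email": "cy@example.com", "active": True, "role": "Admin"},    # should be off
    {"email": "dee@example.com", "active": True, "role": "Analyst"}, # unknown to IdP
    {"email": "old@example.com", "active": False, "role": None},
]


def norm(email):
    """Case-fold and trim so 'Ben@Example.com' matches 'ben@example.com'."""
    return email.strip().casefold()


def reconcile(idp_users, app_users):
    """Return findings keyed by type, each a sorted list of emails."""
    idp_active = {norm(u["email"]) for u in idp_users if u["active"]}
    idp_known = {norm(u["email"]) for u in idp_users}
    findings = {"no_role": [], "not_deactivated": [], "unmanaged": []}
    for acct in app_users:
        if not acct["active"]:
            continue  # already deactivated in the app, nothing to do
        email = norm(acct["email"])
        if email not in idp_known:
            findings["unmanaged"].append(email)        # never assigned via IdP
        elif email not in idp_active:
            findings["not_deactivated"].append(email)  # offboarding gap
        elif not acct["role"]:
            findings["no_role"].append(email)          # JIT user awaiting a role
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, emails in reconcile(IDP_USERS, APP_USERS).items():
        print(f"{kind}: {', '.join(emails) or '-'}")
```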
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Create, update, deactivate users via SCIM. Account Administrator role required. SCIM disables direct user management in Fivetran. Team roles not configurable via SCIM.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise/Business Critical required. Create non-gallery app with custom roles matching Fivetran RBAC. Destination/connection-level roles not supported via SCIM.


