Summary and recommendation
Fortinet supports SCIM 2.0 provisioning through FortiGate (acting as a SCIM server) starting with FortiOS 7.6.0+ and FortiAuthenticator 6.5+. While this enables automated user provisioning from identity providers like Okta and Entra ID, it requires Enterprise-level licensing and creates a complex multi-product architecture. FortiGate handles SCIM as a server receiving provisioning commands, while FortiAuthenticator manages identity workflows, and individual Fortinet products (FortiCloud, FortiManager, etc.) require separate SSO configurations.
This fragmented approach means IT teams must navigate multiple identity configurations across Fortinet's product ecosystem. Each security appliance or service may need distinct provisioning rules and access policies, making centralized user lifecycle management significantly more complex than traditional SaaS applications. For security teams managing network access, VPN permissions, and SOC tools across FortiGate firewalls and FortiCloud services, the administrative overhead quickly multiplies.
The strategic alternative
Fortinet gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Fortinet accounts manually.
The Fortinet pricing problem
Fortinet gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | $250 - $300,000+ (varies by appliance) | ✓ | ✓ |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Enterprise | $250 - $300,000+ (varies by appliance) | ✓ |
Note: SCIM requires FortiOS 7.6.0+ or FortiAuthenticator 6.5+. FortiGate acts as SCIM server receiving provisioning from your IdP.
What this means in practice
The core challenge isn't pricing—it's operational complexity:
Multi-product identity sprawl: Each Fortinet product (FortiGate, FortiCloud, FortiManager, FortiAnalyzer) has different identity configuration requirements. Your team manages SCIM for some products, SAML for others, and local accounts for legacy systems.
FortiAuthenticator dependency: For centralized identity management, you need FortiAuthenticator as an additional component. This creates a dependency chain: IdP → FortiAuthenticator → FortiGate devices, with multiple failure points.
Network security implications: SCIM traffic flows over HTTP port 44558 or HTTPS port 44559. Your security team must open these ports and manage firewall rules specifically for provisioning traffic.
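An added example, not from the original page or from Fortinet: a small audit that checks firewall allow-rules for the two SCIM ports named above, flagging any rule that permits the plaintext port or that opens the HTTPS port to sources outside the IdP's ranges. The rule schema, rule names and CIDR ranges are assumptions made for illustration and are not FortiOS syntax.

```python
import ipaddress

SCIM_HTTP_PORT = 44558   # plaintext SCIM listener named on this page
SCIM_HTTPS_PORT = 44559  # TLS SCIM listener named on this page


def audit_scim_rules(rules, idp_cidrs):
    """Flag allow-rules that expose SCIM in plaintext or to non-IdP sources.

    `rules` uses a hypothetical, vendor-neutral schema (not FortiOS syntax).
    """
    idp_nets = [ipaddress.ip_network(c) for c in idp_cidrs]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        ports = set(rule["dst_ports"])
        src = ipaddress.ip_network(rule["src"])
        # A source counts as "IdP" only if it sits entirely inside an approved range.
        from_idp = any(
            src.version == net.version and src.subnet_of(net) for net in idp_nets
        )
        if SCIM_HTTP_PORT in ports:
            # Bearer token and user attributes would travel unencrypted.
            findings.append((rule["name"], "PLAINTEXT_SCIM"))
        if SCIM_HTTPS_PORT in ports and not from_idp:
            findings.append((rule["name"], "SCIM_OPEN_TO_NON_IDP"))
    return findings


# Constructed sample data: names and CIDRs are placeholders. 203.0.113.0/24 is a
# documentation range standing in for the IdP's published egress addresses.
IDP_CIDRS = ["203.0.113.0/24"]
RULES = [
    {"name": "scim-from-idp", "action": "allow", "src": "203.0.113.0/24", "dst_ports": [44559]},
    {"name": "scim-any", "action": "allow", "src": "0.0.0.0/0", "dst_ports": [44558, 44559]},
    {"name": "scim-deny-rest", "action": "deny", "src": "0.0.0.0/0", "dst_ports": [44558, 44559]},
    {"name": "mgmt", "action": "allow", "src": "10.0.0.0/8", "dst_ports": [443]},
]

if __name__ == "__main__":
    for name, code in audit_scim_rules(RULES, IDP_CIDRS):
        print(f"{name}: {code}")
```

Replace the constructed ranges with the egress addresses your IdP publishes before running this against an exported rule set.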
Additional constraints
Summary of challenges
- Fortinet supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Fortinet doesn't sell SCIM separately. It's integrated into their enterprise security infrastructure.
The challenge: Fortinet's identity features are embedded in their broader network security platform. You're not just buying user provisioning—you're investing in firewalls, authentication appliances, and security subscriptions that can cost anywhere from $250 for small deployments to $300,000+ for enterprise-grade appliances.
Stitchflow Insight
If your organization already runs Fortinet infrastructure, the SCIM capabilities add significant value. But if you just need automated provisioning for security team access, you're paying for a comprehensive network security stack you may not fully utilize. We estimate ~80% of Fortinet's enterprise features are irrelevant for teams that only need streamlined user management.
What IT admins are saying
Community sentiment on Fortinet's SCIM implementation reveals confusion about the multi-product architecture. Common complaints:
- FortiGate acting as SCIM server instead of client creates non-standard setup flows
- FortiAuthenticator required for proper identity management adds complexity
- Different SCIM configurations needed across FortiGate, FortiCloud, and other products
- Enterprise licensing requirements lock out smaller security teams
While specific community quotes are limited due to Fortinet's enterprise focus, the technical documentation reveals the complexity: FortiGate runs SCIM server on ports 44558/44559, requiring IdPs to provision TO it rather than the standard pattern of apps receiving FROM IdPs.
The recurring theme
Fortinet's unique SCIM server architecture and multi-product identity management create implementation overhead that doesn't match standard provisioning workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't have Enterprise licensing | Use Stitchflow: avoid the massive FortiGate Enterprise upgrade |
| Running FortiOS 7.5 or older | Use Stitchflow: SCIM requires FortiOS 7.6+ |
| Don't have FortiAuthenticator deployed | Use Stitchflow: avoid the complexity of multi-product identity setup |
| Already on Enterprise with FortiOS 7.6+ | Use native SCIM: you've paid for the infrastructure |
| Mixed Fortinet environment (multiple products) | Use Stitchflow: unified provisioning across all your security tools |
The bottom line
Fortinet's SCIM implementation requires Enterprise licensing plus FortiOS 7.6+ and often FortiAuthenticator for full identity management—a significant infrastructure investment. For security teams that need provisioning automation without the enterprise-grade licensing overhead, Stitchflow delivers unified user management across your entire Fortinet environment at flat-rate pricing.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Multiple products with different identity configs
- FortiAuthenticator for identity management
- Product-specific SSO setup
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
FortiGate SCIM server receives provisioning from Azure AD/Entra ID. LDAPS integration also available via FortiAuthenticator. SAML SSO supported.


