Summary and recommendation
Fullstory supports SCIM for automated user provisioning, but only through Okta and only on Enterprise plans (~$10,000+/year minimum). The setup requires creating a custom SAML application in Okta rather than using their published integration. Additionally, SCIM deactivation doesn't actually delete users from Fullstory—it only marks them as inactive, requiring manual cleanup to maintain compliance.
For growing product teams, this creates a significant operational burden. While SSO handles authentication, IT teams must still manually provision users on lower-tier plans ($199-1,000/month), track session-based licensing, and manually remove departed employees to avoid compliance issues with customer data access. Given Fullstory's role in capturing user behavior data, maintaining proper access controls is critical.
The strategic alternative
Fullstory gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Fullstory accounts manually. Here's what that costs:
The Fullstory pricing problem
Fullstory gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Business | From $199/month | ||
| Advanced | $300-1,000/month | ||
| Enterprise | Custom (~$10,000+/year) |
Note: Pricing varies significantly based on session volume and data retention requirements. Enterprise includes SAML SSO, advanced permissions, and compliance features beyond SCIM.
What this means in practice
The Enterprise requirement creates substantial cost increases for teams needing automated provisioning:
Minimum Enterprise commitment: Most customers report ~$10,000/year minimum spend, regardless of actual session usage.
From Advanced tier: Teams on $300-600/month Advanced plans face 15-30x cost increases to access SCIM provisioning.
Session-based complexity: Unlike per-seat SaaS pricing, Fullstory's session-based model makes it difficult to predict exact Enterprise costs without custom quotes.
Additional constraints
Summary of challenges
- Fullstory supports SCIM but only at Enterprise tier (Custom (~$10,000+/year minimum))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Fullstory doesn't sell SCIM à la carte. It's bundled with Enterprise features that most teams won't need:
The Enterprise tier starts around $10,000+ annually—a massive jump from Advanced plans at $300-1,000/month. If you just need automated user provisioning for your product analytics team, you're paying for compliance and governance features that 80% of companies never use. Plus, the SCIM limitation to Okta-only means teams using Entra ID or Google Workspace are stuck with manual provisioning regardless of what they pay.
What IT admins are saying
Community sentiment on Fullstory's SCIM implementation is mixed, with frustration centered on complexity and limitations. Common complaints:
- SCIM only works through Okta with a custom SAML app setup
- Published Okta integration doesn't include SCIM provisioning
- Users aren't automatically deleted from Fullstory when deactivated in IdP
- Enterprise tier requirement creates a significant cost barrier for smaller teams
Having to set up a custom SAML app just to get SCIM working feels like an unnecessary workaround when other analytics tools have this built-in.
The fact that deactivating users in Okta doesn't remove them from Fullstory means we're still doing manual cleanup - kind of defeats the purpose of automation.
The recurring theme
While Fullstory offers SCIM, the Okta-only limitation and incomplete lifecycle management forces IT teams into workarounds and manual processes that undermine the automation benefits.
The decision
| Your Situation | Recommendation |
|---|---|
| On Business plan, need SCIM | Use Stitchflow: avoid the $10K+ Enterprise jump |
| Already on Enterprise with Okta | Use native SCIM: you're paying for it, just requires custom SAML setup |
| Using Azure AD or other IdPs | Use Stitchflow: Fullstory only supports SCIM via Okta |
| Need user deletion automation | Use Stitchflow: native SCIM doesn't auto-delete deactivated users |
| Small product team, low churn | Manual may work: but monitor for abandoned analytics access |
The bottom line
Fullstory gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Fullstory workflow gap
Fullstory gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM currently only via Okta
- Requires custom SAML app (not published Okta app)
- User deletion from IdP doesn't auto-delete from Fullstory
- Roles: Admin, Architect, Standard, Guest
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Published Okta app doesn't support SCIM natively. Must create custom SAML 2.0 app to enable SCIM. Supports Create Users, Update User Attributes, Deactivate Users. Role mapping via IdP attributes (Admin, Architect, Standard, Guest - umbrella manager not supported via SCIM).
Fullstory gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
SAML SSO with JIT provisioning only. Users created on first SSO login. No SCIM-based automatic provisioning documented for Entra ID.
Use Stitchflow for automated provisioning.
Close the workflow gap in
Fullstory
Fullstory gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
