Summary and recommendation
GitLab supports SCIM for automated user provisioning, but requires Premium ($29/user/month) or Ultimate ($99/user/month) plans. While SCIM is available at the Premium tier, the implementation has significant constraints: you must configure Group SSO first, only Azure AD is officially tested and supported, and Okta users need the Lifecycle Management product tier. Configuration errors are notoriously difficult to troubleshoot, and the documentation warnings about following setup procedures "exactly" suggest a fragile implementation.
For engineering teams managing source code access, these limitations create real security risks. Manual provisioning delays mean developers can't contribute on day one, while delayed deprovisioning leaves former employees with access to critical repositories and CI/CD pipelines. SSO alone doesn't solve this - it only handles authentication, not the lifecycle management of user accounts and permissions that SCIM provides.
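An added example, not code from this page, GitLab or Stitchflow: an offline reconciliation check for the delayed-deprovisioning risk described above. It assumes you have a SCIM 2.0 ListResponse export of provisioned users and an IdP roster keyed by `externalId`; all users, IDs and status names below are constructed.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) of provisioned users.
SCIM_USERS = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4, "startIndex": 1, "itemsPerPage": 4,
  "Resources": [
    {"id": "a1", "externalId": "idp-001", "userName": "alice", "active": true},
    {"id": "b2", "externalId": "idp-002", "userName": "bob",   "active": true},
    {"id": "c3", "externalId": "idp-003", "userName": "carol", "active": false},
    {"id": "d4", "externalId": "idp-999", "userName": "dave",  "active": true}
  ]
}
""")

# Constructed sample: IdP export, externalId -> status (status names are assumptions).
IDP_ROSTER = {"idp-001": "ACTIVE", "idp-002": "DEPROVISIONED", "idp-003": "DEPROVISIONED"}


def find_stale_accounts(scim_response, idp_roster):
    """Return users still active downstream that the IdP no longer vouches for."""
    users = scim_response.get("Resources", [])
    # A truncated page would hide accounts, so refuse to audit partial data.
    if scim_response.get("totalResults", len(users)) > len(users):
        raise ValueError("incomplete SCIM listing: fetch all pages before auditing")
    findings = []
    for user in users:
        # A missing 'active' flag is treated as active so the account is reviewed.
        if not user.get("active", True):
            continue
        status = idp_roster.get(user.get("externalId"))
        if status == "ACTIVE":
            continue
        reason = "not in IdP roster" if status is None else f"IdP status {status}"
        findings.append((user["userName"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in find_stale_accounts(SCIM_USERS, IDP_ROSTER):
        print(f"REVIEW {name}: {reason}")
```

Accounts flagged as "not in IdP roster" are typically ones created manually outside the provisioning flow, which automated deprovisioning would never reach.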
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for GitLab without the complexity and IdP restrictions. Works with any GitLab plan and any identity provider (Okta, Entra, Google Workspace, OneLogin). Flat pricing under $5K/year with 24/7 human-in-the-loop support to ensure your developers get access when they need it and lose it when they shouldn't have it.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages GitLab accounts manually. Here's what that costs:
The GitLab pricing problem
GitLab gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Annually)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (up to 5 users) | | |
| Premium | $29/user/month ($348/user/year) | | |
| Ultimate | $99/user/month ($1,188/user/year) | | |
Note: Group SAML SSO must be configured before SCIM can be enabled. Both Premium and Ultimate include the same SCIM capabilities.
What this means in practice
Using current list prices (Free → Premium for SCIM access):
| Team Size | Annual Cost for SCIM |
|---|---|
| 25 developers | $104,400/year |
| 50 developers | $208,800/year |
| 100 developers | $417,600/year |
For teams currently on Free: $348 × number of users per year just to get automated provisioning.
Additional constraints
Summary of challenges
- GitLab supports SCIM but only at Enterprise tier (Ultimate: $99/user/month, $1,188/user/year)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
GitLab doesn't sell SCIM separately. It's bundled with Premium or Ultimate plan features:
Note that GitLab's SCIM has strict configuration requirements and limited IdP support - only Azure AD is officially tested, and Okta requires their Lifecycle Management tier on top of your GitLab subscription.
Stitchflow Insight
The Premium plan at $29/user/month gets you SCIM, but Ultimate at $99/user/month includes DevSecOps tools most teams actually want. However, if you only need user provisioning, you're paying for extensive DevOps tooling you may not use. We estimate ~60% of Premium/Ultimate features are development workflow enhancements irrelevant for basic identity management needs.
What IT admins are saying
Community sentiment on GitLab's SCIM implementation is mixed, with significant frustration around configuration complexity and limited IdP support. Common complaints:
- SCIM configuration is fragile and errors are difficult to troubleshoot
- Only Azure AD is officially tested and supported, leaving Okta users in limbo
- Okta integration requires the expensive Lifecycle Management product tier
- Group SSO must be configured first, adding setup complexity
The recurring theme
GitLab's SCIM works well when everything is configured perfectly, but the narrow support matrix and configuration sensitivity create headaches for IT teams using anything other than Azure AD.
The decision
| Your Situation | Recommendation |
|---|---|
| On Free or Premium, need SCIM | Use Stitchflow: avoid the $99/user/month Ultimate upgrade |
| Already on Ultimate plan | Use native SCIM: you're paying $1,188/user/year, it's included |
| Using Okta without Lifecycle Management | Use Stitchflow: avoid both GitLab Ultimate AND Okta tier upgrades |
| Need Ultimate features beyond SCIM | Evaluate Ultimate: SCIM comes bundled with advanced DevSecOps |
| Small dev team, low turnover | Manual may work: but source code access requires tight controls |
The bottom line
GitLab's SCIM requires Ultimate at $99/user/month—a 3.4x jump from Premium's $29/user/month, plus potential IdP upgrades for Okta users. For development teams that need provisioning automation without the $1,200/user/year price tag, Stitchflow delivers SCIM functionality at a fraction of the cost.
Automate GitLab without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for GitLab at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Group SSO must be configured before SCIM
- Okta requires Lifecycle Management product tier
- SCIM must be configured exactly as documented to avoid issues
- Only Azure AD officially tested and supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
An OIN app is available and supports Create Users and Deactivate Users. Group synchronization is NOT supported in the standard OIN app (it requires a custom SCIM integration). Configure the SCIM API endpoint URL and token from GitLab.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Set Provisioning Mode to Automatic and take the Tenant URL from the GitLab SCIM API endpoint. Group provisioning is NOT supported and causes confusing errors in the logs. Attribute mappings are required for NameID, displayName, and mail.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for GitLab
GitLab gates automation behind Premium or Ultimate plan. Stitchflow delivers the same SCIM outcomes for a flat fee.