Summary and recommendation
GitLab supports SCIM for automated user provisioning, but requires Premium ($29/user/month) or Ultimate ($99/user/month) plans. While SCIM is available at the Premium tier, the implementation has significant constraints: you must configure Group SSO first, only Azure AD is officially tested and supported, and Okta users need the Lifecycle Management product tier. Configuration errors are notoriously difficult to troubleshoot, and the documentation warnings about following setup procedures "exactly" suggest a fragile implementation.
For engineering teams managing source code access, these limitations create real security risks. Manual provisioning delays mean developers can't contribute on day one, while delayed deprovisioning leaves former employees with access to critical repositories and CI/CD pipelines. SSO alone doesn't solve this - it only handles authentication, not the lifecycle management of user accounts and permissions that SCIM provides.
The strategic alternative
GitLab gates SCIM behind Premium or Ultimate. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages GitLab accounts manually. Here's what that costs:
The GitLab pricing problem
GitLab gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Annually)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (up to 5 users) | | |
| Premium | $29/user/month ($348/user/year) | | |
| Ultimate | $99/user/month ($1,188/user/year) | | |
Note: Group SAML SSO must be configured before SCIM can be enabled. Both Premium and Ultimate include the same SCIM capabilities.
What this means in practice
Using current list prices (Free → Premium for SCIM access):
| Team Size | Annual Cost for SCIM |
|---|---|
| 25 developers | $104,400/year |
| 50 developers | $208,800/year |
| 100 developers | $417,600/year |
For teams currently on Free: $348 × number of users per year just to get automated provisioning.
Additional constraints
Summary of challenges
- GitLab supports SCIM but only at Enterprise tier (Ultimate: $99/user/month, $1,188/user/year)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
GitLab doesn't sell SCIM separately. It's bundled with Premium or Ultimate plan features:
Note that GitLab's SCIM has strict configuration requirements and limited IdP support - only Azure AD is officially tested, and Okta requires their Lifecycle Management tier on top of your GitLab subscription.
Stitchflow Insight
The Premium plan at $29/user/month gets you SCIM, but Ultimate at $99/user/month includes DevSecOps tools most teams actually want. However, if you only need user provisioning, you're paying for extensive DevOps tooling you may not use. We estimate ~60% of Premium/Ultimate features are development workflow enhancements irrelevant for basic identity management needs.
What IT admins are saying
Community sentiment on GitLab's SCIM implementation is mixed, with significant frustration around configuration complexity and limited IdP support. Common complaints:
- SCIM configuration is fragile and errors are difficult to troubleshoot
- Only Azure AD is officially tested and supported, leaving Okta users in limbo
- Okta integration requires the expensive Lifecycle Management product tier
- Group SSO must be configured first, adding setup complexity
SCIM configuration errors are difficult to resolve
Limited official IdP support (mainly Azure AD)
Okta requires additional product tier
The recurring theme
GitLab's SCIM works well when everything is configured perfectly, but the narrow support matrix and configuration sensitivity create headaches for IT teams using anything other than Azure AD.
The decision
| Your Situation | Recommendation |
|---|---|
| On Free or Premium, need SCIM | Use Stitchflow: avoid the $99/user/month Ultimate upgrade |
| Already on Ultimate plan | Use native SCIM: you're paying $1,188/user/year, it's included |
| Using Okta without Lifecycle Management | Use Stitchflow: avoid both GitLab Ultimate AND Okta tier upgrades |
| Need Ultimate features beyond SCIM | Evaluate Ultimate: SCIM comes bundled with advanced DevSecOps |
| Small dev team, low turnover | Manual may work: but source code access requires tight controls |
The bottom line
GitLab gates SCIM behind Premium or Ultimate. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the GitLab workflow gap
GitLab gates SCIM behind Premium or Ultimate, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Group SSO must be configured before SCIM
- Okta requires Lifecycle Management product tier
- SCIM must be configured exactly as documented to avoid issues
- Only Azure AD officially tested and supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
OIN app available. Supports Create Users, Deactivate Users. Group synchronization NOT supported in standard OIN app (requires custom SCIM integration). Configure SCIM API endpoint URL and token from GitLab.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Set Provisioning Mode to Automatic. Tenant URL from GitLab SCIM API endpoint. Group provisioning NOT supported - causes confusing errors in logs. Attribute mappings required for NameID, displayName, mail.
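An added example, not code from GitLab or Stitchflow: a reconciliation check for the deprovisioning gap this page describes, flagging GitLab accounts that are still active after the IdP deactivated the user, and separating those still inside the 40-minute sync cycle cited above from those past it. The rosters are constructed sample data, and the field names are assumptions to be mapped from your own IdP export and GitLab member listing.

```python
from datetime import datetime, timedelta, timezone

# Typical Entra provisioning cycle cited on this page; used as a tunable grace period.
SYNC_WINDOW = timedelta(minutes=40)

# Constructed sample data (not real exports). Field names are assumptions.
IDP_USERS = [
    {"email": "ana@example.com", "active": True, "deactivated_at": None},
    {"email": "ben@example.com", "active": False, "deactivated_at": "2024-05-01T09:00:00+00:00"},
    {"email": "cy@example.com", "active": False, "deactivated_at": "2024-05-01T11:45:00+00:00"},
]
GITLAB_MEMBERS = [
    {"username": "ana", "email": "ana@example.com", "state": "active"},
    {"username": "ben", "email": "Ben@example.com", "state": "active"},
    {"username": "cy", "email": "cy@example.com", "state": "active"},
    {"username": "dee", "email": "dee@example.com", "state": "active"},
    {"username": "eli", "email": "eli@example.com", "state": "blocked"},
]

def audit(idp_users, gitlab_members, now, window=SYNC_WINDOW):
    """Return (username, status, lag) for active GitLab accounts the IdP no longer backs."""
    idp = {u["email"].lower(): u for u in idp_users}  # match emails case-insensitively
    findings = []
    for member in gitlab_members:
        if member["state"] != "active":
            continue  # already blocked or deactivated in GitLab
        record = idp.get(member["email"].lower())
        if record is None:
            # No matching IdP identity: manually created, or the IdP record was deleted outright.
            findings.append((member["username"], "unmanaged", None))
        elif not record["active"]:
            lag = now - datetime.fromisoformat(record["deactivated_at"])
            # Inside the sync window the next cycle may still deactivate the account.
            status = "overdue" if lag > window else "pending_sync"
            findings.append((member["username"], status, lag))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for user, status, lag in audit(IDP_USERS, GITLAB_MEMBERS, now):
        print(f"{user:5} {status:13} lag={lag}")
```

Accounts reported as `overdue` or `unmanaged` are the ones to block by hand and then trace back to a failed or missing provisioning job.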
Close the workflow gap in GitLab
GitLab gates SCIM behind Premium or Ultimate plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.


