Stitchflow
Back to directory
Google Cloud logo

Google Cloud SCIM guide

Native SCIM

How to automate Google Cloud user provisioning, and what it actually costs

Native SCIM requires Cloud Identity Premium plan

Summary and recommendation

Google Cloud Platform supports SCIM provisioning through Cloud Identity Premium at $7.20/user/month, but this creates a fundamental architectural challenge for IT teams. While Cloud Identity can sync users and groups from your IdP (Okta, Entra ID, etc.), it only handles identity provisioning—not the critical step of mapping users to specific GCP projects and IAM roles. This means IT admins face a two-step manual process: first provisioning identities through SCIM, then separately assigning project access and role permissions through GCP's IAM system.

This separation between identity provisioning and access management creates significant operational overhead and security gaps. New developers might be provisioned as users but lack access to the projects they need to work on. Departing employees could have their Cloud Identity deactivated while retaining specific IAM permissions in individual projects. For enterprises managing hundreds of developers across multiple GCP projects, this dual-system approach makes compliance auditing complex and increases the risk of privilege creep.

The strategic alternative

Google Cloud gates SCIM behind Cloud Identity Premium. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.

Quick SCIM facts

SCIM available?Yes
SCIM tier requiredPro
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0, OIDC
DocumentationOfficial docs

Supported identity providers

IdPSSOSCIMNotes
OktaOIN app with full provisioning
Microsoft Entra IDGallery app with SCIM
Google WorkspaceJIT onlySAML SSO with just-in-time provisioning
OneLoginSupported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Google Cloud accounts manually. Here's what that costs:

Source: Stitchflow customers using Google Cloud, normalized to 500 employees:
Orphaned accounts (ex-employees with access)36
Unused licenses27
IT hours spent on manual management/year129 hours
Unused license cost/year$3,958
IT labor cost/year$7,751
Cost of compliance misses/year$8,595
Total annual financial impact$20,304

The Google Cloud pricing problem

Google Cloud gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Cloud Identity Free$0 (50 users default)
Cloud Identity Premium$7.20/user/month

Pricing structure

PlanPriceSCIM
Cloud Identity Free$0 (50 users default)❌ Not available
Cloud Identity Premium$7.20/user/month✓ Available

What this means in practice

For a 100-person team wanting SCIM provisioning to Google Cloud:

Annual cost
$8,640 ($7.20 × 100 users × 12 months)
What you're paying for
Google Cloud Identity Premium licenses just to enable SCIM
The architectural reality
Your IdP provisions to Cloud Identity, which then manages GCP access

This creates a forced upsell scenario where Google Cloud SCIM requires purchasing their competing identity platform. You're essentially paying Google $7.20/user/month to compete with your existing IdP investment.

Additional constraints

Dual identity architecture
Cloud Identity sits between your IdP and GCP, adding complexity
IAM permissions handled separately
SCIM only provisions identities; project roles and permissions require separate management
Limited control
Google controls the SCIM implementation and any changes to the Cloud Identity service
Vendor lock-in
Once committed to Cloud Identity Premium, switching costs become significant

The fundamental issue is architectural: Google designed GCP provisioning to drive adoption of their Cloud Identity platform, not to integrate cleanly with existing enterprise identity infrastructure.

Summary of challenges

  • Google Cloud supports SCIM but only at Pro tier (custom pricing)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What the upgrade actually includes

Cloud Identity Premium ($7.20/user/month)

Google Cloud requires Cloud Identity Premium to enable SCIM provisioning:

FeatureIncluded
SCIM provisioning✓ Yes
SSO for thousands of apps✓ Yes
Directory Sync✓ Yes
Secure LDAP✓ Yes
HR system sync✓ Yes
Advanced security controls✓ Yes
Premium support✓ Yes

SCIM capabilities:

Create users in Cloud Identity
Update user attributes
Deactivate users
Group provisioning and management
Bidirectional sync (Google can be source or destination)

The enterprise bloat problem

Cloud Identity Premium bundles SCIM with numerous enterprise features that most teams don't need:

SSO for thousands of apps: Irrelevant if you're just syncing users to GCP
Advanced security controls: Overkill for basic user provisioning
HR system integrations: Unnecessary complexity for straightforward IdP sync
Premium support: You're paying for support on features you won't use

Key limitation: IAM permissions and project access are managed separately from Cloud Identity provisioning. SCIM only handles user/group sync - you still need to manually configure GCP IAM roles and project permissions.

For teams that simply want automated user provisioning to Google Cloud, you're paying $7.20/user/month for enterprise features you don't need, while still handling IAM role assignments manually.

What IT admins are saying

Google Cloud's SCIM provisioning creates cost barriers and complexity for IT teams:

  • Premium pricing wall - SCIM requires Cloud Identity Premium at $7.20/user/month, adding significant cost just for basic provisioning
  • Dual management overhead - Identity sync through Cloud Identity is separate from GCP IAM role assignments, requiring parallel management
  • Enterprise-only features - Advanced provisioning capabilities locked behind premium tiers, excluding smaller organizations
  • Complex architecture - Multi-layered setup with Cloud Identity as intermediary adds troubleshooting complexity

Cloud Identity Premium includes: SSO for thousands of apps, Directory Sync, secure LDAP, HR system sync.

Google Cloud documentation

Can be source or destination for SCIM... IAM permissions separate from identity

Google Cloud Identity docs

The recurring theme

Google forces IT teams to pay premium pricing for basic SCIM functionality, then still requires separate management of GCP IAM roles, creating both cost burden and operational overhead that many organizations struggle to justify.

The decision

Your SituationRecommendation
Small DevOps team (<20 users) on GCP FreeManual management acceptable for now
Medium organization (20-100 users)Upgrade to Cloud Identity Premium for native SCIM
Enterprise with complex GCP project structureUse Stitchflow: separates identity sync from IAM complexity
Multi-cloud setup (GCP + AWS/Azure)Use Stitchflow: unified provisioning across platforms
Cost-sensitive with stable workforceNative SCIM if you can justify $7.20/user/month premium

The bottom line

Google Cloud gates SCIM behind Cloud Identity Premium. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.

Close the Google Cloud workflow gap

Google Cloud gates SCIM behind Cloud Identity Premium, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.

Across every app in the workflow, including the ones without APIs
Built in less than a week, with roughly 2 hours from your team
You review the exceptions. Stitchflow maintains the workflow underneath
Start with the free gap diagnostic

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Pro

Prerequisites

SSO must be configured first

Key limitations

  • Cloud Identity Premium required for SCIM
  • Can be source or destination for SCIM
  • IAM permissions separate from identity
View Official Documentation

Configuration for Okta

Integration type

Okta Integration Network (OIN) app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Google Cloud → Provisioning

Required credentials

SCIM endpoint URL and bearer token (generated in app admin console).

Configuration steps

Enable Create Users, Update User Attributes, and Deactivate Users.

Provisioning trigger

Okta provisions based on app assignments (users or groups).

Docs

Okta integrationGoogle Cloud SCIM setup

Okta can provision users to Google Cloud Identity via SCIM. Cloud Identity acts as the IdP layer for GCP. Directory Sync extends on-premises directory to cloud.

Google Cloud gates SCIM behind Cloud Identity Premium. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Google Cloud → Provisioning

Required credentials

Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).

Configuration steps

Set Provisioning Mode = Automatic, configure SCIM connection.

Provisioning trigger

Entra provisions based on user/group assignments to the enterprise app.

Sync behavior

Entra provisioning runs on a scheduled cycle (typically every 40 minutes).

Docs

Microsoft Entra integrationGoogle Cloud SCIM setup

Entra ID can provision users to Google Cloud Identity. Google can be source or destination for SCIM. IAM role permissions managed separately from identity provisioning.

Google Cloud gates SCIM behind Cloud Identity Premium. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.

Close the workflow gap in
Google Cloud

Google Cloud gates SCIM behind Cloud Identity Premium plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.

Start with the free gap diagnostic
Admin Console
Directory
Applications
Google Cloud logo
Google Cloud
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Gainsight logo

Gainsight

SCIM Tax

Customer Success

SCIM Tax+100%
Manual Cost$20,164/yr

Gainsight supports native SCIM provisioning, but only on Enterprise plans that typically cost $300+/user/month with custom pricing. This creates a significant barrier: customer success teams need automated provisioning to handle frequent role changes and customer data access requirements, but the Enterprise tier often represents a 2x+ price increase from standard plans. Additionally, Gainsight requires SAML SSO configuration before SCIM setup, and custom field mapping requires opening support tickets rather than self-service configuration. For customer success organizations, this pricing gate creates a problematic gap. CS teams experience high internal mobility as managers shift between accounts, and manual provisioning creates delays in accessing critical customer health data. The inSided community platform (part of Gainsight's ecosystem) doesn't support SCIM at all, forcing IT teams to manage those accounts separately through JIT provisioning.

View full guide
Miro logo

Miro

SCIM Tax
SCIM StatusIncluded
Manual Cost$19,839/yr

Miro supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But SCIM is locked behind Miro's Enterprise plan, which requires custom pricing for 30+ members. Teams on Starter ($8/user/month) or Business ($16/user/month) can't access automated provisioning, even though Business includes SAML SSO. This creates a costly gap for mid-sized teams. A 50-person team on Business pays $9,600/year but can't automate user lifecycle management—they're forced into manual provisioning or an expensive Enterprise upgrade just to eliminate the security risk of orphaned accounts. Additionally, Miro's SCIM implementation can't create or delete teams, limiting automation to basic user operations.

View full guide
ClickUp logo

ClickUp

SCIM Tax
SCIM Tax+192%
Manual Cost$24,531/yr

ClickUp supports SCIM provisioning, but only on its Enterprise plan, which costs around $35/user/month (roughly $42,000/year for 100 users). Teams on the Business plan ($12/user/month) can access most premium features but are locked out of automated provisioning entirely. Making matters worse, ClickUp's SCIM implementation varies significantly by identity provider: Okta gets full provisioning with roles and teams, while Entra ID users are limited to basic user creation and removal only—no role assignments or team memberships. For the 70% of organizations using Entra ID or other non-Okta IdPs, this creates a compliance gap. You're paying Enterprise pricing but getting hobbled functionality that still requires manual role and team management. Even with SSO enabled, IT teams must manually assign users to workspaces and set permissions, defeating the purpose of automated provisioning.

View full guide