Summary and recommendation
Google Gemini for Workspace does not provide dedicated SCIM provisioning because it's managed entirely through the Google Workspace admin console. While Google Workspace itself supports SCIM for user provisioning, Gemini access is controlled through Workspace licensing rather than separate user provisioning. This creates a significant challenge for organizations using third-party identity providers like Okta or Entra ID—they can provision users to Google Workspace via SCIM, but Gemini license assignment and access controls must be manually managed through Google's admin console.
This approach forces IT teams into a fragmented workflow: automated provisioning handles the Workspace account creation, but AI tool access requires separate manual intervention. For organizations deploying Gemini across hundreds or thousands of users, this manual licensing step becomes an operational bottleneck. The situation is further complicated by Google's recent pricing changes that bundled Gemini into all Workspace plans with a ~17% price increase, meaning organizations can't opt out but still lack automated license management capabilities.
The strategic alternative
Google Gemini gates SCIM behind Workspace (Gemini included). That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Custom |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | Google Identity |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Google Gemini accounts manually. Here's what that costs:
The Google Gemini pricing problem
Google Gemini gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Business Starter | $7/user/month (5 Gemini prompts/day) | Via Workspace only | |
| Business Standard | $14/user/month (full Gemini access) | Via Workspace only | |
| Business Plus | $18/user/month | Via Workspace only | |
| Enterprise | $25+/user/month | Via Workspace only | |
Pricing structure
| Plan | Pricing | SCIM Support |
|---|---|---|
| Business Starter | $7/user/month (5 Gemini prompts/day) | Via Workspace only |
| Business Standard | $14/user/month (full Gemini access) | Via Workspace only |
| Business Plus | $18/user/month | Via Workspace only |
| Enterprise | $25+/user/month | Via Workspace only |
Key pricing changes (effective March 2025)
What this means in practice
For existing Google Workspace customers
For non-Workspace organizations
Additional constraints
Summary of challenges
- Google Gemini supports SCIM, but only at the Custom tier ($25+/user/month, Workspace Enterprise with Gemini)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What Google Gemini actually offers for identity
No Dedicated SCIM Endpoint
Google Gemini doesn't provide its own SCIM API or provisioning system. Instead, Gemini access is managed entirely through Google Workspace:
| Feature | Details |
|---|---|
| SCIM protocol | None - managed via Google Workspace admin console |
| Direct provisioning | Not available |
| User lifecycle | Tied to Google Workspace user management |
| License assignment | Manual through Workspace admin console |
Google Workspace Integration Only
Gemini is now bundled into all Google Workspace plans (as of January 2025), but this creates its own limitations:
What This Means for Multi-IdP Environments
If your organization uses Okta, Entra ID, or OneLogin as the primary identity provider:
1. Your IdP provisions users to Google Workspace via SCIM
2. Google Workspace becomes a secondary identity store
3. IT manually assigns Gemini licenses within Workspace admin console
4. No automated license provisioning based on group membership or attributes
The core problem: There's no way to automate "give marketing team Gemini access" without manual intervention in the Google Workspace console, even if your SCIM integration is working perfectly.
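A reconciliation check for the gap described above, as an added example that is not part of the original page or any vendor's code: it compares a constructed IdP group export with a constructed Workspace license export and flags missed manual assignments and licenses that outlived the entitlement. The CSV column names, the group name and the addresses are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a Google or IdP schema.
IDP_GROUP_CSV = """email,group,status
ana@example.com,marketing-gemini,active
raj@example.com,marketing-gemini,active
zoe@example.com,marketing-gemini,active
lee@example.com,marketing-gemini,deprovisioned
"""

WORKSPACE_CSV = """email,account_state,gemini_license
ana@example.com,active,yes
raj@example.com,active,no
lee@example.com,suspended,yes
kim@example.com,active,yes
"""


def load(text):
    """Parse a CSV export into {lowercased email: row}."""
    return {row["email"].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(idp_csv, workspace_csv):
    """Compare who the IdP says should have Gemini with who holds a license."""
    idp, workspace = load(idp_csv), load(workspace_csv)
    in_workspace = set(workspace)
    entitled = {e for e, r in idp.items() if r["status"] == "active"}
    licensed = {e for e, r in workspace.items() if r["gemini_license"] == "yes"}
    return {
        # Entitled in the IdP but no Workspace account: SCIM provisioning did not land.
        "not_in_workspace": sorted(entitled - in_workspace),
        # Account exists but the manual license step was never done.
        "missing_license": sorted((entitled & in_workspace) - licensed),
        # License held without an active entitlement: access-review finding.
        "unentitled_license": sorted(licensed - entitled),
        # License still attached to a non-active account: offboarding gap.
        "license_on_inactive_account": sorted(
            e for e in licensed if workspace[e]["account_state"] != "active"
        ),
    }


if __name__ == "__main__":
    for finding, emails in reconcile(IDP_GROUP_CSV, WORKSPACE_CSV).items():
        print(f"{finding}: {', '.join(emails) or 'none'}")
```

Run on a schedule against fresh exports, the `unentitled_license` and `license_on_inactive_account` lists are the ones to review first, since they represent access that should already have been removed.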
What IT admins are saying
Google Gemini's integration into Workspace pricing has created mixed reactions from IT teams managing AI rollouts:
- Forced adoption: "Cannot opt out of Gemini price increase" - effective March 2025, all Workspace customers pay for Gemini whether they want it or not
- Limited control: No dedicated SCIM endpoint means Gemini access is tied entirely to Google Workspace licensing decisions
- Ecosystem lock-in: Third-party IdP customers must provision through Google Workspace, adding complexity to multi-vendor identity strategies
- Tiered access confusion: Business Starter users get only 5 Gemini prompts per day, creating support tickets when users hit limits
Gemini is now included in Google Workspace - no longer a separate add-on. ~17% price increase across Workspace plans.
Must assign Gemini license through Workspace licensing
The recurring theme
Google has simplified Gemini provisioning by bundling it with Workspace, but IT teams lose granular control over AI tool access and face mandatory cost increases across their entire Google Workspace deployment.
The decision
| Your Situation | Recommendation |
|---|---|
| Small Google Workspace team (<25 users) | Manual Gemini license assignment through Workspace admin console |
| Existing Google Workspace customer with stable team | Manual management acceptable - Gemini included in your plan |
| Mixed IdP environment (Okta/Entra + Workspace) | Use Stitchflow: automate cross-platform provisioning |
| Enterprise with multiple Workspace domains | Use Stitchflow: automation essential for multi-domain management |
| Non-Google Workspace organization wanting Gemini | Consider alternatives - you'll need full Workspace migration |
The bottom line
Google Gemini gates SCIM behind Workspace (Gemini included). The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Google Gemini workflow gap
Google Gemini gates SCIM behind Workspace (Gemini included), but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Custom
Prerequisites
None
Key limitations
- No dedicated Gemini SCIM endpoint
- Provisioning tied to Google Workspace admin console
- Must assign Gemini license through Workspace licensing
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Gemini access managed through Google Workspace. Okta provisions to Workspace via SCIM. Gemini licenses assigned via Workspace admin console.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Entra ID can provision users to Google Workspace via SCIM. Gemini is now bundled with Workspace - no separate provisioning needed.


