Summary and recommendation
Guru supports full SCIM 2.0 provisioning for users and groups, but only on Enterprise plans with custom pricing. The implementation has several operational restrictions: SSO must be configured before SCIM can be enabled, and once SCIM is active, users cannot be removed directly from the Guru web interface—only deactivated through your identity provider. Additionally, all synced users and groups become read-only in Guru's interface, removing local management flexibility.
This creates a management gap for IT teams who need provisioning automation but don't require Enterprise-level features or can't justify custom pricing for a knowledge management tool. The SSO prerequisite adds complexity to deployment, and the loss of local user management means your IdP becomes a single point of control—problematic for organizations that need hybrid management approaches or want to maintain emergency access capabilities.
The strategic alternative
Guru gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, Google SSO |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Guru accounts manually. Here's what that costs:
The Guru pricing problem
Guru gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | Free | ||
| Builder | Contact for pricing | ||
| Enterprise | Custom pricing |
Note: Enterprise includes full SCIM 2.0 provisioning for users and groups, plus dedicated customer success management and advanced integrations.
What this means in practice
Since Guru uses custom Enterprise pricing, exact costs vary by organization size and negotiation. However, the pricing structure creates several financial pressure points:
Additional constraints
Summary of challenges
- Guru supports SCIM but only at Enterprise tier (Custom pricing (includes CSM, ticket linking))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Guru doesn't sell SCIM à la carte. It's bundled with Enterprise features:
The catch: SSO must be configured before you can enable SCIM. Once SCIM is active, users become locked to your IdP - you can't remove them through Guru's web interface, and all synced users/groups become read-only in the platform.
If you need knowledge management controls and dedicated support anyway, Enterprise may work. If you just want automated user provisioning, you're paying custom pricing for a bundle where ~60% of features are irrelevant for teams that only need SCIM automation.
What IT admins are saying
Community sentiment on Guru's SCIM implementation reveals frustration with the SSO prerequisite and management restrictions. Common complaints:
- Having to configure SSO before SCIM can be enabled
- Users becoming locked to IdP management once SCIM is activated
- Inability to remove users through the web interface after SCIM enablement
- Synced users and groups becoming read-only in the Guru admin panel
Once SCIM enabled, users can't be removed from web app... Synced users/groups become uneditable in Guru
Office 365 automatic provisioning not supported
The recurring theme
While Guru offers full SCIM 2.0 functionality, the rigid SSO requirement and loss of manual user management flexibility creates operational constraints that many IT teams find restrictive.
The decision
| Your Situation | Recommendation |
|---|---|
| On Starter/Builder, need SCIM | Use Stitchflow: avoid the Enterprise upgrade and custom pricing |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes bundled |
| SSO not yet configured | Consider Stitchflow: skip the SSO prerequisite complexity |
| Need flexibility to manage users in Guru | Use Stitchflow: avoid the read-only lock-in that comes with native SCIM |
The bottom line
Guru gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Guru workflows AI-native
Guru gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SSO must be configured before SCIM
- Once SCIM enabled, users can't be removed from web app
- Synced users/groups become uneditable in Guru
- Office 365 automatic provisioning not supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 provisioning for users and groups. SSO must be configured first. Once SCIM enabled, users cannot be removed from web app. Synced items show sync icon and become read-only.
Guru gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 provisioning. SSO required before SCIM. Users deactivated when removed from Entra if Deactivate Users enabled.
Guru gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Guru
Guru gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
