Summary and recommendation
Guru supports full SCIM 2.0 provisioning for users and groups, but only on Enterprise plans with custom pricing. The implementation has several operational restrictions: SSO must be configured before SCIM can be enabled, and once SCIM is active, users cannot be removed directly from the Guru web interface—only deactivated through your identity provider. Additionally, all synced users and groups become read-only in Guru's interface, removing local management flexibility.
This creates a management gap for IT teams who need provisioning automation but don't require Enterprise-level features or can't justify custom pricing for a knowledge management tool. The SSO prerequisite adds complexity to deployment, and the loss of local user management means your IdP becomes a single point of control—problematic for organizations that need hybrid management approaches or want to maintain emergency access capabilities.
The strategic alternative
Guru gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, Google SSO |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Guru accounts manually. Here's what that costs:
The Guru pricing problem
Guru gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | Free | ||
| Builder | Contact for pricing | ||
| Enterprise | Custom pricing |
Note: Enterprise includes full SCIM 2.0 provisioning for users and groups, plus dedicated customer success management and advanced integrations.
What this means in practice
Since Guru uses custom Enterprise pricing, exact costs vary by organization size and negotiation. However, the pricing structure creates several financial pressure points:
Additional constraints
Summary of challenges
- Guru supports SCIM but only at Enterprise tier (Custom pricing (includes CSM, ticket linking))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Guru doesn't sell SCIM à la carte. It's bundled with Enterprise features:
The catch: SSO must be configured before you can enable SCIM. Once SCIM is active, users become locked to your IdP - you can't remove them through Guru's web interface, and all synced users/groups become read-only in the platform.
If you need knowledge management controls and dedicated support anyway, Enterprise may work. If you just want automated user provisioning, you're paying custom pricing for a bundle where ~60% of features are irrelevant for teams that only need SCIM automation.
What IT admins are saying
Community sentiment on Guru's SCIM implementation reveals frustration with the SSO prerequisite and management restrictions. Common complaints:
- Having to configure SSO before SCIM can be enabled
- Users becoming locked to IdP management once SCIM is activated
- Inability to remove users through the web interface after SCIM enablement
- Synced users and groups becoming read-only in the Guru admin panel
Once SCIM enabled, users can't be removed from web app... Synced users/groups become uneditable in Guru
Office 365 automatic provisioning not supported
The recurring theme
While Guru offers full SCIM 2.0 functionality, the rigid SSO requirement and loss of manual user management flexibility creates operational constraints that many IT teams find restrictive.
The decision
| Your Situation | Recommendation |
|---|---|
| On Starter/Builder, need SCIM | Use Stitchflow: avoid the Enterprise upgrade and custom pricing |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes bundled |
| SSO not yet configured | Consider Stitchflow: skip the SSO prerequisite complexity |
| Need flexibility to manage users in Guru | Use Stitchflow: avoid the read-only lock-in that comes with native SCIM |
The bottom line
Guru gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Guru workflow gap
Guru gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SSO must be configured before SCIM
- Once SCIM enabled, users can't be removed from web app
- Synced users/groups become uneditable in Guru
- Office 365 automatic provisioning not supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 provisioning for users and groups. SSO must be configured first. Once SCIM enabled, users cannot be removed from web app. Synced items show sync icon and become read-only.
Guru gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 provisioning. SSO required before SCIM. Users deactivated when removed from Entra if Deactivate Users enabled.
Guru gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Guru
Guru gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
