Summary and recommendation
Gusto, the HR and payroll platform, does not support SCIM provisioning on any plan—it only offers Just-In-Time (JIT) provisioning through SAML SSO. While JIT creates user accounts on first login, it provides no automated deprovisioning capabilities when employees leave or change roles. This creates a significant compliance gap: terminated employees retain access to sensitive payroll and benefits data until manually removed. Making matters worse, SAML SSO must be activated by contacting Gusto support, adding friction to the setup process.
The lack of automated deprovisioning is particularly problematic for HR platforms like Gusto, which contain highly sensitive employee data including Social Security numbers, bank account details, and salary information. Without SCIM, IT teams must manually track employee departures and remember to deactivate Gusto accounts—a process that's error-prone and creates regulatory compliance risks under SOX, GDPR, and other frameworks requiring timely access revocation.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Gusto without requiring any plan upgrades or custom integration work. Our SOC 2 Type II certified platform handles both provisioning and deprovisioning automatically, ensuring compliance with access governance requirements. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | SAML SSO with JIT provisioning. No SCIM (exploring transition to SCIM). SAML requires contacting Gusto support to activate. Schema discovery and group linking supported. |
| Microsoft Entra ID | Via third-party | ❌ | SAML SSO supported. JIT creates users on first login. No automated deprovisioning. Contact Gusto support to enable SAML. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Gusto accounts manually. Here's what that costs:
The Gusto pricing problem
Gusto gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Simple | $49/mo + $6/person | ||
| Plus | $80/mo + $12/person | ||
| Premium | $180/mo + $22/person |
Pricing and provisioning support
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Simple | $49/mo + $6/person | ||
| Plus | $80/mo + $12/person | ||
| Premium | $180/mo + $22/person |
What this means in practice
No automated deprovisioning: When employees leave, their Gusto accounts remain active until manually deactivated. This creates compliance risks for payroll and HR data access.
Manual SAML activation required: Even basic SSO setup requires contacting Gusto support for each configuration, adding friction to deployment timelines.
JIT-only creates gaps: Users are only created on first login attempt, meaning you can't pre-provision accounts or manage user attributes before they access the system.
Additional constraints
Summary of challenges
- Gusto does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Gusto actually offers for identity
SAML SSO (All plans, requires support contact)
Gusto supports SAML 2.0 integration but with manual activation requirements:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, OneLogin, generic SAML providers |
| Configuration | Contact Gusto support to activate SAML |
| JIT provisioning | Creates users on first login |
| Deprovisioning | Manual only - no automated removal |
Key limitation: While JIT provisioning creates users automatically on first login, there's no automated deprovisioning when users are removed from your IdP. Departing employees must be manually deactivated in Gusto.
Okta Integration (via OIN)
The official Okta Integration Network listing for Gusto shows:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes (requires Gusto support) |
| SCIM provisioning | ❌ No |
| Create users | ✓ Yes (JIT only) |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Gusto as an Identity Source
Gusto Plus ($80/mo + $12/person) and Premium plans include "Provisioning Apps" - the ability to push employee data FROM Gusto TO other applications like Slack and Zoom. This positions Gusto as an HR source system rather than a typical SaaS application that receives provisioning.
The provisioning gap: While Gusto can provision users to other apps, it lacks SCIM for receiving automated provisioning from your IdP. User lifecycle management remains largely manual, creating security and administrative overhead for IT teams.
What IT admins are saying
Gusto's limited provisioning capabilities create ongoing headaches for IT teams managing HR systems integration:
- Manual SAML activation required - can't self-serve SSO setup
- JIT provisioning only creates users on first login, no automated deprovisioning
- No SCIM support despite being a critical HR source system
- Manual user management required when employees leave the organization
SAML SSO requires contacting Gusto support to activate
JIT creates users on first login. No automated deprovisioning.
The recurring theme
Despite being an HR platform that should seamlessly integrate with identity systems, Gusto forces IT teams into manual processes for both setup and ongoing user lifecycle management. The lack of automated deprovisioning is particularly problematic for a payroll system handling sensitive employee data.
The decision
| Your Situation | Recommendation |
|---|---|
| Small HR team (<20 employees) with low turnover | Manual management is acceptable for now |
| Growing company (50+ employees) needing automated offboarding | Use Stitchflow: JIT creates users but can't remove them |
| Enterprise with compliance requirements for complete audit trails | Use Stitchflow: manual deprovisioning creates compliance gaps |
| Multi-location company with frequent role changes | Use Stitchflow: automated role sync prevents payroll access issues |
| HR team using Gusto as identity source for other apps | Use Stitchflow: orchestrate complete identity lifecycle across all systems |
The bottom line
Gusto handles payroll and benefits well, but its JIT-only provisioning creates a one-way street—users get created automatically but never removed. For companies that need reliable offboarding and complete identity lifecycle management, Stitchflow bridges the gap until Gusto's planned SCIM transition materializes.
Automate Gusto without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Gusto at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- JIT provisioning only, no full SCIM
- SAML requires contacting Gusto support to activate
- May act as HR source system
- Provisioning apps feature on Plus/Premium plans
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
SAML SSO with JIT provisioning. No SCIM (exploring transition to SCIM). SAML requires contacting Gusto support to activate. Schema discovery and group linking supported.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Gusto
Gusto doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
