Summary and recommendation
Harness supports SCIM 2.0 for automated user and group provisioning, but only on Enterprise plans with custom pricing. While SCIM handles creating, updating, and deactivating users from your IdP, it doesn't provision role bindings or permissions—those must be configured separately within Harness after users are synced. This creates a significant gap in true automated provisioning for DevOps teams.
The result is a two-step provisioning process: SCIM syncs the user accounts, but administrators still need to manually assign roles, project access, and pipeline permissions within Harness. For organizations with multiple clusters or complex role hierarchies, this manual overhead defeats much of the automation benefit. SSO with JIT provisioning is available but provides even less control over user lifecycle management.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Harness that handles both user sync and role assignment workflows. Works with any Harness plan and any IdP. Flat pricing under $5K/year with 24/7 human-in-the-loop support to manage the complex permission mappings that native SCIM leaves behind.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Harness accounts manually. Here's what that costs:
The Harness pricing problem
Harness gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (2,000 cloud credits/mo) | | |
| Team | Contact for pricing (up to 100 services) | | |
| Enterprise | Custom pricing (annual subscription) | | |
What this means in practice
Harness follows the "contact sales" model for Enterprise pricing, making cost evaluation difficult. Based on industry standards for DevOps platforms:
The modular pricing approach means you pay only for needed modules, but SCIM access still requires Enterprise-level commitment across all modules you use.
Additional constraints
Summary of challenges
- Harness supports SCIM, but only at the Enterprise tier (custom pricing, annual subscription, all modules available)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Harness doesn't sell SCIM separately. It's bundled with Enterprise features across their modular platform:
The catch: SCIM only handles user/group sync. Role bindings and permissions must be configured separately in Harness after provisioning. You're also locked into cluster-specific SCIM URLs and API key management.
Stitchflow Insight
If you need enterprise DevOps governance anyway, the upgrade delivers value. If you just want automated user provisioning, you're paying for enterprise features most teams don't need. We estimate ~60% of Enterprise capabilities are overkill for organizations that only want basic identity automation.
What IT admins are saying
Community sentiment on Harness's SCIM implementation is mixed, with admins appreciating the functionality but frustrated by the operational complexity. Common complaints:
- SCIM doesn't handle role bindings, requiring manual permission management after provisioning
- Cluster-specific SCIM URLs create configuration overhead for multi-environment setups
- Enterprise tier requirement locks out smaller DevOps teams from automated provisioning
- Split workflow between identity sync and role assignment increases administrative burden
SCIM provisioning works well for getting users into Harness, but then you're back to manual work assigning roles and permissions. It's only half the automation story.
Having to configure separate SCIM endpoints for each cluster is a pain when you're managing multiple environments. Wish it was more centralized.
The recurring theme
While Harness offers solid SCIM functionality, the separation between user provisioning and role management creates a two-step process that undermines the efficiency gains teams expect from automation.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise tier | Use Stitchflow: avoid the Enterprise upgrade just for SCIM |
| On Enterprise but need role automation | Use Stitchflow: automate role bindings that native SCIM can't handle |
| Already on Enterprise with simple role needs | Use native SCIM: you're paying for it already |
| Managing multiple Harness clusters | Use Stitchflow: avoid configuring cluster-specific SCIM URLs |
| Small DevOps team with stable membership | Manual may work: but watch for permission gaps as you scale |
The bottom line
Harness locks SCIM behind Enterprise tier pricing and doesn't automate role bindings—leaving you with half-solved provisioning. Stitchflow provides complete automation including role assignments at flat pricing that works with any Harness plan.
Automate Harness without the tier upgrade
Stitchflow delivers SCIM-level provisioning for Harness through resilient browser automation, backed by 24/7 human-in-the-loop support, at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM does not handle role bindings
- Permissions managed separately in Harness
- API key with user/group permissions required
- Cluster-specific SCIM URL required
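Because SCIM syncs users and groups but not role bindings, the two data sets can drift apart. The following added example (not Harness or Stitchflow code) compares a SCIM 2.0 ListResponse with a role-binding export and reports the gaps; the export format, the role and scope names, and all sample users are constructed assumptions.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) as synced from an IdP.
# All users and ids are invented for illustration.
SCIM_USERS = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3,
 "Resources": [
  {"id": "u1", "userName": "ana@example.com", "active": true},
  {"id": "u2", "userName": "raj@example.com", "active": true},
  {"id": "u3", "userName": "lee@example.com", "active": false}
 ]}
""")

# Hypothetical role-binding export (the format is an assumption, not the
# Harness API): one row per principal, role and scope.
ROLE_BINDINGS = [
    {"principal": "ana@example.com", "role": "pipeline_executor", "scope": "project/payments"},
    {"principal": "lee@example.com", "role": "account_admin", "scope": "account"},
    {"principal": "old-svc@example.com", "role": "project_admin", "scope": "project/payments"},
]


def audit(scim_list, bindings):
    """Compare SCIM-synced users with role bindings and return the gaps."""
    # Assumption: a user record without an "active" attribute counts as active.
    users = {u["userName"].lower(): u.get("active", True)
             for u in scim_list.get("Resources", [])}
    bound = {}
    for b in bindings:
        bound.setdefault(b["principal"].lower(), []).append((b["role"], b["scope"]))
    return {
        # Synced and active, but no role assigned yet (the manual second step).
        "active_without_role": sorted(n for n, a in users.items() if a and n not in bound),
        # Deactivated through SCIM, but role bindings still exist.
        "inactive_with_role": sorted(n for n, a in users.items() if not a and n in bound),
        # Bindings held by principals the IdP never synced.
        "unknown_principal": sorted(n for n in bound if n not in users),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SCIM_USERS, ROLE_BINDINGS), indent=2))
```

Running the comparison after each provisioning cycle surfaces both halves of the split workflow: users waiting on manual role assignment and bindings that outlived a deactivation.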
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 provisioning for users and groups. Cluster-specific SCIM URL required. SCIM does not handle role bindings - permissions managed separately in Harness.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 provisioning. Requires API key with user/group permissions. Role bindings managed separately in Harness after provisioning.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.