Summary and recommendation
HiBob includes native SCIM support across all plans at no additional cost, with bidirectional sync capabilities for Okta, Entra ID, and other major identity providers. However, HiBob creates a unique challenge: as an HRIS platform, it's typically the authoritative source for employee data, meaning it pushes user information TO your IdP rather than receiving it. This reverses the normal provisioning flow and can create complex sync conflicts when managing users across multiple systems.
The bidirectional sync complexity becomes particularly problematic when HiBob and your IdP disagree on employee status, department changes, or termination dates. IT teams often struggle with determining which system should be the ultimate source of truth for different attributes, leading to manual intervention and potential security gaps during employee transitions.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation that handles the complex bidirectional sync logic, ensuring clean data flow between HiBob and your identity provider without manual intervention. Works with any HiBob plan and any IdP. Flat pricing under $5K/year, regardless of employee count.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages HiBob accounts manually. Here's what that costs:
The HiBob pricing problem
HiBob gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $16-25/employee/mo (custom pricing) |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | $16-25/employee/mo (custom pricing) | ✓ |
All HiBob plans include SCIM capabilities, but pricing requires sales contact and custom quoting based on company size and module requirements.
What this means in practice
The challenge isn't cost—it's architectural complexity:
Source of truth conflicts: Most organizations use HiBob as their HR system of record, meaning employee data flows FROM HiBob TO your IdP (Okta, Entra ID), not the reverse. This creates questions about which system manages what attributes.
Bidirectional sync complexity: When you need true bidirectional sync (HiBob updates IdP, IdP manages app access), you're coordinating two provisioning systems that can conflict or create data loops.
Implementation overhead: Custom pricing typically includes 10-20% implementation fees, and setup requires careful mapping of data flows, attribute ownership, and conflict resolution rules.
Additional constraints
Summary of challenges
- HiBob supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What HiBob actually offers for identity
HiBob includes SCIM provisioning on all plans, but there's a key distinction: HiBob is designed to be your HR source of truth, not just another app receiving provisioning data.
The challenge isn't feature limitations—it's architectural complexity. HiBob's SCIM works in reverse from most SaaS apps. Instead of your IdP pushing users to HiBob, HiBob pushes employee records to your IdP when someone is hired, transferred, or terminated. This creates bidirectional sync scenarios that require careful planning to avoid data conflicts and determine the authoritative source for different attributes.
Most IT teams struggle with the "source of truth" question: should employee data live in HiBob (HR-driven) or your IdP (IT-driven)? The answer determines your entire provisioning architecture.
What IT admins are saying
Community sentiment on HiBob's SCIM implementation is mixed, with most concerns centered around complexity rather than availability. Common challenges:
- Determining the correct source of truth between HiBob and the IdP
- Managing bidirectional sync without creating data conflicts
- Understanding which direction data should flow for different attributes
- Configuring sync logic when HiBob serves as the HR master
The trickiest part with HiBob is figuring out who owns what data. You don't want employee updates in your IdP overwriting HR changes in Bob, but you also need identity changes to flow back.
Bidirectional SCIM sounds great until you realize you need to map out every possible conflict scenario. What happens when someone updates a user's department in both systems?
The recurring theme
HiBob's SCIM works well technically, but the complexity of managing bidirectional sync between HR and identity systems creates operational headaches that require careful planning.
The decision
| Your Situation | Recommendation |
|---|---|
| Using HiBob as HR source, need automated sync to IdP | Use Stitchflow: simplifies bidirectional sync without custom implementation |
| Have native SCIM but struggling with sync direction/conflicts | Use Stitchflow: eliminates source-of-truth confusion with managed rules |
| Small HR team, infrequent employee changes | Native SCIM may work: you're already paying for it on all plans |
| Complex org structure, multiple sync requirements | Use Stitchflow: handles nuanced mapping without IT overhead |
| Basic setup, clear data flow requirements | Native SCIM is viable: HiBob's implementation is reasonably robust |
The bottom line
While HiBob includes SCIM on all plans, its role as an HR source system creates bidirectional sync complexity that IT teams often underestimate. Stitchflow eliminates the architectural headaches and provides managed automation for under $5K/year.
Automate HiBob without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for HiBob at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- Often acts as HR source system (pushes TO IdP)
- Can push data to Azure AD/Okta
- Bidirectional sync available
- Custom pricing requires sales contact
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM integration. Imports users from Bob to Okta, syncs departments/sites/lists as groups, handles terminations and rehires. Also available: Aquera User Mastering connector.
Native SCIM is available on Free. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Bidirectional sync with Entra ID. Can push employee data from Bob to Entra ID. Third-party solutions (Aquera, RoboMQ) also available for enhanced sync.
Native SCIM is available on Free. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
HiBob
Stop paying the SCIM Tax for HiBob. Get enterprise-grade SCIM at a fraction of the enterprise plan cost.
See how it works
