Summary and recommendation
Hotjar, the behavior analytics platform used by UX teams and product managers, does not clearly support SCIM provisioning despite offering SAML SSO on Scale plans. While Okta's integration catalog suggests some provisioning capabilities, Hotjar's official documentation makes no mention of SCIM support, leaving IT teams in the dark about automated user lifecycle management. This creates a significant gap for organizations managing UX analytics access across product teams, designers, and analysts who need timely provisioning and deprovisioning as projects and roles change.
The absence of clear SCIM support means IT admins must manually create, update, and remove user accounts in Hotjar—a time-consuming process that becomes problematic as teams scale. With behavior analytics containing sensitive user interaction data, manual provisioning introduces compliance risks and delays that can impact product development cycles. SSO authentication alone doesn't address the operational burden of managing user lifecycles across multiple Hotjar workspaces and team permissions.
The strategic alternative
Hotjar has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | OIN integration with SSO and provisioning. Supports Group Linking, Schema Discovery, Attribute Writeback. Full SCIM capabilities unclear. |
| Microsoft Entra ID | Via third-party | ❌ | No Microsoft Entra ID provisioning documentation found. SSO may be possible via custom SAML app. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Hotjar accounts manually. Here's what that costs:
The Hotjar pricing problem
Hotjar gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Observe | Free-$213/month | ||
| Ask | Free-$159/month | ||
| Engage | Free-$550/month | ||
| Scale (any product) | Custom quote | ⚠️ Okta only, unclear scope |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Observe | Free-$213/month | ||
| Ask | Free-$159/month | ||
| Engage | Free-$550/month | ||
| Scale (any product) | Custom quote | ⚠️ Okta only, unclear scope |
What this means in practice
Manual user management is the norm: Without clear SCIM documentation, most IT teams resort to manual user creation and deactivation in Hotjar, even on expensive Scale plans.
Okta users get limited provisioning: Okta's integration claims to support provisioning with features like Group Linking and Schema Discovery, but the actual SCIM capabilities aren't documented by Hotjar. This creates uncertainty about what actually works.
Other IdPs get nothing: Teams using Microsoft Entra ID, Google Workspace, or OneLogin have no provisioning options beyond manual processes.
Additional constraints
Summary of challenges
- Hotjar does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Hotjar actually offers for identity
SAML SSO (Scale plans)
Hotjar provides SAML 2.0 single sign-on on their Scale tier across all three products (Observe, Ask, Engage):
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, CyberArk, generic SAML providers |
| Configuration | Account Owner must configure via settings |
| Initiation | Both SP-initiated and IdP-initiated |
| JIT provisioning | Not supported |
Key limitation: Only Account Owners can configure SSO, and there's no just-in-time provisioning. Users must be manually added to Hotjar before they can authenticate.
Okta Integration (partial provisioning)
The Okta Integration Network listing shows some provisioning capabilities:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| Create users | ✓ Yes (via Okta provisioning) |
| Update users | ✓ Yes |
| Deactivate users | ✓ Yes |
| Group push | ✓ Yes (Group Linking) |
| Schema Discovery | ✓ Yes |
| Attribute Writeback | ✓ Yes |
The catch: Hotjar's own documentation doesn't mention SCIM or automated provisioning. The Okta integration appears to provide basic user lifecycle management, but it's unclear if this works reliably across all Hotjar products or requires manual intervention.
What's missing
For UX and product teams using multiple identity providers or requiring reliable automated provisioning, Hotjar's current offerings create operational gaps.
What IT admins are saying
Hotjar's unclear provisioning capabilities leave IT teams guessing about automation options:
- SSO requires Scale plan pricing, but SCIM provisioning documentation is virtually non-existent
- Okta integration claims provisioning support, but Hotjar's own help docs don't mention automated user management
- Account Owners must manually configure SSO, creating dependency bottlenecks for IT teams
- No clear path for automated deprovisioning when UX team members leave
Account Owner must configure SSO
The recurring theme
Hotjar treats provisioning as an afterthought. While they've built SAML SSO for Scale customers, the lack of clear SCIM documentation means IT teams can't confidently plan for automated user lifecycle management across their behavior analytics tools.
The decision
| Your Situation | Recommendation |
|---|---|
| Small UX team (<10 users) on Observe plan | Manual management is acceptable |
| Design team using Scale plan with stable membership | Use Okta provisioning if available, manual otherwise |
| Product organization (25+ users) across multiple Hotjar products | Use Stitchflow: automation essential for cross-product management |
| Enterprise with compliance requirements | Use Stitchflow: automation essential for audit trail |
| Growing company switching between Hotjar products | Use Stitchflow: automation handles product transitions seamlessly |
The bottom line
Hotjar offers behavior analytics insights but leaves user management in the dark ages. While Okta users may have some provisioning options, the documentation is unclear and limited to specific IdPs. For product teams that need reliable provisioning automation across Hotjar's three-product suite, Stitchflow eliminates the guesswork.
Make Hotjar workflows AI-native
Hotjar has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Account Owner must configure SSO
- SCIM provisioning status unclear from public docs
- Okta integration may support provisioning
- SSO only on Scale plans
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
OIN integration with SSO and provisioning. Supports Group Linking, Schema Discovery, Attribute Writeback. Full SCIM capabilities unclear.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Hotjar
Hotjar has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
