Summary and recommendation
Hotjar, the behavior analytics platform used by UX teams and product managers, does not clearly support SCIM provisioning despite offering SAML SSO on Scale plans. While Okta's integration catalog suggests some provisioning capabilities, Hotjar's official documentation makes no mention of SCIM support, leaving IT teams in the dark about automated user lifecycle management. This creates a significant gap for organizations managing UX analytics access across product teams, designers, and analysts who need timely provisioning and deprovisioning as projects and roles change.
The absence of clear SCIM support means IT admins must manually create, update, and remove user accounts in Hotjar—a time-consuming process that becomes problematic as teams scale. With behavior analytics containing sensitive user interaction data, manual provisioning introduces compliance risks and delays that can impact product development cycles. SSO authentication alone doesn't address the operational burden of managing user lifecycles across multiple Hotjar workspaces and team permissions.
The strategic alternative
Hotjar has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | OIN integration with SSO and provisioning. Supports Group Linking, Schema Discovery, Attribute Writeback. Full SCIM capabilities unclear. |
| Microsoft Entra ID | Via third-party | ❌ | No Microsoft Entra ID provisioning documentation found. SSO may be possible via custom SAML app. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Hotjar accounts manually. Here's what that costs:
The Hotjar pricing problem
Hotjar gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Observe | Free-$213/month | ||
| Ask | Free-$159/month | ||
| Engage | Free-$550/month | ||
| Scale (any product) | Custom quote | ⚠️ Okta only, unclear scope |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Observe | Free-$213/month | ||
| Ask | Free-$159/month | ||
| Engage | Free-$550/month | ||
| Scale (any product) | Custom quote | ⚠️ Okta only, unclear scope |
What this means in practice
Manual user management is the norm: Without clear SCIM documentation, most IT teams resort to manual user creation and deactivation in Hotjar, even on expensive Scale plans.
Okta users get limited provisioning: Okta's integration claims to support provisioning with features like Group Linking and Schema Discovery, but the actual SCIM capabilities aren't documented by Hotjar. This creates uncertainty about what actually works.
Other IdPs get nothing: Teams using Microsoft Entra ID, Google Workspace, or OneLogin have no provisioning options beyond manual processes.
Additional constraints
Summary of challenges
- Hotjar does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Hotjar actually offers for identity
SAML SSO (Scale plans)
Hotjar provides SAML 2.0 single sign-on on their Scale tier across all three products (Observe, Ask, Engage):
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, CyberArk, generic SAML providers |
| Configuration | Account Owner must configure via settings |
| Initiation | Both SP-initiated and IdP-initiated |
| JIT provisioning | Not supported |
Key limitation: Only Account Owners can configure SSO, and there's no just-in-time provisioning. Users must be manually added to Hotjar before they can authenticate.
Okta Integration (partial provisioning)
The Okta Integration Network listing shows some provisioning capabilities:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| Create users | ✓ Yes (via Okta provisioning) |
| Update users | ✓ Yes |
| Deactivate users | ✓ Yes |
| Group push | ✓ Yes (Group Linking) |
| Schema Discovery | ✓ Yes |
| Attribute Writeback | ✓ Yes |
The catch: Hotjar's own documentation doesn't mention SCIM or automated provisioning. The Okta integration appears to provide basic user lifecycle management, but it's unclear if this works reliably across all Hotjar products or requires manual intervention.
What's missing
For UX and product teams using multiple identity providers or requiring reliable automated provisioning, Hotjar's current offerings create operational gaps.
What IT admins are saying
Hotjar's unclear provisioning capabilities leave IT teams guessing about automation options:
- SSO requires Scale plan pricing, but SCIM provisioning documentation is virtually non-existent
- Okta integration claims provisioning support, but Hotjar's own help docs don't mention automated user management
- Account Owners must manually configure SSO, creating dependency bottlenecks for IT teams
- No clear path for automated deprovisioning when UX team members leave
Account Owner must configure SSO
The recurring theme
Hotjar treats provisioning as an afterthought. While they've built SAML SSO for Scale customers, the lack of clear SCIM documentation means IT teams can't confidently plan for automated user lifecycle management across their behavior analytics tools.
The decision
| Your Situation | Recommendation |
|---|---|
| Small UX team (<10 users) on Observe plan | Manual management is acceptable |
| Design team using Scale plan with stable membership | Use Okta provisioning if available, manual otherwise |
| Product organization (25+ users) across multiple Hotjar products | Use Stitchflow: automation essential for cross-product management |
| Enterprise with compliance requirements | Use Stitchflow: automation essential for audit trail |
| Growing company switching between Hotjar products | Use Stitchflow: automation handles product transitions seamlessly |
The bottom line
Hotjar has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.
Close the Hotjar workflow gap
Hotjar is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Account Owner must configure SSO
- SCIM provisioning status unclear from public docs
- Okta integration may support provisioning
- SSO only on Scale plans
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
OIN integration with SSO and provisioning. Supports Group Linking, Schema Discovery, Attribute Writeback. Full SCIM capabilities unclear.
Use Stitchflow for automated provisioning.
Close the workflow gap in
Hotjar
Hotjar has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.
Start with the free gap diagnostic
