Summary and recommendation
Ironclad offers comprehensive SCIM support for user provisioning, but only on Enterprise plans that start at $60,000+/year for small teams. While the SCIM implementation itself is robust—supporting user creation, updates, deactivation, and group provisioning across major IdPs—there are operational constraints that create friction for IT teams. SAML SSO must be configured before SCIM can be enabled, and critically, group permissions still require manual configuration within Ironclad after users are provisioned via SCIM.
For contract management platforms handling sensitive legal documents, this creates a compliance gap. IT teams can automate user creation but can't automate role assignments, meaning newly provisioned users may have incorrect access permissions until someone manually adjusts their groups in Ironclad. The single SAML configuration requirement also limits deployment flexibility for organizations with complex identity architectures.
The strategic alternative
Ironclad gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Ironclad accounts manually. Here's what that costs:
The Ironclad pricing problem
Ironclad gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $500+/month (~$25K-75K+/year) | ||
| Enterprise | Custom quotes ($60K-150K+/year) |
Note: Ironclad uses quote-based pricing with no public tiers. Enterprise includes full SCIM with user provisioning, attribute updates, deactivation, and group sync across Okta, Entra ID, OneLogin, and JumpCloud.
What this means in practice
Enterprise pricing estimates based on typical contract management deployments:
| Team Size | Estimated Enterprise Cost | vs. Standard Uplift |
|---|---|---|
| 50 users | $60,000+/year | +$35,000+/year |
| 100 users | $85,000+/year | +$35,000+/year |
| 200+ users | $150,000+/year | +$75,000+/year |
These estimates reflect seat-based pricing with potential usage charges for AI features, e-signature integrations, and workflow expansions.
Additional constraints
Summary of challenges
- Ironclad supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Ironclad doesn't sell SCIM separately. It's bundled with Enterprise-level contract management features:
The catch: group permissions still require manual configuration in Ironclad after SCIM pushes users. You get automated user lifecycle management, but role assignments happen separately.
Stitchflow Insight
If you need enterprise contract management capabilities anyway, the upgrade delivers comprehensive identity features. If you just want automated provisioning for a smaller legal team, you're paying $60,000+ annually for contract workflow features you may never use. We estimate ~60% of Enterprise features are overkill for teams focused purely on user management automation.
What IT admins are saying
Community sentiment on Ironclad's SCIM implementation is mixed, with admins appreciating the functionality but frustrated by complexity and prerequisites. Common complaints:
- SAML must be configured before SCIM can be enabled
- Group permissions still require manual configuration after SCIM provisioning
- Single SAML configuration requirement limits multi-tenant flexibility
- Enterprise tier requirement adds significant cost barrier for smaller legal teams
The documentation is clear but the SAML prerequisite is annoying - we had to coordinate SSO rollout just to get automated user provisioning working.
Group mappings work but you still have to manually set permissions in Ironclad after users are provisioned. It's only half automated.
The recurring theme
While Ironclad offers full SCIM support with major IdPs, the SAML dependency and manual permission management create operational friction that reduces the automation benefits.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise, need SCIM | Use Stitchflow: avoid the $60K+/year Enterprise upgrade |
| Already on Enterprise with SCIM included | Use native SCIM: you're paying for it |
| Need other Enterprise features beyond SCIM | Evaluate Enterprise upgrade: SCIM comes bundled |
| Small legal team, infrequent user changes | Manual provisioning may work: but watch for security gaps |
| Complex group permissions requirements | Consider Stitchflow: eliminates post-SCIM manual configuration |
The bottom line
Ironclad gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Ironclad workflow gap
Ironclad gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SAML must be configured before SCIM
- Group permissions managed in Ironclad after SCIM push
- No suspended/deactivated user state - users are soft-deleted
- Only works with single SAML configuration
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support. SAML SSO required before SCIM. Base URL: https://ironcladapp.com/scim/v2 (or eu1.ironcladapp.com for EU). Users deactivated in Okta are soft-deleted. Single SAML config required.
Ironclad gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM support with Microsoft Entra ID. Provisioning cycle ~45 minutes. Custom attributes supported. Group permissions managed in Ironclad after SCIM push.
Ironclad gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Ironclad
Ironclad gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
