Stitchflow
Back to directory
Ivanti logo

Ivanti SCIM guide

Connector Only

How to automate Ivanti user provisioning, and what it actually costs

Summary and recommendation

Ivanti, the IT service management platform, does not support native SCIM provisioning on any plan. Instead, Ivanti relies on SAML 2.0 and OIDC just-in-time (JIT) provisioning through attribute mapping. While this enables automatic user creation during first login, it creates significant gaps in user lifecycle management. IT teams cannot programmatically deprovision users when they leave the organization or change roles, nor can they bulk-update user attributes or group memberships through their identity provider. For an ITSM platform handling sensitive IT operations and service desk workflows, this manual provisioning approach becomes a security and compliance liability.

The JIT-only approach means deprovisioning must be handled manually within Ivanti's interface, creating delays in removing access to critical IT systems and service desk functions. This is particularly problematic for organizations with high employee turnover or frequent role changes, where delayed deprovisioning poses security risks. While Okta offers a custom connector with "schema discovery and attribute writeback," this proprietary integration lacks the standardization and reliability of SCIM protocol.

The strategic alternative

Ivanti has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0, OIDC
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaVia third-partyIvanti Neurons integration enables SSO and provisioning via Okta connector. Schema discovery and attribute writeback supported. No native SCIM.
Microsoft Entra IDVia third-partyIvanti Service Manager supports SP and IDP initiated SSO with JIT user provisioning. Entra ID connector imports users, devices, and SSO sign-in activity. Auto provisioning via OIDC available.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Ivanti accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Ivanti pricing problem

Ivanti gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Enterprise$100-$500+ per user/analyst

Pricing structure

PlanPricingSCIMSSO
Enterprise$100-$500+ per user/analyst❌ Not available✓ SAML/OIDC

Pricing notes

Quote-based enterprise pricing only
Cost varies by platform fee plus per-license (analyst/asset)
Cloud deployment costs 3-5x more than on-premises
Perpetual or subscription licensing available

What this means in practice

Without SCIM, you're stuck with attribute-based JIT provisioning that creates several operational headaches:

Manual attribute mapping required

You must configure SAML/OIDC attributes for login ID, first/last name, and email
Any role or group assignments require manual attribute configuration
Changes to user roles mean updating IdP attribute mappings

No automated deprovisioning

Users remain active in Ivanti even after being removed from your IdP
Manual cleanup required when employees leave or change roles
Compliance gaps for access reviews and auditing

Limited user lifecycle management

No bulk user creation or updates
Profile changes require manual intervention or attribute reconfiguration
Group membership changes aren't automatically synchronized

Additional constraints

IdP-specific connectors required
Okta has a custom Ivanti Neurons connector, but other IdPs rely on generic SAML/OIDC attribute mapping
No standardized provisioning API
Each integration requires custom attribute mapping and testing
Service desk impact
IT teams often need manual intervention for user access issues since automated provisioning isn't available
Audit trail gaps
Without SCIM event logging, tracking user provisioning changes requires manual documentation

Summary of challenges

  • Ivanti does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Ivanti actually offers for identity

SAML/OIDC SSO with JIT Provisioning

Ivanti doesn't support native SCIM protocol. Instead, it provides SAML 2.0 and OIDC single sign-on with just-in-time provisioning:

SettingDetails
ProtocolSAML 2.0, OIDC
Supported IdPsOkta, Entra ID, ADFS, CyberArk, SecureAuth, generic SAML
JIT provisioningUser accounts created via SAML/OIDC attributes
Required attributesLogin ID, first name, last name, email address
ConfigurationManual attribute mapping in IdP

Key limitation: No true SCIM provisioning protocol. User lifecycle management happens through SAML attributes during login, not through dedicated provisioning API calls.

Okta Integration (via OIN)

The Okta Integration Network listing for Ivanti Neurons shows:

FeatureSupported?
SAML SSO✓ Yes
SCIM provisioning❌ No
Create users✓ Via connector (not SCIM)
Update users✓ Via connector (not SCIM)
Deactivate users✓ Via connector (not SCIM)
Schema discovery✓ Yes
Attribute writeback✓ Yes

Entra ID Integration

Microsoft's documentation shows Ivanti Service Manager supports:

SP and IdP initiated SAML SSO
JIT user provisioning via SAML/OIDC attributes
OIDC auto-provisioning with Entra ID
Import of users, devices, and sign-in activity

Bottom line: Ivanti relies on IdP-specific connectors and JIT provisioning rather than standardized SCIM. This means more complex setup, IdP vendor lock-in, and limited real-time provisioning capabilities compared to true SCIM implementations.

What IT admins are saying

Community sentiment on Ivanti's provisioning reveals frustration with the lack of true SCIM automation:

  • No native SCIM protocol support - relies entirely on SAML/OIDC attribute mapping
  • Manual attribute configuration required for each IdP integration
  • JIT provisioning creates inconsistent user experiences across different access scenarios
  • Enterprise pricing barrier makes advanced SSO features cost-prohibitive for many teams

SAML SSO with auto-provisioning via attributes. Ivanti can act as IdP or SP. Required SAML attributes: login ID, first/last name, email.

Ivanti official documentation

User provisioning and de-provisioning must be configured through SAML/OIDC attribute mapping rather than automated SCIM protocol.

Microsoft Entra documentation

The recurring theme

IT teams must manually configure and maintain attribute mappings for each identity provider instead of leveraging standardized SCIM automation. This creates ongoing maintenance overhead and limits scalability for larger organizations.

The decision

Your SituationRecommendation
Small IT team (<20 users) with basic ITSM needsManual management with SAML/OIDC JIT provisioning
Mid-size IT organization (20-100 users)Use Stitchflow: JIT attribute mapping becomes unwieldy
Enterprise with multiple Ivanti modulesUse Stitchflow: automation essential for complex deployments
Organizations with frequent IT staff changesUse Stitchflow: manual attribute management creates security gaps
Multi-tenant or MSP deploymentsUse Stitchflow: automation strongly recommended for scale

The bottom line

Ivanti has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Close the Ivanti workflow gap

Ivanti is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.

Across every app in the workflow, including the ones without APIs
Built in less than a week, with roughly 2 hours from your team
You review the exceptions. Stitchflow maintains the workflow underneath
Start with the free gap diagnostic

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No native SCIM - uses SAML/OIDC auto-provisioningJIT provisioning via SAML/OIDC attributesCan act as SAML IdP or SP

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No native SCIM - uses SAML/OIDC auto-provisioning
  • JIT provisioning via SAML/OIDC attributes
  • Can act as SAML IdP or SP

Documentation not available.

Configuration for Okta

Integration type

Okta Integration Network (OIN) app

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Ivanti → Sign On

Docs

Okta integration

Ivanti Neurons integration enables SSO and provisioning via Okta connector. Schema discovery and attribute writeback supported. No native SCIM.

Use Stitchflow for automated provisioning.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Ivanti → Single sign-on

Docs

Microsoft Entra integration

Ivanti Service Manager supports SP and IDP initiated SSO with JIT user provisioning. Entra ID connector imports users, devices, and SSO sign-in activity. Auto provisioning via OIDC available.

Use Stitchflow for automated provisioning.

Close the workflow gap in
Ivanti

Ivanti has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Start with the free gap diagnostic
Admin Console
Directory
Applications
Ivanti logo
Ivanti
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

6sense logo

6sense

No SCIM

B2B Revenue Intelligence / ABM

ProvisioningNot Supported
Manual Cost$11,754/yr

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.

View full guide
ActiveCampaign logo

ActiveCampaign

No SCIM

Marketing Automation / Email

ProvisioningNot Supported
Manual Cost$11,754/yr

ActiveCampaign, the marketing automation platform, does not offer native SCIM provisioning on any plan. While the Enterprise plan ($145+/month) includes SAML 2.0 SSO with just-in-time (JIT) provisioning, this only creates user accounts on first login—there's no automated deprovisioning when employees leave or change roles. New SSO users are automatically added to a generic "SSO Users" group with configurable permissions, but IT teams have no way to programmatically manage user lifecycles or enforce granular access controls based on department or role changes. This creates a significant gap for marketing teams that need to manage access to customer data and campaign tools. When employees leave the company or change departments, their ActiveCampaign access must be manually revoked, creating compliance risks and potential data exposure. The lack of automated deprovisioning means former employees could theoretically retain access to sensitive marketing data and customer information until someone manually removes them from the platform.

View full guide
Adyen logo

Adyen

No SCIM

Payments / Fintech

ProvisioningNot Supported
Manual Cost$11,754/yr

Adyen offers SCIM 2.0 provisioning, but only through Okta's integration—there's no native SCIM endpoint. This creates a significant vendor lock-in scenario where your provisioning capabilities are entirely dependent on using Okta as your identity provider. Teams using Azure Entra, Google Workspace, or OneLogin are left with manual user management despite Adyen supporting SAML SSO with these platforms. The Okta integration itself requires maintaining a company account (not just a merchant account) and keeping at least one non-SSO admin for troubleshooting, adding operational complexity. For payment platforms handling sensitive financial data, this provisioning gap creates serious compliance risks. Your finance team, payment operations staff, and developers need timely access to process transactions and manage risk controls, but without automated provisioning, you're stuck with manual onboarding that can delay critical payment operations. The requirement to maintain non-SSO admin accounts also creates a security backdoor that compliance auditors will flag.

View full guide