Summary and recommendation
Jack Henry supports SCIM 2.0 provisioning, but only for Enterprise customers through a complex setup requiring SAML SSO, SSL certificates from a Certificate Authority, and administrative access to both your IdP and Jack Henry's partner portal. The integration is primarily optimized for Okta, with limited support for other identity providers like Microsoft Entra. Jack Henry's Enterprise pricing is custom-only, meaning you'll need to negotiate directly with their sales team to access SCIM functionality.
The real-world challenge is that Jack Henry serves community banks and credit unions where IT teams often manage multiple banking platforms (SilverLake, CIF 20/20, Core Director) with limited resources. The Enterprise tier requirement creates a significant barrier for smaller institutions that need automated provisioning for compliance and security but can't justify the enterprise licensing costs. Manual user management across banking systems creates audit risks and operational overhead that smaller IT teams can't sustain.
The strategic alternative
Jack Henry gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Jack Henry accounts manually. Here's what that costs:
The Jack Henry pricing problem
Jack Henry gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Contact for pricing | ||
| Professional | Contact for pricing | ||
| Enterprise | Custom pricing only |
Note: Jack Henry operates on custom enterprise pricing models rather than published per-user rates, making cost planning difficult for IT teams.
What this means in practice
No transparent pricing: Unlike SaaS applications with published rates, Jack Henry requires custom quotes for Enterprise access. This creates several practical challenges:
Banking compliance overhead: Even with SCIM access, Jack Henry integrations require extensive setup including SSL certificates from Certificate Authorities and administrative access to both IdP and Jack Henry partner portals.
Additional constraints
Summary of challenges
- Jack Henry supports SCIM but only at Enterprise tier (Custom (enterprise only))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Jack Henry doesn't sell SCIM standalone. It's exclusively available with their Enterprise tier at custom pricing:
The challenge? Jack Henry's Enterprise tier is designed for large financial institutions with complex needs. If you're a smaller organization that just needs automated user provisioning, you're paying enterprise prices for a feature set that includes extensive banking-specific tools, compliance frameworks, and support structures you likely won't use.
Stitchflow Insight
We estimate ~80% of Jack Henry's Enterprise features are irrelevant for teams that only need SCIM provisioning for basic user lifecycle management.
What IT admins are saying
Community sentiment on Jack Henry's SCIM implementation reveals significant deployment challenges. Common complaints:
- Complex setup requiring administrative access to both IdP and Jack Henry systems
- SAML prerequisite creates additional configuration overhead
- SSL certificate requirements from Certificate Authority add cost and complexity
- Limited to specific Jack Henry platforms (SilverLake, CIF 20/20, Core Director)
Getting Jack Henry SCIM working isn't just about the integration - you need SSL certs, SAML configured on both sides, and access to their partners portal. It's a multi-week project.
The documentation assumes you have enterprise-level access to everything. For smaller credit unions, the administrative overhead is significant.
The recurring theme
Jack Henry's SCIM works but requires extensive technical prerequisites and administrative coordination across multiple systems, making deployment complex even for experienced IT teams.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise tier, need SCIM | Use Stitchflow: avoid custom Enterprise pricing and complex setup |
| Using non-Okta IdP (Entra, Google Workspace) | Use Stitchflow: Jack Henry's SCIM primarily works through Okta |
| Don't have SAML infrastructure in place | Use Stitchflow: bypass SSL certificate and SAML requirements |
| Already on Enterprise with Okta | Use native SCIM: you're paying for the tier and have the infrastructure |
| Small bank with minimal IT changes | Manual may work: but consider automation as you grow |
The bottom line
Jack Henry gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Jack Henry workflow gap
Jack Henry gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SAML required for SSO - IdP and Jack Henry systems must have SAML enabled
- Requires administrative access to both IdP and Jack Henry systems
- SSL certificate from Certificate Authority required
- Setup requires access to Jack Henry partners portal
- Supports SilverLake, CIF 20/20, and Core Director platforms
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Okta OIN has Jack Henry & Associates (IPAY) and Client Portal integrations with SSO and provisioning capabilities
Jack Henry gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Jack Henry
Jack Henry gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
