Stitchflow
Back to directory
Jenkins logo

Jenkins SCIM guide

Connector Only

How to automate Jenkins user provisioning, and what it actually costs

Summary and recommendation

Jenkins, the open-source CI/CD platform, does not support SCIM provisioning on any plan. While Jenkins offers SAML 2.0 SSO through plugins like the SAML plugin or miniOrange SAML SP, this only provides authentication with just-in-time (JIT) provisioning—meaning user accounts are created automatically on first login but there's no automated lifecycle management thereafter. For DevOps teams managing Jenkins across development, staging, and production environments, this creates a significant security gap when developers or contractors leave the organization.

The lack of SCIM support means IT teams have no automated way to deprovision users, disable accounts, or update permissions when roles change. Unlike other enterprise tools that might have admin dashboards for manual user management, Jenkins relies heavily on configuration files and role-based authorization plugins, making manual deprovisioning both time-consuming and error-prone. This is particularly problematic for Jenkins given its access to critical CI/CD pipelines, deployment keys, and production infrastructure—exactly the type of access that needs immediate revocation during offboarding.

The strategic alternative

Jenkins has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?No
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaVia third-partyNo native SCIM support. SAML 2.0 SSO with JIT provisioning via plugins (saml or miniorange-saml-sp). Users created on first login. Group attributes map to Jenkins roles.
Microsoft Entra IDVia third-partyMicrosoft Entra ID plugin for authentication/authorization. No SCIM provisioning. Uses Graph API for user/group lookup. Matrix Authorization with Entra groups supported.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Jenkins accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Jenkins pricing problem

Jenkins gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Open SourceFree
CloudBees Team$30/user/month
CloudBees EnterpriseCustom pricing

Pricing and provisioning options

PlanPriceSCIM Support
Open SourceFree❌ No native support
CloudBees Team$30/user/month❌ No native support
CloudBees EnterpriseCustom pricing❌ No native support

What this means in practice

No automated user lifecycle management: When developers leave your organization, their Jenkins accounts remain active indefinitely. You must manually track sessions and disable accounts through the Jenkins admin interface—there's no API call from your IdP that automatically deprovisions users.

Plugin dependency for basic SSO: Even basic SAML authentication requires installing and configuring third-party plugins (typically saml or miniorange-saml-sp). Your SSO integration is only as reliable as these community-maintained plugins.

JIT provisioning creates visibility gaps: New users are created automatically on first login, but you have no advance visibility into who will access Jenkins until they actually authenticate. Role assignments happen through SAML group attributes, but troubleshooting access issues requires checking both IdP group memberships and Jenkins plugin configuration.

Additional constraints

Session persistence after termination
Terminated employees with active Jenkins sessions can continue working until their session expires (typically 24 hours)
No centralized user sync
User attributes, group memberships, and role assignments are only updated during login events
Plugin maintenance overhead
SAML plugins require updates and compatibility testing with each Jenkins version upgrade
Limited audit trail
No centralized logging of provisioning events since all user creation happens through JIT during authentication

Summary of challenges

  • Jenkins does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Jenkins actually offers for identity

SAML SSO (via plugins)

Jenkins supports SAML 2.0 authentication through community-maintained plugins:

SettingDetails
ProtocolSAML 2.0
Supported IdPsOkta, Entra ID, Google Workspace, generic SAML providers
Plugin optionsSAML Plugin or miniOrange SAML SP Plugin
JIT provisioning✓ Users created on first login
Group mapping✓ SAML attributes map to Jenkins roles

Plugin dependency: You must install and configure either the SAML Plugin or miniOrange SAML SP Plugin to enable SSO. Configuration requires uploading IdP metadata and mapping SAML attributes to Jenkins roles.

What's included with SAML authentication:

Just-in-time (JIT) user creation
New users are automatically created when they first log in via SAML
Group attribute mapping
SAML group attributes can be mapped to Jenkins roles and permissions
Role-based authorization
Works with the Role-based Authorization Strategy plugin for granular permissions
Session management
Standard Jenkins session handling

What's missing (no SCIM support):

FeatureAvailable?
Automated user creation❌ JIT only
User profile updates❌ No
Automated deprovisioning❌ No
Group membership sync❌ SAML attributes only
License management❌ No

The core problem: Jenkins has no automated deprovisioning mechanism. When users leave your organization, their Jenkins accounts remain active indefinitely unless manually disabled. For DevOps teams managing CI/CD pipelines with sensitive deployment access, this creates a significant security gap.

What IT admins are saying

Jenkins's lack of native SCIM support creates ongoing provisioning headaches for IT teams managing DevOps access:

  • No automated user deprovisioning when employees leave - accounts remain active
  • SAML plugin setup required for each Jenkins instance, adding complexity to deployments
  • Manual role management outside the identity provider workflow
  • Session cleanup becomes a security concern during offboarding

SAML 2.0 via plugins. JIT provisioning creates users on first login. Group attributes map to Jenkins roles. Role-based Authorization Strategy plugin recommended.

Jenkins SAML Plugin Documentation

No native SCIM support. SAML 2.0 SSO with JIT provisioning via plugins... Users created on first login.

Okta Integration Notes

The recurring theme

While Jenkins handles login through SAML SSO, IT teams are left manually tracking active sessions and cleaning up user accounts when developers leave. The lack of automated deprovisioning turns employee offboarding into a multi-step security checklist.

The decision

Your SituationRecommendation
Small DevOps team (<10 developers)Manual user management with SAML SSO plugins
Development team with low turnoverManual management acceptable, configure role-based authorization
Large engineering organization (50+ developers)Use Stitchflow: automation essential for scale
Enterprise with security compliance requirementsUse Stitchflow: automated deprovisioning critical for audit compliance
Multi-environment Jenkins deploymentsUse Stitchflow: consistent provisioning across all instances

The bottom line

Jenkins has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Close the Jenkins workflow gap

Jenkins is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.

Across every app in the workflow, including the ones without APIs
Built in less than a week, with roughly 2 hours from your team
You review the exceptions. Stitchflow maintains the workflow underneath
Start with the free gap diagnostic

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No native SCIM supportRequires SAML plugin installationJIT provisioning via SAMLRole-based authorization via separate plugin

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No native SCIM support
  • Requires SAML plugin installation
  • JIT provisioning via SAML
  • Role-based authorization via separate plugin

Documentation not available.

Configuration for Okta

Integration type

Okta Integration Network (OIN) app

Where to enable

Okta Admin Console → Applications → Jenkins → Sign On

Docs

Okta integration

No native SCIM support. SAML 2.0 SSO with JIT provisioning via plugins (saml or miniorange-saml-sp). Users created on first login. Group attributes map to Jenkins roles.

Use Stitchflow for automated provisioning.

Close the workflow gap in
Jenkins

Jenkins has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Start with the free gap diagnostic
Admin Console
Directory
Applications
Jenkins logo
Jenkins
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Buildkite logo

Buildkite

No SCIM

CI/CD / DevOps

ProvisioningNot Supported
Manual Cost$11,754/yr

Buildkite supports SCIM provisioning through Okta and Azure AD connectors, but only on Enterprise plans with custom pricing. While Business plans ($25/user/month) include SAML SSO, they lack SCIM deprovisioning—meaning users remain active in Buildkite even after being removed from your IdP. Additionally, custom SAML providers require contacting support for a feature flag to enable SCIM functionality, creating deployment delays and support dependencies. This creates a significant security gap for engineering organizations. DevOps teams frequently change, contractors come and go, and engineers move between projects requiring different pipeline access. Without automated deprovisioning, former team members retain access to build agents, deployment pipelines, and potentially production infrastructure. JIT provisioning delays billing until first login, but manual offboarding creates compliance risks that outweigh any cost savings.

View full guide
CircleCI logo

CircleCI

No SCIM

CI/CD / DevOps

ProvisioningNot Supported
Manual Cost$11,754/yr

CircleCI, the popular CI/CD platform, does not offer native SCIM provisioning capabilities. While CircleCI supports SAML 2.0 SSO on their Scale plan ($300+/month), automated user provisioning is only available through Okta's CircleCI connector using SCIM 2.0. This creates a significant limitation: organizations using Azure Entra ID, Google Workspace, or OneLogin as their primary identity provider cannot automate CircleCI user lifecycle management, forcing IT teams to manually provision and deprovision developer accounts in a platform that handles sensitive source code and build secrets. The lack of universal SCIM support creates a compliance and security risk for DevOps teams. Manual provisioning means delayed access for new developers joining projects, and more critically, potential delays in deprovisioning when team members leave—leaving former employees with access to CI/CD pipelines, source code repositories, and build secrets. For organizations not using Okta, the choice becomes accepting manual user management overhead or switching identity providers solely to enable CircleCI automation.

View full guide
Builder.io logo

Builder.io

No SCIM

Visual CMS / Headless CMS

ProvisioningNot Supported
Manual Cost$11,754/yr

Builder.io, the visual CMS platform used by developers and content teams, does not offer SCIM provisioning on any plan. While Builder.io provides SAML 2.0 SSO integration on their Enterprise tier with identity providers like Okta, Azure AD, and Google Workspace, this only handles authentication—not the automated provisioning and deprovisioning of user accounts. IT teams must manually create and manage user accounts in Builder.io, then separately assign appropriate permissions for different Spaces and projects. This creates a significant operational gap for organizations using Builder.io across multiple content teams. Without SCIM, departing employees retain access to Builder.io Spaces until manually removed, creating security risks around content management systems that often contain sensitive marketing materials and website code. The manual overhead becomes particularly problematic when managing access across multiple Builder.io Spaces, each requiring individual permission management for developers, marketers, and content editors.

View full guide