Summary and recommendation
JetBrains supports SCIM 2.0 through its Hub identity management platform, which handles user provisioning across the entire JetBrains ecosystem (IntelliJ IDEA, PyCharm, WebStorm, YouTrack, etc.). However, the implementation has several problematic quirks that create headaches for IT teams: Okta integration requires a workaround due to URL loop issues, SCIM doesn't work with OIDC authentication (forcing you to set up separate SAML apps just for provisioning), and there's risk of unwanted license allocation when users are automatically provisioned.
These technical complications mean what should be straightforward automated provisioning becomes a multi-step configuration challenge. You're dealing with separate authentication and provisioning workflows, managing multiple JetBrains products with different configurations, and navigating integration-specific workarounds that increase your risk of misconfiguration. Add in JetBrains' upcoming price increases (up to 30% starting October 2025) and discontinued continuity discounts, and you're looking at both higher complexity and higher costs.
The strategic alternative
Jet Brains gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Jet Brains accounts manually. Here's what that costs:
The Jet Brains pricing problem
Jet Brains gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| JetBrains Hub | ✓ Full SCIM 2.0 | ||
| Individual IDEs | ❌ | ||
| YouTrack | ✓ Full SCIM 2.0 | ||
| TeamCity/Space | Via Hub | Via Hub |
SCIM Access Structure
| Component | SCIM Support | Notes |
|---|---|---|
| JetBrains Hub | ✓ Full SCIM 2.0 | Central identity management |
| Individual IDEs | ❌ | Managed through Hub |
| YouTrack | ✓ Full SCIM 2.0 | Separate configuration |
| TeamCity/Space | Via Hub | Depends on Hub setup |
Hub acts as the central identity provider for the JetBrains ecosystem, but this creates a dependency chain that complicates provisioning workflows.
What this means in practice
Multi-product complexity: IT teams must configure and maintain SCIM connections for each JetBrains product separately, even though they're part of the same ecosystem. Hub manages IDE access, but YouTrack requires its own SCIM setup.
License allocation risks: SCIM provisioning can automatically allocate expensive IDE licenses when users are created, potentially burning through license budgets without approval workflows.
IdP-specific workarounds: Different identity providers require different approaches—Okta users must work around URL loop issues, while OIDC setups require creating separate SAML applications just for provisioning.
Additional constraints
Summary of challenges
- Jet Brains supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
JetBrains doesn't sell SCIM as a standalone feature. It comes bundled with JetBrains Hub, which serves as the identity management layer for their entire product suite:
The challenge: JetBrains Hub pricing isn't transparently published, and it often gets bundled with team tool packages. You're essentially paying for a comprehensive identity platform when you might just need basic user provisioning. Additionally, the October 2025 price increases (up to 30%) across JetBrains subscriptions will make this bundle even more expensive.
For organizations that only need automated user lifecycle management for their development tools, roughly 60% of Hub's identity and collaboration features will go unused.
What IT admins are saying
Community sentiment on JetBrains's SCIM implementation is mixed, with praise for functionality but frustration over complexity. Common complaints:
- Okta integration requires non-intuitive workarounds due to URL loop issues
- Risk of accidentally allocating expensive licenses during user provisioning
- SCIM doesn't work with OIDC - requires separate SAML app configuration
- Managing multiple JetBrains products (Hub, YouTrack, IDEs) with different configs
The Okta setup is more complex than it should be - you have to work around the URL loop which isn't documented well.
Be careful with SCIM provisioning - it can automatically assign licenses and you'll get hit with unexpected costs if you're not monitoring it closely.
The recurring theme
JetBrains offers solid SCIM functionality, but the implementation complexity and license allocation risks make it challenging for IT teams to deploy confidently.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but concerned about license costs | Use Stitchflow: avoid JetBrains' complex licensing per IDE |
| Using Okta and want simple setup | Use Stitchflow: skip the URL loop workarounds and SAML complications |
| Already have JetBrains Hub deployed | Use native SCIM: you have the infrastructure in place |
| Multiple JetBrains products to manage | Evaluate Stitchflow: centralized provisioning across all tools |
| Small dev team with low turnover | Manual may work: but prepare for 30% price increases in Oct 2025 |
The bottom line
Jet Brains gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Jet Brains workflow gap
Jet Brains gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Okta setup requires workaround due to URL loop
- License allocation concerns when provisioning
- SCIM endpoint URL must be stored in IdP settings
- SCIM provisioning not supported with OIDC - requires SAML workaround
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM 2.0 supported but requires SAML app for provisioning (OIDC doesn't support SCIM in Okta). Permanent token authentication. Watch for license allocation when provisioning users.
Jet Brains gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft Entra ID supported as OAuth2/OIDC provider. SCIM provisioning available - recommend mapping userName to mailNickname instead of userPrincipalName. Use Provision on demand to test before full sync.
Jet Brains gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Jet Brains
Jet Brains gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
