Summary and recommendation
JFrog offers native SCIM 2.0 provisioning that integrates with Okta, Entra ID, and other identity providers. However, SCIM functionality is locked behind the Enterprise X plan at $950/month for SaaS or $48K/year for self-managed deployments. This creates a significant cost barrier: teams on Pro plans ($150/month SaaS) face a 6.3x price increase just to unlock automated user provisioning. Additionally, JFrog's SCIM has a notable technical limitation - it cannot provision users with uppercase letters in their usernames, requiring manual workarounds.
For DevOps teams managing artifact repositories and CI/CD pipelines, manual user management creates operational friction and security gaps. When developers join projects or change teams, IT must manually provision JFrog access, creating delays in onboarding and potential security risks when offboarding. SSO alone doesn't solve this - it handles authentication but not the account creation and permission management that SCIM provides.
The strategic alternative
JFrog gates SCIM behind Enterprise X. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages JFrog accounts manually. Here's what that costs:
The JFrog pricing problem
JFrog gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $150/mo (SaaS) / $27K/year (self-managed) | ||
| Enterprise X | $950/mo (SaaS) / $48K/year (self-managed) |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Pro | $150/mo (SaaS) / $27K/year (self-managed) | ❌ |
| Enterprise X | $950/mo (SaaS) / $48K/year (self-managed) | ✓ |
Note: SCIM and SAML SSO are bundled together in Enterprise X and Enterprise+ tiers only.
What this means in practice
Using current list prices (Pro → Enterprise X for SCIM access):
| Deployment | Annual Upgrade Cost |
|---|---|
| SaaS | +$9,600/year |
| Self-managed | +$21,000/year |
This represents a 533% price increase for SaaS deployments and 78% increase for self-managed just to unlock SCIM provisioning.
Additional constraints
Summary of challenges
- JFrog supports SCIM but only at Enterprise tier ($950/mo (Enterprise X SaaS) / $48K/year (self-managed))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
JFrog doesn't sell SCIM standalone. It's locked behind Enterprise X, bundled with advanced platform features:
The jump from Pro ($150/mo) to Enterprise X ($950/mo) is significant—you're paying 6x more primarily for enterprise-grade infrastructure features. If you just need automated user provisioning for your artifact repository, roughly 80% of Enterprise X capabilities are overkill for most development teams.
Note: JFrog has a known SCIM limitation where usernames containing uppercase letters fail to provision correctly—a basic functionality gap that shouldn't exist at enterprise pricing tiers.
What IT admins are saying
Community sentiment on JFrog's SCIM implementation reveals mixed experiences with significant frustrations around pricing and technical limitations. Common complaints:
- Being locked into Enterprise X tier ($950/mo) just for SCIM provisioning
- Technical bugs like uppercase username provisioning failures
- Complex OAuth2 token requirements for SCIM endpoint access
- Self-hosted vs SaaS feature parity confusion
We're paying almost $1K/month just to get automated user provisioning working. For a DevOps tool, this feels excessive when competitors offer SCIM at much lower tiers.
Hit the uppercase username bug twice now. SCIM just silently fails to provision users if their username has caps. Had to manually create accounts and troubleshoot for hours.
The recurring theme
JFrog gates essential identity automation behind expensive enterprise pricing while delivering a SCIM implementation with known technical limitations that create operational headaches.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro plan, need SCIM | Use Stitchflow: avoid the $800/mo jump to Enterprise X |
| Self-hosted, can't justify $21K/year increase | Use Stitchflow: get provisioning without the enterprise tier |
| Already on Enterprise X or Enterprise+ | Use native SCIM: you're paying for it |
| Need enterprise features beyond SCIM | Evaluate Enterprise X: SCIM comes bundled with advanced security |
| Small dev team, minimal user changes | Manual may work: but watch for the uppercase username bug |
The bottom line
JFrog gates SCIM behind Enterprise X. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the JFrog workflow gap
JFrog gates SCIM behind Enterprise X, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM/SAML requires Enterprise X or Enterprise+ plan
- Known issue: SCIM does not provision users with uppercase letters in username
- SCIM endpoint requires OAuth2 access token
- Terraform SCIM module available for self-hosted only
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Artifactory OIN app supports Group Linking, Schema Discovery, and Attribute Writeback. Full SCIM provisioning with Okta documented.
JFrog gates SCIM behind Enterprise X. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Azure AD SCIM configuration documented. Supports user and group provisioning.
JFrog gates SCIM behind Enterprise X. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
JFrog
JFrog gates SCIM behind Enterprise X plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
