Summary and recommendation
Keap (formerly Infusionsoft), the CRM and marketing automation platform, does not support SCIM provisioning on any plan. Despite starting at $249/month annually, Keap lacks enterprise-grade identity management features entirely—no native SAML SSO and no automated user provisioning. The platform only supports OAuth authentication for API access, while Okta integration relies on Secure Web Authentication (SWA), essentially password vaulting rather than true single sign-on. This means IT teams must manually create, update, and deactivate user accounts in Keap, with no ability to sync user data or group memberships from their identity provider.
For organizations using Keap to manage customer relationships and marketing campaigns, this creates a significant operational burden. Sales and marketing teams frequently join, change roles, or leave, requiring constant manual account management. Without SCIM provisioning, there's no way to automatically grant appropriate permissions based on Active Directory groups or ensure former employees are immediately deprovisioned. The lack of true SAML SSO also means users must manage separate credentials, increasing password fatigue and security risks.
The strategic alternative
Keap has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | OAuth 2.0, SWA via Okta |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | SWA only - not true SAML. Password vaulting, no native provisioning. |
| Microsoft Entra ID | Via third-party | ❌ | No native Azure AD/Entra integration documented. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Keap accounts manually. Here's what that costs:
The Keap pricing problem
Keap gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $249/month (annual) - 1,500 contacts, 2 users | ||
| Max | $399/month - 2,500 contacts, 3 users | ||
| Ultimate | Custom pricing - 10,000+ contacts |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $249/month (annual) - 1,500 contacts, 2 users | ||
| Max | $399/month - 2,500 contacts, 3 users | ||
| Ultimate | Custom pricing - 10,000+ contacts |
Additional costs
What this means in practice
Without SAML SSO or SCIM, IT administrators must:
For a 50-user deployment, this means 50 manual account creations at onboarding and ongoing manual management for every role change or termination.
Additional constraints
Summary of challenges
- Keap does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Keap actually offers for identity
OAuth API Authentication Only
Keap provides basic OAuth 2.0 authentication for API access, but no enterprise SSO capabilities:
| Feature | Supported? |
|---|---|
| SAML SSO | ❌ No |
| OIDC SSO | ❌ No |
| SCIM provisioning | ❌ No |
| Just-in-time provisioning | ❌ No |
| OAuth API access | ✓ Yes |
The reality: Keap has no native enterprise identity features. Users report frequent OAuth re-prompts and the community has been requesting SAML 2.0 support with no timeline provided.
Okta Integration (SWA Only)
The official Okta Integration Network listing for Keap shows:
| Feature | Supported? |
|---|---|
| SAML SSO | ❌ No |
| OIDC SSO | ❌ No |
| SWA (password vaulting) | ✓ Yes |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Translation: The Okta integration only provides password vaulting (SWA), not true federated SSO or any provisioning capabilities. This means Okta stores and auto-fills passwords rather than eliminating them through federation.
No Azure AD/Entra Integration
Keap has no documented integration with Microsoft Azure AD (Entra ID), leaving Microsoft-centric organizations without any automated identity management options.
Bottom line: For a CRM/marketing platform starting at $249/month, Keap's complete lack of enterprise identity features forces IT teams into manual user management and password-based authentication across their entire sales and marketing organization.
What IT admins are saying
Community sentiment on Keap's authentication capabilities reveals significant frustration with the lack of enterprise-grade SSO options:
The community forum shows this SAML request has been active for years without resolution, with users specifically asking for "custom SAML 2.0 integrations" to move beyond basic OAuth authentication.
- No native SAML 2.0 support despite years of customer requests
- Okta integration relies on password vaulting (SWA) instead of true SSO
- OAuth connections frequently re-prompt users for access permissions
- Complete absence of automated user provisioning capabilities
Does Infusionsoft by Keap support custom SAML 2.0 integrations?
The recurring theme
IT teams are stuck with password vaulting through Okta or dealing with OAuth re-authentication prompts, while having to manually manage every user account in Keap. For a CRM that targets growing businesses, the lack of enterprise authentication feels like a significant oversight.
The decision
| Your Situation | Recommendation |
|---|---|
| Small business (<10 users) with basic needs | Manual management is acceptable |
| Growing team but budget-constrained | Manual management with password manager |
| Mid-market company (25+ users) | Use Stitchflow: no native SSO/SCIM available |
| Enterprise with compliance requirements | Use Stitchflow: essential for audit trail and security |
| Multi-department CRM usage | Use Stitchflow: automation prevents access sprawl |
The bottom line
Keap offers solid CRM functionality for SMBs but completely lacks enterprise identity management—no SAML SSO, no SCIM, just OAuth and password vaulting. For any organization that needs automated provisioning or true single sign-on, Stitchflow is the only path forward.
Make Keap workflows AI-native
Keap has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No native SAML SSO
- No SCIM provisioning
- Okta uses SWA (password vaulting)
- Community requesting SAML 2.0 support
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
SWA only - not true SAML. Password vaulting, no native provisioning.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Keap
Keap has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
