Summary and recommendation
Keeper Security supports full SCIM 2.0 provisioning, but only on Enterprise plans with custom pricing (typically ~$60/user/year for 100+ users). Teams on Business plans ($3.75/user/month) get SSO but no automated provisioning - meaning IT admins must manually invite, assign teams, and manage vault access for every user. When employees leave, deprovisioning only locks their vault rather than deleting the account, creating ongoing security visibility gaps.
This creates a significant gap for password management governance. SSO alone doesn't solve the provisioning problem - you still need manual processes for onboarding, role assignments, and vault permissions. For security-critical applications like password managers, manual user lifecycle management introduces compliance risks and delays that undermine the zero-trust model most organizations are trying to achieve.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Keeper without requiring Enterprise tier upgrades. Works with Business plans and any identity provider. Flat pricing under $5K/year with SOC 2 Type II certification and 24/7 human-in-the-loop support.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Keeper accounts manually. Here's what that costs:
The Keeper pricing problem
Keeper gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Business Starter | $2/user/mo | ||
| Business | $3.75/user/mo | ||
| Enterprise | Custom (~$5/user/mo) |
Note: Enterprise pricing is quoted individually but typically runs around $60/user/year for 100+ user deployments. Full SCIM 2.0 support includes user creation, attribute updates, deactivation, and team provisioning across all major IdPs.
What this means in practice
Using typical Enterprise pricing compared to Business tier:
| Team Size | Annual Upgrade Cost | Business Total | Enterprise Total |
|---|---|---|---|
| 50 users | +$6,750/year | $2,250/year | $9,000/year |
| 100 users | +$13,500/year | $4,500/year | $18,000/year |
| 200 users | +$27,000/year | $9,000/year | $36,000/year |
Calculation: ($5 - $3.75) × users × 12 months for upgrade cost
Additional constraints
Summary of challenges
- Keeper supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Keeper doesn't sell SCIM à la carte. It's bundled with Enterprise features that most teams won't use:
Stitchflow Insight
The challenge? Enterprise pricing starts around $60/user/year for 100+ users, but most organizations just need the password manager with automated provisioning. You're forced to buy advanced security features, PAM modules, and enterprise support you likely don't need. We estimate ~60% of Enterprise features are irrelevant for teams that just want SCIM automation with their existing password management workflows.
What IT admins are saying
Community sentiment on Keeper's SCIM implementation is mixed but generally positive. While the Enterprise tier requirement creates some friction, most admins appreciate the robust zero-knowledge architecture. Common observations:
- Enterprise pricing can be steep for smaller teams (100+ users typically needed for reasonable rates)
- Zero-knowledge architecture adds complexity but provides superior security
- User deletion not supported - deactivation locks vaults instead
- Keeper SSO Connect requirement adds another moving part to manage
The zero-knowledge approach means you can't just delete users like other apps - when you deprovision someone, their vault gets locked but the data stays encrypted. It's secure but different from what most IT teams expect.
Keeper's SCIM works well once you understand the architecture. The Enterprise requirement is annoying for mid-size companies, but the security model is solid.
The recurring theme
Keeper's security-first approach creates some provisioning quirks, but most IT teams accept the tradeoffs once they understand the zero-knowledge benefits.
The decision
| Your Situation | Recommendation |
|---|---|
| On Business plan, need SCIM | Use Stitchflow: avoid the Enterprise upgrade and custom pricing |
| On any plan but need zero-knowledge SSO | Upgrade to Enterprise: SCIM comes with Keeper SSO Connect |
| Already on Enterprise with SCIM | Use native SCIM: you're paying for it and it's fully featured |
| Need advanced PAM features beyond passwords | Evaluate Enterprise: KeeperPAM and SCIM come bundled |
| Small team with basic password management needs | Manual may work: but monitor vault access for departed users |
The bottom line
Keeper's Enterprise-only SCIM means custom pricing for provisioning automation. For teams on Business plans that need SCIM without the Enterprise feature overhead, Stitchflow delivers managed provisioning at predictable pricing while Keeper handles the password security.
Automate Keeper without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Keeper at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- User delete not supported - disable locks vault
- Zero-knowledge architecture affects provisioning
- Keeper SSO Connect required for SSO
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0. One-click provisioning/deprovisioning. Users in pending state until invite accepted. Ranked #1 fastest growing app in EMEA by Okta.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 with Azure AD/Entra. Supports both commercial and Azure Government Cloud. Microsoft Learn tutorial available.
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Keeper
Keeper gates automation behind Enterprise plan. Stitchflow delivers the same SCIM outcomes for a flat fee.
See how it works
