Summary and recommendation
KnowBe4 supports SCIM across all plans (Silver through Diamond), enabling automatic user provisioning from your IdP to their KSAT console. However, SCIM is strictly one-way sync only—changes made within KnowBe4 never sync back to your identity provider. This creates a problematic data flow where user attributes, group memberships, or account status changes made in KnowBe4 remain isolated, forcing IT teams to maintain dual sources of truth.
For security awareness training, this limitation is particularly problematic because compliance tracking requires accurate, centralized user data. When employees complete training, change departments, or have their access modified in KnowBe4, those updates don't flow back to your IdP, creating gaps in your identity governance. SSO alone doesn't solve this—it handles authentication but leaves the provisioning gap that compliance audits will catch.
The strategic alternative
KnowBe4 gates SCIM behind Enterprise (varies by plan). That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages KnowBe4 accounts manually. Here's what that costs:
The KnowBe4 pricing problem
KnowBe4 gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Silver | $0.95-$1.50/user/mo | | |
| Gold | $1.50-$2.00/user/mo | | |
| Platinum | $2.00-$2.50/user/mo | | |
| Diamond | $2.50-$3.25/user/mo | | |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Silver | $0.95-$1.50/user/mo | ✓ |
| Gold | $1.50-$2.00/user/mo | ✓ |
| Platinum | $2.00-$2.50/user/mo | ✓ |
| Diamond | $2.50-$3.25/user/mo | ✓ |
Note: 25-user minimum across all plans. SCIM available through KSAT console integration.
What this means in practice
The one-way sync limitation creates several operational challenges:
Additional constraints
Summary of challenges
- KnowBe4 supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
KnowBe4 includes SCIM across all pricing tiers—no upgrade required. Here's what comes with their security awareness platform:
The catch: KnowBe4's SCIM is fundamentally limited by design. It only syncs from your IdP to KnowBe4—changes made in the KSAT console don't sync back to your identity provider. This breaks the core promise of SCIM: bidirectional synchronization.
Additional limitations include no support for alias email addresses when using SCIM, and nested Azure groups don't work properly. For a security training platform where compliance tracking is critical, these sync gaps create real operational problems.
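To see who the nested-group limitation would leave out, the sketch below (an added example, not KnowBe4 or Microsoft code) compares direct members of the assigned groups with their full transitive membership. It assumes "not supported" means only direct members of an assigned group are provisioned; the group and user names are constructed.

```python
"""Added example: find users a direct-membership-only sync would skip.

Assumes "nested groups not supported" means only direct members of an
assigned group are provisioned. Group and user names are constructed.
"""


def transitive_members(group, members_of, _seen=None):
    """All users reachable from `group`, following nested groups.

    members_of maps a group name to a list of ("user"|"group", name) entries.
    Cycles (A contains B contains A) are tolerated via the shared seen set.
    """
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for kind, name in members_of.get(group, []):
        if kind == "user":
            users.add(name)
        else:
            users |= transitive_members(name, members_of, seen)
    return users


def provisioning_gap(assigned_groups, members_of):
    """Users who belong to an assigned group only through nesting."""
    direct, full = set(), set()
    for g in assigned_groups:
        direct |= {n for k, n in members_of.get(g, []) if k == "user"}
        full |= transitive_members(g, members_of)
    return sorted(full - direct)


# Constructed directory layout, not a real tenant.
MEMBERS = {
    "All-Staff": [("user", "ana"), ("group", "Engineering"), ("group", "Contractors")],
    "Engineering": [("user", "bo"), ("group", "SRE")],
    "SRE": [("user", "cy"), ("group", "Engineering")],  # cycle on purpose
    "Contractors": [("user", "dee"), ("user", "ana")],
}

if __name__ == "__main__":
    print(provisioning_gap(["All-Staff"], MEMBERS))
```

Anyone in the returned list would need a direct assignment, or a flattened group, to receive training enrollment.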
What IT admins are saying
Community sentiment on KnowBe4's SCIM implementation is mixed, with most complaints focused on functional limitations rather than pricing. Common frustrations:
- One-way sync only - changes made in KnowBe4 don't sync back to IdP
- Loss of alias email functionality when enabling SCIM
- Azure nested groups not supported despite being a common enterprise setup
- Manual workarounds still required for bi-directional updates
The one-way sync is really limiting - we still have to manually update our IdP when users change roles in KnowBe4, which defeats half the purpose of automation.
Switched to SCIM and immediately lost all our alias emails. Had to choose between automation and email flexibility.
The recurring theme
KnowBe4's SCIM works for basic provisioning but falls short on advanced enterprise requirements, forcing admins to accept functional trade-offs or maintain hybrid manual processes.
The decision
| Your Situation | Recommendation |
|---|---|
| Need bidirectional sync or alias email support | Use Stitchflow: KnowBe4's one-way SCIM won't meet your needs |
| Using nested Azure groups for organization | Use Stitchflow: KnowBe4 doesn't support nested groups |
| Want changes in KnowBe4 to sync back to IdP | Use Stitchflow: native SCIM is one-way only |
| Happy with one-way sync, have any KnowBe4 plan | Use native SCIM: it's included across all tiers |
| Small org with stable workforce | Manual may work: but security training compliance is critical |
The bottom line
KnowBe4 gates SCIM behind Enterprise (varies by plan). The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the KnowBe4 workflow gap
KnowBe4 gates SCIM behind Enterprise (varies by plan), but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- One-way sync only (IdP to KnowBe4)
- Changes in KSAT console don't sync back to IdP
- Alias email addresses not supported with SCIM
- Nested groups not supported with Azure SCIM
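Because console-side changes never flow back, drift has to be found by comparison. The following is an added example (not KnowBe4 or Stitchflow code) that reconciles an IdP export against a KSAT user export; the field names `email`, `active` and `department` are assumptions to be mapped to your own export columns, and the records are constructed.

```python
"""Added example: reconcile an IdP export against a KSAT user export.

Field names (email, active, department) are assumptions for illustration;
map them to the columns in your own exports.
"""


def reconcile(idp_users, app_users, tracked=("department",)):
    """Return findings a one-way sync will never surface on its own."""
    idp = {u["email"].lower(): u for u in idp_users}
    app = {u["email"].lower(): u for u in app_users}
    findings = {"orphaned": [], "should_be_inactive": [], "missing": [], "drift": []}

    for email, a in app.items():
        src = idp.get(email)
        if src is None:
            # Account exists only in the app (e.g. created in the console).
            if a["active"]:
                findings["orphaned"].append(email)
            continue
        if a["active"] and not src["active"]:
            # Offboarded in the IdP but still active downstream.
            findings["should_be_inactive"].append(email)
        for field in tracked:
            if a.get(field) != src.get(field):
                findings["drift"].append((email, field, src.get(field), a.get(field)))

    for email, src in idp.items():
        if src["active"] and email not in app:
            findings["missing"].append(email)

    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data, not real accounts.
IDP = [
    {"email": "ana@example.com", "active": True, "department": "Finance"},
    {"email": "bo@example.com", "active": False, "department": "Sales"},
    {"email": "cy@example.com", "active": True, "department": "IT"},
]
KSAT = [
    {"email": "Ana@example.com", "active": True, "department": "Legal"},
    {"email": "bo@example.com", "active": True, "department": "Sales"},
    {"email": "temp@example.com", "active": True, "department": "IT"},
]

if __name__ == "__main__":
    for kind, items in reconcile(IDP, KSAT).items():
        print(kind, items)
```

The `should_be_inactive` and `orphaned` lists are the ones an access review cares about first.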
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support. One-way sync from Okta to KSAT. Test Mode available before enabling. Nested groups not supported.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM with Azure AD/Entra. Microsoft Learn tutorial available. Nested Azure groups not supported.


