Summary and recommendation
KnowBe4 supports SCIM across all plans (Silver through Diamond), enabling automatic user provisioning from your IdP to their KSAT console. However, SCIM is strictly one-way sync only—changes made within KnowBe4 never sync back to your identity provider. This creates a problematic data flow where user attributes, group memberships, or account status changes made in KnowBe4 remain isolated, forcing IT teams to maintain dual sources of truth.
For security awareness training, this limitation is particularly problematic because compliance tracking requires accurate, centralized user data. When employees complete training, change departments, or have their access modified in KnowBe4, those updates don't flow back to your IdP, creating gaps in your identity governance. SSO alone doesn't solve this—it handles authentication but leaves the provisioning gap that compliance audits will catch.
The strategic alternative
KnowBe4 gates SCIM behind Enterprise (varies by plan). Skip the Enterprise (varies by plan) plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages KnowBe4 accounts manually. Here's what that costs:
The KnowBe4 pricing problem
KnowBe4 gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Silver | $0.95-$1.50/user/mo | | |
| Gold | $1.50-$2.00/user/mo | | |
| Platinum | $2.00-$2.50/user/mo | | |
| Diamond | $2.50-$3.25/user/mo | | |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Silver | $0.95-$1.50/user/mo | ✓ |
| Gold | $1.50-$2.00/user/mo | ✓ |
| Platinum | $2.00-$2.50/user/mo | ✓ |
| Diamond | $2.50-$3.25/user/mo | ✓ |
Note: 25-user minimum across all plans. SCIM available through KSAT console integration.
What this means in practice
The one-way sync limitation creates several operational challenges:
Additional constraints
Summary of challenges
- KnowBe4 supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
KnowBe4 includes SCIM across all pricing tiers—no upgrade required. Here's what comes with their security awareness platform:
The catch: KnowBe4's SCIM is fundamentally limited by design. It only syncs from your IdP to KnowBe4—changes made in the KSAT console don't sync back to your identity provider. This breaks the core promise of SCIM: bidirectional synchronization.
Additional limitations include no support for alias email addresses when using SCIM, and nested Azure groups don't work properly. For a security training platform where compliance tracking is critical, these sync gaps create real operational problems.
What IT admins are saying
Community sentiment on KnowBe4's SCIM implementation is mixed, with most complaints focused on functional limitations rather than pricing. Common frustrations:
- One-way sync only - changes made in KnowBe4 don't sync back to IdP
- Loss of alias email functionality when enabling SCIM
- Azure nested groups not supported despite being a common enterprise setup
- Manual workarounds still required for bi-directional updates
The one-way sync is really limiting - we still have to manually update our IdP when users change roles in KnowBe4, which defeats half the purpose of automation.
Switched to SCIM and immediately lost all our alias emails. Had to choose between automation and email flexibility.
The recurring theme
KnowBe4's SCIM works for basic provisioning but falls short on advanced enterprise requirements, forcing admins to accept functional trade-offs or maintain hybrid manual processes.
The decision
| Your Situation | Recommendation |
|---|---|
| Need bidirectional sync or alias email support | Use Stitchflow: KnowBe4's one-way SCIM won't meet your needs |
| Using nested Azure groups for organization | Use Stitchflow: KnowBe4 doesn't support nested groups |
| Want changes in KnowBe4 to sync back to IdP | Use Stitchflow: native SCIM is one-way only |
| Happy with one-way sync, have any KnowBe4 plan | Use native SCIM: it's included across all tiers |
| Small org with stable workforce | Manual may work: but security training compliance is critical |
The bottom line
KnowBe4's native SCIM works across all plans but forces you into one-way sync only—changes in the KSAT console never flow back to your IdP. For organizations that need full bidirectional provisioning or use complex group structures, Stitchflow provides the automation KnowBe4's native integration can't deliver.
Make KnowBe4 workflows AI-native
KnowBe4 gates SCIM behind Enterprise (varies by plan). We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- One-way sync only (IdP to KnowBe4)
- Changes in KSAT console don't sync back to IdP
- Alias email addresses not supported with SCIM
- Nested groups not supported with Azure SCIM
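Because sync runs only from the IdP to KnowBe4 and nested groups are not expanded, drift has to be found by comparing both sides. The following is an added example, not KnowBe4 or Stitchflow code: it reconciles two constructed user exports, and the field names, the `grp:` prefix and the sample accounts are assumptions for illustration.

```python
from collections import deque

# Constructed sample data, not real exports. The IdP is the source of truth.
IDP_USERS = {
    "ana@example.com": {"active": True, "department": "Finance"},
    "bo@example.com": {"active": False, "department": "Sales"},  # offboarded
    "cy@example.com": {"active": True, "department": "IT"},
}
# Group -> direct members; nested groups carry a hypothetical "grp:" prefix.
IDP_GROUPS = {
    "grp:training-all": ["ana@example.com", "grp:it-staff"],
    "grp:it-staff": ["cy@example.com"],
}
KSAT_USERS = {
    "ana@example.com": {"active": True, "department": "Accounting"},  # console edit
    "bo@example.com": {"active": True, "department": "Sales"},  # re-enabled in console
    "dee@example.com": {"active": True, "department": "Ops"},  # created in console
}

def flatten(group, groups):
    """Resolve a group to user emails, following nesting and tolerating cycles."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        for member in groups.get(queue.popleft(), []):
            if not member.startswith("grp:"):
                users.add(member)
            elif member not in seen:
                seen.add(member)
                queue.append(member)
    return users

def reconcile(idp_users, idp_groups, assigned_group, ksat_users):
    """Report where the console's state differs from what the IdP intends."""
    expected = {u for u in flatten(assigned_group, idp_groups)
                if idp_users.get(u, {}).get("active")}
    shared = set(ksat_users) & set(idp_users)
    return {
        "expected_but_missing": sorted(expected - set(ksat_users)),
        "active_but_offboarded": sorted(
            u for u in shared
            if ksat_users[u]["active"] and not idp_users[u]["active"]),
        "unknown_to_idp": sorted(set(ksat_users) - set(idp_users)),
        "attribute_drift": sorted(
            u for u in shared
            if ksat_users[u]["department"] != idp_users[u]["department"]),
    }

if __name__ == "__main__":
    print(reconcile(IDP_USERS, IDP_GROUPS, "grp:training-all", KSAT_USERS))
```

The `active_but_offboarded` and `unknown_to_idp` findings are the ones to review first, since they are accounts the IdP no longer governs.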
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support. One-way sync from Okta to KSAT. Test Mode available before enabling. Nested groups not supported.
KnowBe4 gates SCIM behind Enterprise (varies by plan). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM with Azure AD/Entra. Microsoft Learn tutorial available. Nested Azure groups not supported.


