Summary and recommendation
Kubernetes, the open-source container orchestration platform, does not support SCIM provisioning. Kubernetes can integrate with identity providers for authentication using OIDC (or SAML through a bridge such as Dex or OpenUnison), but that only verifies login: the API server has no user object to create or delete, it simply trusts the username and group claims in each token. User lifecycle management therefore happens outside the identity provider workflow. Platform teams must hand-write RoleBindings and ClusterRoleBindings that name those users and groups, manage service accounts for workloads, and keep all of it consistent across clusters.
This creates a significant operational burden for DevOps and platform engineering teams managing multiple Kubernetes clusters. Without automated provisioning, onboarding a developer or SRE means manual kubectl or GitOps changes to bind the right roles to their identity. Offboarding becomes a compliance risk: deprovisioning a user in the IdP stops new OIDC tokens from being issued, but it does nothing to bindings that still name that user, to X.509 client certificates already issued in their name (kube-apiserver has no certificate revocation; only expiry or a CA rotation ends them), or to service account tokens and static tokens handed out for convenience. Those leftovers are how a departed user keeps cluster access.
The strategic alternative
Kubernetes has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | OIDC (direct); X.509 client certificates, bearer tokens and webhook authenticators are also supported, but these are not SSO |
| Documentation | No SCIM documentation; authentication options are documented at https://kubernetes.io/docs/reference/access-authn-authz/authentication/ |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | OIDC (direct) or SAML via Dex/OpenUnison | ❌ | Configure Okta as an OIDC application and point kube-apiserver at it with --oidc-issuer-url; a bridge is only needed if Okta must stay SAML-only. Add a groups claim to the ID token so RBAC can bind groups instead of individuals. |
| Microsoft Entra ID | OIDC (direct) | ❌ | AKS has built-in Entra ID integration. Vanilla Kubernetes uses an Entra app registration as the OIDC issuer; enable group claims, and note that users in many groups receive an overage claim instead of the group list. |
| Google Workspace | OIDC (direct), groups via Dex | ❌ | Google ID tokens carry no groups claim, so bindings are per user unless a bridge such as Dex's Google connector supplies groups. |
| OneLogin | OIDC (direct) or SAML via Dex/OpenUnison | ❌ | Same pattern as Okta. |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Kubernetes access manually. Here's where that cost comes from:
The Kubernetes pricing problem
There isn't one. Kubernetes is open source with no plan tiers, so SCIM is not gated behind a premium plan; it simply does not exist at any tier. The cost is operational: running and patching a SAML bridge, hand-maintaining RBAC bindings in every cluster, and the audit work of proving who has access.
Authentication and provisioning options
| Method | Cost | User Provisioning | SSO Support |
|---|---|---|---|
| Native OIDC | Free | Manual RBAC mapping | ✓ With OIDC IdPs |
| SAML via Dex/OpenUnison | Free (self-hosted) | Manual RBAC mapping | ✓ Via middleware |
| Managed Kubernetes (AKS/EKS/GKE) | Cloud pricing | Cloud IAM principals mapped to RBAC (still no SCIM into the cluster) | ✓ Platform-specific |
What this means in practice
For vanilla Kubernetes clusters
Real-world scenario: a 50-person engineering team using Okta needs individual kubectl access. Without automation, platform engineers must:
1. Configure Okta as an OIDC application and point each cluster's kube-apiserver at it (or deploy and maintain Dex/OpenUnison if Okta must remain SAML-only)
2. Make sure the ID token carries a groups claim, and set --oidc-groups-claim and --oidc-groups-prefix so group names land in RBAC predictably
3. Write ClusterRoleBindings or RoleBindings for each Okta group, or for each user where no groups claim is available
4. Update those bindings in every cluster whenever team members join, leave, or change roles
Additional constraints
Summary of challenges
- Kubernetes does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams that provision Kubernetes access by hand incur significant hidden costs annually
What Kubernetes actually offers for identity
Authentication Options (Free/Open Source)
Kubernetes provides multiple authentication methods but no native SAML or SCIM support:
| Method | Details |
|---|---|
| OIDC | Native support for OpenID Connect providers |
| Client certificates | X.509 client certs for authentication |
| Service account tokens | Bearer tokens for service-to-service auth |
| Static token file | Basic token-based auth (not recommended) |
| Webhook token authentication | External webhook for token validation |
SAML limitation: Kubernetes has no native SAML 2.0 support. Teams using SAML-based identity providers (like Okta, Entra ID with SAML apps, or OneLogin SAML) must deploy middleware like Dex or OpenUnison to bridge SAML to OIDC.
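Before writing any binding you need to know the exact subject name the API server will derive from a token, and the prefix rules are where most mistakes happen. The following is an added example, not Kubernetes code: it re-implements the documented behaviour of --oidc-username-claim, --oidc-username-prefix, --oidc-groups-claim and --oidc-groups-prefix in Python so the resulting names can be checked up front. The issuer URL, the token and the user in it are constructed; signature, issuer, audience and expiry validation are the real apiserver's job and are deliberately left out.

```python
"""How kube-apiserver turns OIDC ID-token claims into an RBAC subject name.

Added example, not Kubernetes code. ISSUER and the sample token are constructed.
"""
import base64
import json
from typing import Dict, List, Optional, Tuple

# Assumption: the value configured with --oidc-issuer-url (constructed).
ISSUER = "https://example.okta.com/oauth2/default"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(claims: Dict) -> str:
    """Constructed, UNSIGNED JWT for demonstration only (third segment is a dummy)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-omitted"


def decode_jwt_claims(token: str) -> Dict:
    """Return a JWT's payload WITHOUT verifying the signature.

    Fine for inspecting what a token contains; never use this to authenticate.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def k8s_subject(claims: Dict, issuer: str, username_claim: str = "sub",
                username_prefix: Optional[str] = None, groups_claim: Optional[str] = None,
                groups_prefix: str = "") -> Tuple[str, List[str]]:
    """Apply the apiserver's documented mapping rules and return (user, groups)."""
    if username_claim not in claims:
        raise ValueError(f"token has no {username_claim!r} claim")
    user = str(claims[username_claim])
    if username_claim == "email" and claims.get("email_verified") is False:
        # The apiserver rejects an email username when the IdP marks it unverified.
        raise ValueError("oidc: email not verified")
    if username_prefix is None:
        # Flag not set: every claim except "email" is prefixed with "<issuer>#"
        # so IdP-issued names cannot collide with built-in system: users.
        if username_claim != "email":
            user = f"{issuer}#{user}"
    elif username_prefix != "-":  # "-" explicitly disables all prefixing
        user = username_prefix + user
    groups: List[str] = []
    if groups_claim and groups_claim in claims:
        raw = claims[groups_claim]
        if not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
            raise ValueError(f"{groups_claim!r} claim must be an array of strings")
        groups = [groups_prefix + g for g in raw]
    return user, groups


# Constructed claims for a hypothetical user; no real account is referenced.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "00u1abc", "aud": "kubernetes",
    "email": "alice@example.com", "email_verified": True,
    "groups": ["platform", "sre"],
}
SAMPLE_TOKEN = build_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    c = decode_jwt_claims(SAMPLE_TOKEN)
    # Default flags: user becomes "<issuer>#<sub>" and no groups at all,
    # so every binding would have to spell out that long string per person.
    print(k8s_subject(c, ISSUER))
    # Typical production flags:
    #   --oidc-username-claim=email --oidc-groups-claim=groups --oidc-groups-prefix=oidc:
    print(k8s_subject(c, ISSUER, username_claim="email",
                      groups_claim="groups", groups_prefix="oidc:"))
```

Run it with the defaults and the user is `https://example.okta.com/oauth2/default#00u1abc` with no groups, which is why bindings written against the bare `sub` value silently never match; with the email claim and an `oidc:` groups prefix you get `alice@example.com` in `oidc:platform` and `oidc:sre`, which is what a group-based ClusterRoleBinding should name.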
Authorization (RBAC)
Kubernetes includes Role-Based Access Control (RBAC) for authorization. Roles and ClusterRoles list permitted verbs on resources; RoleBindings and ClusterRoleBindings attach them to subjects, which are users, groups or service accounts named exactly as the authenticator presents them. RBAC never checks whether a named user still exists anywhere, so a binding outlives the person it was written for.
What's Missing for Enterprise Teams
No user provisioning: Kubernetes has no concept of user lifecycle management. RBAC policies must be manually created, updated, and removed as team members join or leave.
Middleware complexity: SAML integration requires deploying and maintaining additional infrastructure (Dex, OpenUnison, or similar) just to connect your existing identity provider.
Manual group mapping: Every new team, project, or permission change requires manual RBAC configuration updates across clusters.
This approach works for small teams comfortable with YAML configuration but becomes operationally expensive for larger organizations managing multiple clusters and frequent team changes.
What IT admins are saying
Community sentiment on Kubernetes's authentication approach reveals frustration with the complexity of enterprise IdP integration:
- No native SAML support forces teams to deploy additional middleware
- OIDC-only approach doesn't work with legacy SAML-based identity providers
- RBAC configuration becomes complex when mapping IdP groups to cluster roles
- Additional components like Dex or OpenUnison add operational overhead
Kubernetes does not natively support SAML authentication. You'll need to use a proxy or bridge service like Dex to convert SAML assertions to OIDC tokens.
OpenUnison provides a SAML 2.0 identity provider that can be used to provide SSO for kubectl and the Kubernetes dashboard.
The recurring theme
Kubernetes's OIDC-only authentication model forces enterprise teams to architect and maintain additional infrastructure components just to integrate with their existing SAML-based identity providers. What should be a straightforward SSO setup becomes a multi-component deployment with additional failure points.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<10 engineers) with simple OIDC setup | Manual RBAC management is acceptable |
| Platform team using managed K8s (AKS, EKS, GKE) | Use cloud provider's native identity integration |
| On-premises K8s with SAML-only IdP | Use Stitchflow for the access lifecycle; authentication still needs a SAML-to-OIDC bridge such as Dex or OpenUnison, or an OIDC app on the IdP if policy allows one |
| Multi-cluster environments (50+ namespaces) | Use Stitchflow: automation essential for RBAC at scale |
| Enterprise with strict compliance requirements | Use Stitchflow: automated audit trail for cluster access |
The bottom line
Kubernetes excels at container orchestration but lacks native SAML support and has no SCIM capabilities. While OIDC works for simple setups, enterprise teams face middleware complexity and manual RBAC management. For organizations needing automated Kubernetes provisioning, Stitchflow provides the missing identity lifecycle layer on top of whichever authentication path (direct OIDC or a SAML bridge) the cluster uses.
Make Kubernetes workflows AI-native
Kubernetes has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
| SCIM version | Not specified |
| Supported operations | Not specified |
| Supported attributes | Not specified |
| Plan requirement | Not specified |
| Prerequisites | Not specified |
Key limitations
- No native SAML support
- Requires OIDC or middleware (Dex, OpenUnison)
- RBAC for authorization is separate from authentication
- Certificate and token auth also supported
No SCIM documentation; authentication is documented at https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Configuration for Entra ID
Integration type
Entra app registration used as an OIDC issuer (vanilla Kubernetes); built-in Entra ID integration on AKS
Where to enable
AKS: enable Entra ID integration on the cluster. Vanilla Kubernetes: register an application in Entra ID (formerly Azure AD), then start kube-apiserver with --oidc-issuer-url set to https://login.microsoftonline.com/<tenant-id>/v2.0 and --oidc-client-id set to the application (client) ID.
Use Stitchflow for automated provisioning.