Summary and recommendation
Kyriba supports native SCIM 2.0 provisioning through its Okta integration, but only on Enterprise plans that start around $15,000/month—a 3x jump from Pro plans at $5,000/month. For mid-market finance teams, this creates an impossible choice: pay $120,000+ annually extra just to unlock automated user provisioning, or manually manage accounts in your treasury management system. The pricing gap is particularly painful since Kyriba's implementation costs can add another $5K-$50K upfront, making the total cost of automated provisioning potentially $175,000+ in year one.
This pricing structure forces IT teams into manual user lifecycle management for one of their most sensitive financial systems. Finance teams constantly onboard new analysts, rotate through seasonal staff, and adjust access as responsibilities change. Without automated provisioning, every hire, role change, or departure requires manual intervention in a system handling millions in treasury operations—creating both operational overhead and compliance risk.
The strategic alternative
Kyriba gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Kyriba accounts manually. Here's what that costs:
The Kyriba pricing problem
Kyriba gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | ~$5,000/month | ||
| Enterprise | ~$15,000/month |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Pro | ~$5,000/month | ❌ |
| Enterprise | ~$15,000/month | ✓ |
Note: Pricing is estimated based on market reports. Kyriba does not publish standard rates and requires custom enterprise sales engagement for all pricing.
What this means in practice
The jump to Enterprise-level SCIM access represents a substantial cost increase:
Pro to Enterprise upgrade: +$120,000/year minimum
This calculation assumes the lower end of enterprise pricing. Actual costs vary significantly based on:
Additional constraints
Summary of challenges
- Kyriba supports SCIM but only at Enterprise tier (~$15,000/month)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Kyriba doesn't sell SCIM à la carte. It's bundled with Enterprise features that require custom pricing:
Note that Entra ID users have no native provisioning option - only Okta gets first-party SCIM support through their standard connector or enhanced capabilities via the third-party Aquera connector.
Stitchflow Insight
The Enterprise tier starts around $15,000/month with implementation costs ranging from $5K-$50K+ depending on complexity. If you need comprehensive treasury management, the upgrade may justify itself. If you just want automated user provisioning for a finance team, you're paying for enterprise treasury features you won't use. We estimate ~80% of Enterprise features are irrelevant for teams that only need SCIM provisioning.
What IT admins are saying
Community sentiment on Kyriba's SCIM implementation reveals frustration with cost barriers and complexity. Common complaints:
- Enterprise tier requirement adds ~$10,000/month just for SCIM access
- Implementation costs ranging from $5K-$50K+ on top of licensing fees
- Limited Entra ID support forces organizations into Okta ecosystem
- Reliance on third-party Aquera connector for enhanced SCIM functionality
We're already paying $5K/month for Pro features we actually use, but they want us to triple our spend just to get automated user provisioning. The math doesn't work for mid-size finance teams.
The implementation quote came back at $35K plus the Enterprise upgrade. For a treasury management system, that's a massive ask just to sync users from our IdP.
The recurring theme
Kyriba treats SCIM as an enterprise-only luxury, forcing significant budget increases for what should be standard identity automation functionality.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro plan (~$5K/month), need SCIM | Use Stitchflow: avoid the 3x price jump to Enterprise |
| Enterprise pricing exceeds your budget | Use Stitchflow: start with a free gap diagnostic, then build the workflow across every app without asking your team to own the plumbing. |
| Already on Enterprise with native SCIM | Use native SCIM: you're paying premium pricing for it |
| Using Entra ID as your IdP | Use Stitchflow: no native Entra provisioning connector available |
| Implementation budget under $10K | Use Stitchflow: avoid $5K-50K+ implementation costs |
The bottom line
Kyriba gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Kyriba workflow gap
Kyriba gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- Enterprise pricing with no public pricing - custom quotes required
- Implementation costs can range from $5K-$50K+ depending on complexity
- Okta Aquera connector provides enhanced SCIM but is third-party
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Official Okta integration with Group Linking and Schema Discovery. Also available via Aquera connector with enhanced SCIM/entitlements
Kyriba gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Kyriba
Kyriba gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack, and it can add a 200% markup just to get there.
Start with the free gap diagnostic
