Summary and recommendation
LastPass supports SCIM provisioning starting at the Business tier ($7/user/month), with integration support for all major identity providers including Okta, Entra ID, Google Workspace, and OneLogin. However, LastPass SCIM has critical limitations around deprovisioning: when users are removed, their vault access isn't immediately revoked, and shared folder permissions become complex to manage at scale.
This creates a significant security gap for IT teams. Password vaults contain the most sensitive credentials in your organization—API keys, service accounts, privileged access passwords. When employees leave or change roles, their access to these credentials must be revoked immediately, not left accessible while IT manually cleans up vault permissions. SSO alone doesn't solve this because it only controls login authentication, not ongoing vault access or shared resource permissions.
The strategic alternative
Stitchflow provides SCIM-level provisioning for LastPass through resilient browser automation, with proper deprovisioning workflows that immediately revoke vault access and handle shared folder permissions. It works with any LastPass plan and any identity provider. Pricing is flat, under $5K/year, regardless of user count.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages LastPass accounts manually. Here's what that costs:
The LastPass pricing problem
LastPass gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Teams | $4/user/mo | | |
| Business | $7/user/mo | | |
| Enterprise | Custom pricing | | |
What this means in practice
Using current list prices (Teams → Business for SCIM access):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 users | +$900/year |
| 50 users | +$1,800/year |
| 100 users | +$3,600/year |
| 250 users | +$9,000/year |
Calculation: ($7 - $4) × users × 12 months
Additional constraints
Summary of challenges
- LastPass supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
LastPass doesn't sell SCIM separately. It's bundled with Business plan features at $7/user/month:
The Business plan makes sense if you need enterprise password management with SSO. But if you just want automated user provisioning for a smaller team already using LastPass Teams ($4/user/month), you're paying 75% more for features like unlimited shared folders and advanced MFA that many teams don't need.
Stitchflow Insight
We estimate ~60% of Business plan features are overkill for organizations that simply want to automate LastPass user lifecycle management without the full enterprise security suite.
What IT admins are saying
Community sentiment on LastPass's SCIM implementation focuses heavily on security concerns and deprovisioning gaps. Common complaints:
- Deprovisioning doesn't immediately revoke access to existing vault data
- Complex shared folder permission management creates security gaps
- Post-breach trust concerns affecting enterprise adoption
- Master password reset policies clash with automated provisioning workflows
The biggest issue is that when you deprovision someone, they can still access their vault data until their session expires. For a security tool, that's pretty concerning.
Shared folder permissions are a nightmare to manage at scale. SCIM helps with user lifecycle but doesn't solve the vault access complexity.
The recurring theme
While LastPass offers SCIM on reasonable pricing tiers, the fundamental challenge is ensuring truly secure offboarding when password vaults contain critical credentials that need immediate access revocation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Teams ($4/user/month), need SCIM | Use Stitchflow: avoid the 75% price jump to Business |
| On Business/Enterprise with native SCIM | Use native SCIM: you're already paying for it |
| Security-first organization with strict offboarding | Use Stitchflow: better deprovisioning controls than native |
| Complex shared folder permissions requirements | Use Stitchflow: managed configuration avoids permission gaps |
| Small team with low turnover | Manual may work: but password vaults make offboarding errors costly |
The bottom line
LastPass requires Business tier ($7/user/month) for SCIM—a 75% increase from Teams pricing. For organizations that need automated provisioning without the tier upgrade or want stronger deprovisioning controls for sensitive password data, Stitchflow delivers enterprise-grade automation at flat-rate pricing.
Automate LastPass without the tier upgrade
Stitchflow delivers SCIM-level provisioning for LastPass through resilient browser automation, backed by a 24/7 human in the loop, at a flat <$5K/year regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- Vault data handling during deprovisioning
- Shared folder permissions need configuration
- Master password reset considerations
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM with real-time provisioning/deprovisioning. Federated login available (no master password). SCIM endpoint requires no software installation.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM via Azure AD/Entra. Federated login supported. Deprovisioning removes account access while keeping data available for reactivation.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
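An added example (not LastPass or Stitchflow code) of an offboarding check based on the sync behavior above: it parses a SCIM 2.0 `ListResponse` and reports leavers whose account is still `active` after the 40-minute cycle has passed. The JSON, user names and `LEAVERS` export are constructed samples; `userName` and `active` are SCIM core attributes (RFC 7643) assumed to appear in the listing, since the page does not specify supported attributes.

```python
import json
from datetime import datetime, timedelta, timezone

# Grace period: the page cites a typical 40-minute Entra provisioning cycle.
SYNC_CYCLE = timedelta(minutes=40)
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) in the shape a
# GET /Users call returns. All names and ids are made up for illustration.
SCIM_USERS_JSON = """
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "u1", "userName": "alice@example.com", "active": true},
    {"id": "u2", "userName": "bob@example.com", "active": false},
    {"id": "u3", "userName": "Carol@Example.com", "active": true}
  ]
}
"""

# Constructed sample: leavers exported from the HR system or IdP (UTC).
LEAVERS = {
    "alice@example.com": "2024-05-01T09:00:00+00:00",
    "bob@example.com": "2024-05-01T09:00:00+00:00",
    "carol@example.com": "2024-05-01T11:45:00+00:00",
}

def stale_accounts(scim_json, leavers, now, grace=SYNC_CYCLE):
    """Return leavers still active in the SCIM listing after the grace period."""
    body = json.loads(scim_json)
    if LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    findings = []
    for user in body.get("Resources", []):
        name = user.get("userName", "").lower()  # userName is case-insensitive
        if name not in leavers:
            continue
        overdue = now - datetime.fromisoformat(leavers[name]) - grace
        # A missing "active" attribute is treated as active (fail closed).
        if user.get("active", True) and overdue > timedelta(0):
            findings.append((name, user["id"], int(overdue.total_seconds() // 60)))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for name, uid, minutes in stale_accounts(SCIM_USERS_JSON, LEAVERS, now):
        print(f"{name} (id={uid}) still active {minutes} min past the sync window")
```

The check covers account state only; it does not show whether an already-open session can still reach vault data.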


