Stitchflow
Back to directory
Mosaic logo

Mosaic SCIM guide

Connector Only

How to automate Mosaic user provisioning, and what it actually costs

Summary and recommendation

Mosaic Project Operations, the resource planning and project management platform, does not offer SCIM provisioning on any plan. While Mosaic supports SAML 2.0 SSO integration with Azure AD/Entra ID and can be configured with other identity providers, this only handles authentication—not automated user provisioning or deprovisioning. IT teams must manually create user accounts in Mosaic before SSO can work, and there's no automated way to sync group memberships, role assignments, or handle employee departures.

For project management platforms like Mosaic, this creates significant operational overhead. Project teams frequently change as resources are allocated across different initiatives, meaning IT admins are constantly fielding requests to add contractors, remove team members, or adjust permissions. Without SCIM, every user lifecycle change requires manual intervention in both your identity provider and Mosaic, creating delays that can impact project timelines and leaving departed employees with lingering access to sensitive project data.

The strategic alternative

Mosaic has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaVia third-partyOkta SSO via custom SAML 2.0 app. ACS URL and Entity ID from Mosaic settings. No SCIM provisioning documented.
Microsoft Entra IDVia third-partyMicrosoft tutorial for SAML SSO only. SP-initiated SSO. Domain verification required. No SCIM provisioning.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Mosaic accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Mosaic pricing problem

Mosaic gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
StarterCustom ($10+ range)
ProfessionalCustom quote
EnterpriseCustom quote

Provisioning options

PlanPriceSSOSCIM
StarterCustom ($10+ range)
ProfessionalCustom quote
EnterpriseCustom quote

Additional user costs

Guest users
$1.99/month each
Project contractors
$4.99/month each
Integration fees apply separately

What this means in practice

Without SCIM provisioning, IT teams must manually manage user accounts in Mosaic even after setting up SAML SSO. For a 100-person organization with mixed user types:

Manual onboarding
Create accounts individually for each project manager, resource coordinator, and operations user
Guest management overhead
Separately provision and deprovision external project stakeholders at $1.99/month each
Contractor complexity
Track and manage project-based contractor access at $4.99/month per user
No automated cleanup
Departing employees retain access until manually removed

Additional constraints

Domain verification required
IT must configure domain settings in Mosaic before SSO works
SP-initiated SSO only
Users must start login from Mosaic, not your IdP
Azure AD focus
While generic SAML works, documentation primarily covers Microsoft Entra
Project-based access controls
No automated assignment to projects based on IdP group membership

Summary of challenges

  • Mosaic does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Mosaic actually offers for identity

SAML SSO (Azure AD/Entra ID)

Mosaic provides SAML 2.0 integration with Microsoft Azure AD/Entra ID:

SettingDetails
ProtocolSAML 2.0
Supported IdPsAzure AD/Entra ID, generic SAML providers
InitiationSP-initiated only
ConfigurationDomain verification required in Mosaic settings
User requirementManual provisioning - no automated user creation

Critical limitation: SAML provides single sign-on authentication only. Users must be manually created in Mosaic before they can authenticate via SSO.

What's missing entirely

Provisioning FeatureMosaic Support
SCIM protocol❌ No
Automated user creation❌ No
User attribute updates❌ No
User deactivation❌ No
Group/role mapping❌ No
JIT provisioning❌ No

Translation: Mosaic offers basic SAML authentication with Azure AD, but zero automation for user lifecycle management. Every user addition, update, or removal requires manual intervention in the Mosaic interface.

For project management platforms where team composition changes frequently, this creates ongoing administrative overhead as project managers join and leave initiatives.

What IT admins are saying

Mosaic's lack of automated provisioning creates operational overhead for IT teams managing project operations platforms:

  • Manual user provisioning required - no SCIM support documented
  • SSO works but users must be created manually in Mosaic first
  • Domain verification steps add complexity to initial setup
  • SP-initiated SSO only limits flexibility compared to IdP-initiated flows

SAML 2.0 with Azure AD/Entra ID. Domain verification in Mosaic settings. Security group assignment controls access.

Microsoft documentation

SP-initiated SSO only

Technical limitations noted in integration guides

The recurring theme

Even with SAML SSO configured through Azure AD, IT teams must manually provision and deprovision users in Mosaic. For project management platforms where team composition changes frequently, this creates ongoing administrative burden that scales poorly with organization growth.

The decision

Your SituationRecommendation
Small project teams (<10 users)Manual management is workable
Stable operations team with low turnoverManual provisioning with SAML SSO for authentication
Growing consultancy (25+ users)Use Stitchflow: automation prevents project delays
Enterprise with multiple project portfoliosUse Stitchflow: automation essential for resource planning
Agencies with frequent contractor onboardingUse Stitchflow: automation critical for client project access

The bottom line

Mosaic Project Operations offers SAML SSO but no documented SCIM provisioning, creating manual overhead for project teams that need rapid user onboarding. For organizations managing multiple projects with changing team compositions, Stitchflow eliminates the bottleneck of manual user management.

Make Mosaic workflows AI-native

Mosaic has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.

Covers apps without native SCIM, including the ones without APIs
Less than a week, start to finish (~2 hours of your time)
Built with your team; extend to anything else in the company
Book a Demo

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No SCIM provisioning documentedSAML SSO with Azure ADSP-initiated SSO onlyDomain verification required

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No SCIM provisioning documented
  • SAML SSO with Azure AD
  • SP-initiated SSO only
  • Domain verification required

Documentation not available.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Mosaic → Single sign-on

Docs

Microsoft Entra integration

Microsoft tutorial for SAML SSO only. SP-initiated SSO. Domain verification required. No SCIM provisioning.

Use Stitchflow for automated provisioning.

Unlock SCIM for
Mosaic

Mosaic has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.

See how it works
Admin Console
Directory
Applications
Mosaic logo
Mosaic
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

6sense logo

6sense

No SCIM

B2B Revenue Intelligence / ABM

ProvisioningNot Supported
Manual Cost$11,754/yr

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.

View full guide
ActiveCampaign logo

ActiveCampaign

No SCIM

Marketing Automation / Email

ProvisioningNot Supported
Manual Cost$11,754/yr

ActiveCampaign, the marketing automation platform, does not offer native SCIM provisioning on any plan. While the Enterprise plan ($145+/month) includes SAML 2.0 SSO with just-in-time (JIT) provisioning, this only creates user accounts on first login—there's no automated deprovisioning when employees leave or change roles. New SSO users are automatically added to a generic "SSO Users" group with configurable permissions, but IT teams have no way to programmatically manage user lifecycles or enforce granular access controls based on department or role changes. This creates a significant gap for marketing teams that need to manage access to customer data and campaign tools. When employees leave the company or change departments, their ActiveCampaign access must be manually revoked, creating compliance risks and potential data exposure. The lack of automated deprovisioning means former employees could theoretically retain access to sensitive marketing data and customer information until someone manually removes them from the platform.

View full guide
Adyen logo

Adyen

No SCIM

Payments / Fintech

ProvisioningNot Supported
Manual Cost$11,754/yr

Adyen offers SCIM 2.0 provisioning, but only through Okta's integration—there's no native SCIM endpoint. This creates a significant vendor lock-in scenario where your provisioning capabilities are entirely dependent on using Okta as your identity provider. Teams using Azure Entra, Google Workspace, or OneLogin are left with manual user management despite Adyen supporting SAML SSO with these platforms. The Okta integration itself requires maintaining a company account (not just a merchant account) and keeping at least one non-SSO admin for troubleshooting, adding operational complexity. For payment platforms handling sensitive financial data, this provisioning gap creates serious compliance risks. Your finance team, payment operations staff, and developers need timely access to process transactions and manage risk controls, but without automated provisioning, you're stuck with manual onboarding that can delay critical payment operations. The requirement to maintain non-SSO admin accounts also creates a security backdoor that compliance auditors will flag.

View full guide