Summary and recommendation
One Medical, Amazon's primary care membership service used by 8,500+ employers for employee healthcare benefits, does not support SCIM provisioning on any plan. While One Medical offers basic SSO integration through Okta's Secure Web Authentication (SWA) method, this only handles authentication for existing users—it cannot provision new accounts or manage user lifecycle. For the majority of enterprise customers using One Medical through employer-sponsored programs, this creates a significant gap between employee onboarding in your IdP and healthcare access provisioning.
This limitation forces IT teams to manually coordinate healthcare benefit enrollment with HR systems, often requiring separate processes outside of standard user provisioning workflows. When employees join or leave, their One Medical access must be managed independently from other business applications, creating compliance risks and administrative overhead. For organizations with hundreds or thousands of employees relying on One Medical as a core healthcare benefit, this manual process becomes a significant operational burden.
The strategic alternative
One Medical has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | One Medical Member Login and OneMedical integrations exist in OIN. SWA (Secure Web Authentication) for SSO. No SCIM provisioning supported. |
| Microsoft Entra ID | Via third-party | ❌ | No Microsoft Entra gallery provisioning tutorial found for One Medical. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages One Medical accounts manually. Here's what that costs:
The One Medical pricing problem
One Medical gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Individual | $199/person/year | ||
| Business (via Justworks) | $149/person/year | ||
| Enterprise (employer-sponsored) | Custom quote |
Pricing structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Individual | $199/person/year | ||
| Business (via Justworks) | $149/person/year | ||
| Enterprise (employer-sponsored) | Custom quote |
What this means in practice
No automated user lifecycle management: IT teams cannot programmatically create, update, or deactivate One Medical accounts. Every employee onboarding, role change, or termination requires manual intervention or unreliable screen scraping.
SSO limitations: Even Enterprise customers only get Secure Web Authentication (SWA) - a credential-stuffing approach that's less secure and reliable than SAML or OIDC. SWA requires storing and replaying login credentials through the browser.
Additional constraints
Summary of challenges
- One Medical does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What One Medical actually offers for identity
SSO via Secure Web Authentication (SWA)
One Medical provides basic single sign-on through Okta's password vaulting system:
| Setting | Details |
|---|---|
| Protocol | SWA (Secure Web Authentication) |
| Supported IdPs | Okta (via OIN integration) |
| Authentication method | Password vaulting/credential injection |
| User management | Manual account creation required |
Critical limitation: SWA is not true federated SSO. It's automated password entry - Okta stores One Medical credentials and injects them during login. Users still need individual One Medical accounts created manually.
Okta Integration (via OIN)
The official Okta Integration Network has two One Medical integrations with identical limitations:
| Feature | Supported? |
|---|---|
| SAML SSO | ❌ No |
| OIDC SSO | ❌ No |
| SWA (password vaulting) | ✓ Yes |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Microsoft Entra Integration
| Feature | Supported? |
|---|---|
| Gallery app | ❌ No |
| SAML SSO | ❌ No |
| Provisioning | ❌ No |
Reality check: One Medical offers no meaningful identity integration. As a healthcare membership service (now owned by Amazon), they've prioritized patient experience over enterprise IT requirements. The SWA integration is a band-aid solution that still requires manual user lifecycle management for all 8,500+ employer customers.
What IT admins are saying
One Medical's lack of SCIM provisioning forces IT teams into manual account management for their primary care benefits platform:
- Manual user provisioning required even with SSO configured
- No automated deprovisioning when employees leave the company
- Limited to SWA-based SSO instead of modern SAML/OIDC protocols
- Enterprise features require custom pricing negotiations with Amazon
One Medical Member Login and OneMedical integrations exist in OIN. SWA (Secure Web Authentication) for SSO. No SCIM provisioning supported.
User accounts must be manually managed since there's no SCIM API available for user provisioning.
The recurring theme
Despite being owned by Amazon and serving 8,500+ employers, One Medical still requires manual user lifecycle management. IT teams must coordinate between their identity provider and One Medical's admin portal for every employee change, creating operational overhead for what should be a seamless employee benefit.
The decision
| Your Situation | Recommendation |
|---|---|
| Small company (<25 employees) using One Medical | Manual management is acceptable |
| HR team comfortable with periodic manual onboarding | Manual management with SSO for authentication |
| Mid-size organization (50+ employees) with regular turnover | Use Stitchflow: automation essential for efficiency |
| Enterprise with 500+ employees and One Medical benefit | Use Stitchflow: automation critical for scale |
| Multi-location company with distributed HR management | Use Stitchflow: centralized provisioning strongly recommended |
The bottom line
One Medical offers valuable primary care services to 8,500+ employers, but provides zero automation for user lifecycle management. Without SCIM support and only basic SWA authentication, IT teams face endless manual provisioning work. For organizations that want to deliver healthcare benefits without administrative overhead, Stitchflow automates the entire user lifecycle.
Make One Medical workflows AI-native
One Medical has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Primary care membership service (now owned by Amazon)
- No SCIM API available for user provisioning
- SSO via SWA only (not SAML/OIDC)
- 8,500+ employers use One Medical for employee benefits
- Enterprise pricing requires direct contact
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
One Medical Member Login and OneMedical integrations exist in OIN. SWA (Secure Web Authentication) for SSO. No SCIM provisioning supported.
Use Stitchflow for automated provisioning.
Unlock SCIM for
One Medical
One Medical has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
