Summary and recommendation
OneTrust offers native SCIM provisioning with excellent support for Okta and Azure AD, including advanced features like group linking and schema discovery. However, SCIM is only available on Enterprise tier plans, which start at $10,000-$500,000+ annually depending on your OneTrust product mix. For privacy and GRC teams managing smaller user bases, this creates a significant cost barrier to automated provisioning.
The pricing structure is particularly challenging because OneTrust's modular approach means you might need multiple product licenses (Consent Management at ~$827/month, Privacy Automation at ~$3,680/month, etc.) before reaching Enterprise tier minimums. This forces IT teams to choose between manual user management or substantial licensing increases that far exceed typical provisioning budgets.
The strategic alternative
OneTrust gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OAuth, OpenID Connect |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages OneTrust accounts manually. Here's what that costs:
The OneTrust pricing problem
OneTrust gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard/Professional | $827-$17,500+/mo | ||
| Enterprise | Custom pricing |
Note: OneTrust's pricing varies significantly by product line (Consent & Preferences, Privacy Automation, Tech Risk & Compliance, etc.) but SCIM access consistently requires Enterprise tier across all products.
What this means in practice
OneTrust's enterprise pricing is entirely custom, but industry reports suggest:
For organizations currently on standard OneTrust plans, adding SCIM means:
Additional constraints
Summary of challenges
- OneTrust supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
OneTrust doesn't sell SCIM separately. It's bundled with Enterprise-tier privacy management features:
The challenge? OneTrust's Enterprise tier starts around $10,000+ annually and includes comprehensive privacy/GRC tooling that most IT teams don't manage directly. If your privacy and compliance teams already use OneTrust, the SCIM upgrade makes perfect sense. If you're only looking at OneTrust for identity management, you're paying for enterprise privacy features you won't use.
Stitchflow Insight
We estimate ~85% of OneTrust's Enterprise capabilities are privacy-focused workflows irrelevant for teams that just want automated user provisioning.
What IT admins are saying
Community sentiment on OneTrust's SCIM implementation is generally positive, though pricing concerns dominate the conversation. Common complaints:
While specific community quotes about OneTrust's SCIM are limited due to its enterprise focus, the pricing structure follows a familiar pattern seen across GRC platforms - powerful features locked behind high-cost enterprise tiers.
- Enterprise tier requirement creates a massive cost barrier for smaller privacy teams
- Annual subscriptions starting at $10,000+ exclude mid-market organizations
- Complex pricing across five product lines makes budgeting difficult
- SCIM works well but only accessible after significant financial commitment
The recurring theme
OneTrust delivers solid SCIM functionality, but the enterprise pricing requirement means most organizations evaluate alternatives before committing to the $10,000+ annual minimum typical for privacy automation platforms.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but on lower OneTrust tiers | Use Stitchflow: avoid the Enterprise upgrade requirement |
| Already on Enterprise with SCIM access | Use native SCIM: excellent functionality with group linking |
| Mixed IdP environment (beyond Okta/Azure) | Use Stitchflow: works with any IdP including Google Workspace |
| Privacy team budget under $50K/year | Use Stitchflow: flat $5K vs. $10K-500K OneTrust Enterprise |
| Small compliance team, low turnover | Manual may work: but monitor for audit gaps |
The bottom line
OneTrust's Enterprise-only SCIM requirement creates a massive pricing barrier—potentially $10K-500K annually just to get automated provisioning. For privacy and compliance teams that need SCIM without the Enterprise commitment, Stitchflow delivers the automation at a fraction of the cost.
Make OneTrust workflows AI-native
OneTrust gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise tier required
- Group linking with Okta
- Schema discovery available
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
OneTrust in OIN with SCIM provisioning. Supports group linking, schema discovery, and attribute writeback. Integrates with Okta Universal Directory for automated user preference syncing.
OneTrust gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft Entra ID gallery app available. Supports both SP and IdP initiated SSO. JIT provisioning enabled by default. SCIM provisioning documented at my.onetrust.com. Contact OneTrust for detailed Azure AD SCIM setup.
OneTrust gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
OneTrust
OneTrust gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
