Summary and recommendation
Red Hat OpenShift, the enterprise Kubernetes platform, does not support SCIM provisioning on any plan. Instead, OpenShift relies on LDAP group synchronization for user and group management, while authentication is handled through SAML 2.0 (via mod_mellon proxy) or OIDC integration. This means IT teams must manually provision users in their LDAP directory and configure group mappings, then rely on periodic sync operations to update OpenShift permissions. For platform teams managing developer access across multiple OpenShift clusters, this creates a significant operational burden.
The lack of SCIM support creates a critical gap for enterprise deployments where developers need dynamic access to namespaces, projects, and RBAC roles based on changing team assignments. While LDAP sync can handle basic group membership, it doesn't provide the real-time provisioning and deprovisioning that modern DevOps workflows require. This forces platform teams to choose between manual user management overhead or accepting security risks from delayed access revocation when developers change roles or leave the organization.
The strategic alternative
OpenShift has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 (via proxy), OIDC |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | No Okta OIN app for OpenShift SCIM. SSO via generic OIDC/SAML configuration. User management via LDAP sync. |
| Microsoft Entra ID | Via third-party | ❌ | Microsoft Entra ID integrates via OIDC OAuth. Configure OpenShift as relying party with app registration in Entra ID. Map groups to OpenShift RBAC roles. No SCIM provisioning. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages OpenShift accounts manually. Here's what that costs:
The OpenShift pricing problem
OpenShift does not offer SCIM provisioning on any plan, so no tier upgrade unlocks it; the cost of basic user management lands on manual processes instead.
Pricing structure
| Plan | Pricing | SCIM | SSO |
|---|---|---|---|
| Self-managed | $0.076/hr per 4vCPU (3-year commitment) | ❌ Not available | ✓ SAML/OIDC |
| ROSA (AWS) | $0.171/hr per 4vCPU + $0.25/hr cluster fee | ❌ Not available | ✓ SAML/OIDC |
| Azure Red Hat OpenShift | Linux VM pricing + OpenShift license | ❌ Not available | ✓ SAML/OIDC |
OpenShift pricing varies significantly by deployment model, but the provisioning limitation is universal across all tiers.
What this means in practice
Without SCIM, OpenShift forces you into a hybrid identity architecture:
- Manual user lifecycle management
- LDAP dependency
- Additional constraints
Summary of challenges
- OpenShift does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What OpenShift actually offers for identity
SAML/OIDC SSO (Platform Native)
OpenShift supports federated authentication through multiple protocols:
| Protocol | Implementation | Configuration |
|---|---|---|
| SAML 2.0 | Request Header auth with mod_mellon proxy | Requires separate proxy setup |
| OIDC | Native support or via Red Hat SSO | Direct integration with IdP |
| Supported IdPs | Okta, Entra ID, ADFS, generic SAML/OIDC | Standard OAuth/SAML flows |
Key architectural requirement: SAML implementations require setting up and maintaining a separate authentication proxy (mod_mellon), adding infrastructure complexity.
LDAP Group Sync (Not SCIM)
Instead of SCIM provisioning, OpenShift uses LDAP synchronization:
| Feature | Details |
|---|---|
| User creation | Just-in-time via SSO login |
| Group management | LDAP sync pulls groups from directory |
| Deprovisioning | Manual removal required |
| Attribute mapping | Limited to LDAP schema |
Critical gap: No SCIM support means no real-time provisioning events. User lifecycle changes in your IdP won't automatically reflect in OpenShift permissions until the next LDAP sync cycle.
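The LDAP sync described above, as an added example that is not Red Hat's or the page's own configuration: an LDAPSyncConfig file, the `oc adm groups sync` / `oc adm groups prune` commands that consume it, and a RoleBinding that grants access to the synced group rather than to individual users. Hostname, DNs, file paths and the `payments-developers` group are constructed placeholders.

```yaml
# Added example (not from Red Hat or the page): LDAPSyncConfig consumed by
# `oc adm groups sync --sync-config=ldap-sync.yaml --whitelist=groups.txt --confirm`.
# Hostname, DNs and the group name below are constructed placeholders.
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://ldap.example.com:636          # LDAPS only; the bind password must not cross the wire in clear
bindDN: cn=openshift-sync,ou=service-accounts,dc=example,dc=com
bindPassword:
  file: /etc/openshift-ldap/bindPassword   # read-only service account, no write rights in the directory
ca: /etc/openshift-ldap/ca.crt
insecure: false
rfc2307:
  groupsQuery:
    baseDN: ou=groups,dc=example,dc=com
    scope: sub
    filter: (objectClass=groupOfNames)
  groupUIDAttribute: dn
  groupNameAttributes: [cn]                # OpenShift Group name = cn of the LDAP group
  groupMembershipAttributes: [member]
  usersQuery:
    baseDN: ou=people,dc=example,dc=com
    scope: sub
  userUIDAttribute: dn
  userNameAttributes: [uid]                # must match the username your SSO login produces
  tolerateMemberNotFoundErrors: true       # a dangling member entry should not abort the whole sync
---
# Bind the synced Group, never individual users, so a removal in LDAP is enforced on the next
# sync. Groups that vanished from LDAP are only removed by the separate prune step:
# `oc adm groups prune --sync-config=ldap-sync.yaml --whitelist=groups.txt --confirm`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers-edit
  namespace: payments
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: payments-developers                # created by the sync from cn=payments-developers
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: edit
```

`groups.txt` lists the LDAP group DNs allowed to become OpenShift groups, one per line, so an unexpected directory group cannot acquire cluster permissions by accident. Run sync and prune from a CronJob: its interval is your deprovisioning latency, which is exactly the gap this section describes.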
What's Missing for Enterprise Identity Management
OpenShift's identity approach creates operational overhead.
For platform teams managing developer access across multiple environments, this manual approach doesn't scale with modern identity governance requirements.
What IT admins are saying
OpenShift's lack of native SCIM support forces IT teams into complex workarounds for user provisioning:
- No SCIM endpoint means manual user management or complex LDAP synchronization setups
- SAML SSO requires additional proxy configuration with mod_mellon, adding infrastructure complexity
- Group membership changes require LDAP sync jobs rather than real-time provisioning
- Platform teams must choose between multiple authentication methods (OIDC, SAML via proxy, or RH-SSO) without clear provisioning automation
SAML via Request Header auth with mod_mellon proxy... LDAP sync for user/group management.
OpenShift has OIDC/SAML SSO. No SCIM - use LDAP group sync for user management.
The recurring theme
While OpenShift offers multiple SSO options, the absence of SCIM forces IT teams to maintain separate user lifecycle processes through LDAP synchronization, creating operational overhead for platform teams managing developer access.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<20 users) with simple RBAC needs | Manual LDAP group sync is manageable |
| Platform team using OpenShift with basic SSO requirements | Configure OIDC/SAML directly - no provisioning needed |
| Multi-cluster OpenShift deployment (50+ developers) | Use Stitchflow: LDAP sync becomes complex at scale |
| Enterprise with strict access controls and audit requirements | Use Stitchflow: automated provisioning essential for compliance |
| DevOps teams managing multiple OpenShift environments | Use Stitchflow: automation prevents configuration drift |
The bottom line
Red Hat OpenShift is a robust Kubernetes platform with solid OIDC/SAML SSO, but it lacks modern SCIM provisioning—relying instead on LDAP group synchronization that becomes unwieldy for larger teams. For organizations running multi-cluster deployments or managing complex developer access patterns, Stitchflow provides the automated provisioning that OpenShift simply doesn't offer natively.
Make OpenShift workflows AI-native
OpenShift has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
| Item | Value |
|---|---|
| SCIM version | Not specified |
| Supported operations | Not specified |
| Supported attributes | |
| Plan requirement | Not specified |
| Prerequisites | Not specified |
Key limitations
- No native SCIM support
- Uses LDAP group sync instead
- SAML requires proxy (mod_mellon)
- OIDC via RH-SSO or direct
Documentation not available.
Configuration for Entra ID
Integration type: Microsoft Entra Gallery app
Where to enable: Microsoft Entra ID integrates via OIDC OAuth. Configure OpenShift as relying party with app registration in Entra ID. Map groups to OpenShift RBAC roles. No SCIM provisioning.
Use Stitchflow for automated provisioning.
Unlock SCIM for OpenShift
OpenShift has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.