Summary and recommendation
Oyster HR, the global employment platform, does not support SCIM provisioning despite pricing that ranges from $29/month for contractors to $699/month per employee for Employer of Record services. While Oyster offers Okta SSO integration, this is limited to admin and manager roles only—Team Members cannot use SSO, creating a two-tiered access system. For user lifecycle management, Oyster only provides webhook-based deprovisioning through Okta event hooks, meaning you can automatically remove users when they're deactivated in your IdP, but provisioning and updates must be handled manually.
This creates a significant operational burden for HR teams managing global workforces. Without SCIM, every new hire, role change, or team transfer requires manual intervention in Oyster, despite the platform's focus on streamlining global employment processes. For companies using Oyster to manage hundreds of international employees and contractors, this manual overhead undermines the efficiency gains the platform is supposed to provide. The SSO limitation to admin roles also means most users still need separate credentials, reducing security consistency across your workforce.
The strategic alternative
Oyster has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 (via Okta) |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | SSO integration in OIN for admin/manager roles. Deprovisioning via Okta event hooks (user suspended, deactivated, unassigned). No full SCIM provisioning. Sign-in only, not sign-up. |
| Microsoft Entra ID | Via third-party | ❌ | No documented Microsoft Entra ID integration. Contact vendor for enterprise SSO options beyond Okta. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Oyster accounts manually. Here's what that costs:
The Oyster pricing problem
Oyster gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| User provisioning | ❌ Manual only | ||
| User deprovisioning | ⚠️ Okta only | Event hooks | |
| SAML SSO | ✓ Admin/manager roles | Okta integration | |
| Team member SSO | ❌ Not supported | N/A |
Provisioning capabilities
| Feature | Availability | Method |
|---|---|---|
| User provisioning | ❌ Manual only | No SCIM endpoint |
| User deprovisioning | ⚠️ Okta only | Event hooks |
| SAML SSO | ✓ Admin/manager roles | Okta integration |
| Team member SSO | ❌ Not supported | N/A |
Pricing across plans
What this means in practice
Without SCIM support, IT teams managing Oyster face significant manual overhead:
For a 100-employee global team on EOR plans, this represents ~$60,000-70,000/year in Oyster costs with zero provisioning automation.
Additional constraints
Summary of challenges
- Oyster does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Oyster actually offers for identity
Okta SSO Integration (Admin/Manager Only)
Oyster provides SAML 2.0 SSO through their official Okta Integration Network listing, but with significant restrictions:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported roles | Admin and Manager accounts only |
| Team Member access | Manual login required |
| IdP support | Okta only (documented) |
| JIT provisioning | ❌ No |
Critical limitation: SSO only works for admin and manager roles. Your actual workforce (Team Members) still requires manual password management.
Webhook-Based Deprovisioning
Oyster offers automated deprovisioning through Okta event hooks:
| Feature | Supported? |
|---|---|
| User creation | ❌ No |
| User updates | ❌ No |
| User deactivation | ✓ Yes (via webhook) |
| Group management | ❌ No |
| Role assignment | ❌ No |
How it works: Configure an Okta event hook with your Oyster API token. When users are suspended, deactivated, or unassigned from the Oyster app in Okta, they're automatically removed from Oyster.
Missing SCIM Capabilities
Oyster's webhook approach handles the most critical security need (deprovisioning), but lacks standard SCIM functionality:
For a global employment platform managing contractors and employees across multiple countries, this creates significant manual overhead for HR teams managing user lifecycle at scale.
What IT admins are saying
Oyster's limited provisioning automation creates manual overhead for IT teams managing global workforces:
- Manual user management required for all employee and contractor accounts
- SSO access restricted to admin and manager roles only - regular team members can't use single sign-on
- Deprovisioning relies on Okta webhooks rather than standard SCIM protocols
- No documented integration path for Microsoft Entra ID or other identity providers
SSO for admin/manager roles only, not Team Members
Create Okta hook with Oyster token for automatic user deletion on removal
The recurring theme
Even with Okta SSO configured, most users still require manual provisioning, and IT teams must set up custom webhooks for basic deprovisioning automation. The lack of standard SCIM support means vendor lock-in to Okta-specific solutions.
The decision
| Your Situation | Recommendation |
|---|---|
| Small HR team (<10 users) managing contractors only | Manual management is acceptable |
| Growing global workforce with frequent contractor onboarding | Use Stitchflow: automation essential for scaling |
| Enterprise with compliance requirements for employee access | Use Stitchflow: automation essential for audit trail |
| Mixed workforce (EOR + contractors) with high turnover | Use Stitchflow: automation strongly recommended |
| Using non-Okta IdP (Entra, Google Workspace, OneLogin) | Use Stitchflow: only option for automated provisioning |
The bottom line
Oyster offers Okta SSO for admin roles and webhook-based deprovisioning, but there's no documented SCIM support for full lifecycle management. For HR teams managing global workforces at scale, Stitchflow provides the automated provisioning that Oyster's native integration gaps leave behind.
Make Oyster workflows AI-native
Oyster has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Okta SSO integration available
- Deprovisioning via Okta event hook
- No documented SCIM endpoint
- SSO for admin/manager roles only, not Team Members
- HRIS platform
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Docs
SSO integration in OIN for admin/manager roles. Deprovisioning via Okta event hooks (user suspended, deactivated, unassigned). No full SCIM provisioning. Sign-in only, not sign-up.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Oyster
Oyster has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
