Summary and recommendation
Palo Alto Networks supports SCIM through its Cloud Identity Engine, providing automated user provisioning across its security platform. However, the implementation creates significant complexity for IT teams: each Palo Alto product (GlobalProtect, Admin UI, Prisma Access) requires separate SSO configurations, and SCIM only works through the Cloud Identity Engine component. This fragmented approach means managing multiple integrations for what should be a unified security platform.
The real-world impact is substantial operational overhead. IT teams must configure and maintain separate identity connections for each Palo Alto service their organization uses, rather than having a single, consolidated provisioning pipeline. While SSO handles authentication, the provisioning complexity remains - especially problematic when onboarding users who need access to multiple Palo Alto products simultaneously.
The strategic alternative
Palo Alto Networks gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Palo Alto Networks accounts manually. Here's what that costs:
The Palo Alto Networks pricing problem
Palo Alto Networks gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Contact for pricing |
Note: Palo Alto Networks operates on subscription-based enterprise pricing with multi-year discounts up to 32% for 3-year commitments.
What this means in practice
Architectural complexity: While SCIM is technically available, it requires deploying and configuring the Cloud Identity Engine as a centralized identity hub. This adds an additional layer between your IdP and the actual Palo Alto products your users need access to.
Multi-product SSO fragmentation: Each Palo Alto product (GlobalProtect VPN, Admin UI, Prisma Access) requires separate SSO configurations. Even with SCIM handling user provisioning centrally, you still need to manage multiple authentication endpoints and policies across the product suite.
Limited group provisioning scope: Palo Alto recommends only provisioning groups that are actively used in security policies to optimize performance. This means IT admins must coordinate with security teams to determine which groups should sync, creating ongoing operational overhead.
Additional constraints
Summary of challenges
- Palo Alto Networks supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Palo Alto Networks doesn't sell SCIM separately. It's bundled with their enterprise security platform through the Cloud Identity Engine:
Stitchflow Insight
The complexity here is real: each Palo Alto product requires separate SSO configurations, and you can only provision groups that are actually used in security policies. If you just need straightforward user provisioning without the full security platform overhead, you're paying for enterprise security infrastructure you may not need. We estimate ~80% of the Cloud Identity Engine features are irrelevant for organizations that simply want clean user lifecycle management across their security tools.
What IT admins are saying
Community sentiment on Palo Alto Networks's SCIM implementation is mixed, with admins appreciating the capability but frustrated by the complexity. Common complaints:
- Multiple separate SSO configurations needed for different products (GlobalProtect, Prisma Access, Admin UI)
- Cloud Identity Engine requirement adds another layer of complexity
- Having to manage different provisioning setups for each Palo Alto product
- Documentation scattered across multiple product lines makes initial setup challenging
Setting up SCIM with Palo Alto is like configuring three different apps - you need separate configs for GlobalProtect, the admin interface, and Prisma Access. It's not the unified experience you'd expect from a single vendor.
The Cloud Identity Engine works well once configured, but getting there requires understanding their entire product ecosystem first. Not exactly plug-and-play.
The recurring theme
While Palo Alto provides comprehensive SCIM support, their multi-product architecture creates administrative overhead that many IT teams weren't expecting from a single security vendor.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't want Enterprise tier complexity | Use Stitchflow: avoid the multi-product SSO configuration maze |
| Using multiple Palo Alto products (GlobalProtect, Prisma, etc.) | Use Stitchflow: manage all identities from one place instead of separate configs |
| Want SCIM without Cloud Identity Engine setup | Use Stitchflow: skip the separate infrastructure requirement |
| Already have Enterprise with Cloud Identity Engine | Use native SCIM: you're paying for the infrastructure |
| Small security team, minimal user changes | Manual may work: but watch for security policy group mismatches |
The bottom line
Palo Alto Networks gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Palo Alto Networks workflow gap
Palo Alto Networks gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Multiple products with different SSO configs
- Cloud Identity Engine for SCIM
- Separate configs for GlobalProtect, Admin UI, Prisma
- Only provision groups used in Security policy
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Multiple OIN apps: SCIM Connector, Cloud Identity Engine, Cloud Identity Engine (Application-enabled). Use gallery app for Directory Sync. Full sync required after config. Enables real-time identity threat detection with Cortex XDR integration.
Palo Alto Networks gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full provisioning tutorial. Contact support for SCIM URL and Token. Set Provisioning Mode to Automatic. Only provision groups used in Security policy for optimal performance. Cloud Identity Engine tutorial also available.
Palo Alto Networks gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Palo Alto Networks
Palo Alto Networks gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
