Summary and recommendation
PandaDoc supports SCIM, but only the outdated SCIM 1.1 protocol on Enterprise plans with additional fees. The implementation is severely limited: it can only create and delete users—no attribute updates whatsoever. This means when employees change roles, departments, or access requirements, IT teams must manually update their PandaDoc profiles. The setup also requires contacting PandaDoc Support, and you can't use JIT provisioning alongside SCIM.
For document automation platforms handling sensitive contracts and legal documents, this creates a significant operational gap. Manual user management becomes a bottleneck as teams scale, and the inability to update user attributes means stale permissions and potential compliance issues. SSO handles authentication, but without proper provisioning automation, you're still managing user lifecycle events manually—exactly what SCIM should eliminate.
The strategic alternative
PandaDoc gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages PandaDoc accounts manually. Here's what that costs:
The PandaDoc pricing problem
PandaDoc gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | $19-35/user/mo | ||
| Business | $49-65/user/mo | ||
| Enterprise | $59+/user/mo | SCIM 1.1 only |
Note: SCIM requires Enterprise plan plus additional fees. Only create and delete operations supported - no user attribute updates.
What this means in practice
Using current list prices (Business → Enterprise for SCIM access):
| Team Size | Minimum Upgrade Cost | Additional SCIM Fees |
|---|---|---|
| 25 users | +$3,000/year | Unknown (contact sales) |
| 50 users | +$6,000/year | Unknown (contact sales) |
| 100 users | +$12,000/year | Unknown (contact sales) |
Calculation: ($59 - $49) × users × 12 months, plus undisclosed SCIM fees
Additional constraints
Summary of challenges
- PandaDoc supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
PandaDoc doesn't sell SCIM separately. It's bundled with Enterprise features and requires additional fees beyond the base Enterprise price:
The catch: PandaDoc only supports outdated SCIM 1.1 (not the modern 2.0 standard), and you can't update user attributes - only create and delete accounts. You also can't use JIT provisioning if you enable SCIM.
Stitchflow Insight
If you need Enterprise security controls anyway, the upgrade may make sense. But if you just want modern automated provisioning, you're paying premium Enterprise prices for a limited SCIM implementation. We estimate ~60% of Enterprise features are irrelevant for teams that only need user provisioning, and the SCIM 1.1 limitation means you'll still need manual attribute management.
What IT admins are saying
Community sentiment on PandaDoc's SCIM implementation is consistently frustrated. Common complaints:
- SCIM 1.1 only - no support for the modern SCIM 2.0 standard
- Create and delete operations only - cannot update user attributes
- Enterprise tier requirement with additional fees on top of base pricing
- JIT provisioning and SCIM are mutually exclusive (can't use both)
Only SCIM 1.1 supported
SCIM setup requires PandaDoc Support
The recurring theme
PandaDoc offers SCIM but with significant technical limitations that make it feel like a half-built feature locked behind premium pricing.
The decision
| Your Situation | Recommendation |
|---|---|
| On Starter/Business, need SCIM | Use Stitchflow: avoid the Enterprise tier jump and extra SCIM fees |
| Already on Enterprise but SCIM costs extra | Use Stitchflow: save on add-on fees while getting full SCIM 2.0 |
| On Enterprise with SCIM included | Evaluate native vs. Stitchflow: weigh limitations against what you're paying |
| Need user attribute updates | Use Stitchflow: native SCIM only does create/delete |
| Using JIT provisioning successfully | Consider staying: but remember JIT and SCIM are mutually exclusive |
The bottom line
PandaDoc gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the PandaDoc workflow gap
PandaDoc gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM 1.1 only - SCIM 2.0 not supported
- Only create and delete - no updates
- Enterprise plan required with extra fees
- JIT and SCIM mutually exclusive
- SCIM setup requires PandaDoc Support
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Aquera connector in OIN. Alternatively, use SCIM 1.1 Test App (Header Auth). Add 'Bearer' before API key. Create/delete only - no updates. SCIM setup requires PandaDoc Support.
PandaDoc gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
SSO tutorial available. SCIM 1.1 only (not 2.0). Add 'Bearer' before key in Tenant URL. Create/delete only - no update or read operations. JIT and SCIM mutually exclusive.
PandaDoc gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
PandaDoc
PandaDoc gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
