Summary and recommendation
Panther supports SCIM 2.0 on Enterprise plans, but with critical limitations that undermine automated provisioning workflows. SCIM cannot create new users—only JIT (Just-In-Time) provisioning via SSO can create accounts. Users must complete their first login through SSO before SCIM can manage their profiles, role assignments, or deactivation. The /Groups endpoint isn't supported, and changes made directly in Panther Console get overwritten by IdP sync.
This creates a problematic gap for IT teams. You can't fully automate user lifecycle management because every new user still requires manual coordination—they must know to log in via SSO first, and you can't pre-provision accounts for new hires or assign them to security groups before they arrive. For a security platform where timely access control is critical, this JIT-only approach introduces unnecessary delays and manual touchpoints that defeat the purpose of SCIM automation.
The strategic alternative
Panther gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Panther accounts manually. Here's what that costs:
The Panther pricing problem
Panther gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Community (Free) | $0 (limited) | ||
| Enterprise | Custom (usage-based) |
Note: Panther doesn't publish standard Pro/Business tiers with transparent pricing. All production deployments require Enterprise engagement with custom usage-based pricing negotiations.
What this means in practice
Without published pricing, organizations face several challenges:
Additional constraints
Summary of challenges
- Panther supports SCIM but only at Enterprise tier (Custom (usage-based))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Panther doesn't sell SCIM standalone. It's locked behind Enterprise pricing with usage-based billing:
The SCIM implementation itself is severely limited - it can't create users (only JIT via SSO), can't manage groups, and only works after users manually log in first. This means you're paying Enterprise rates for a partial provisioning solution that still requires manual intervention.
Stitchflow Insight
If you need enterprise security features anyway, the upgrade has value. But if you just want reliable user provisioning, you're paying for enterprise complexity while getting basic automation that doesn't actually automate user creation. We estimate ~80% of Enterprise features are irrelevant for teams that simply need complete SCIM provisioning.
What IT admins are saying
Community sentiment on Panther's SCIM implementation reveals significant frustration with architectural limitations. Common complaints:
- SCIM cannot create new users - forcing reliance on JIT provisioning through SSO
- Users must complete their first login via SSO before SCIM can manage their profiles
- No support for group provisioning via SCIM endpoints
- Changes made directly in Panther Console get overwritten by identity provider sync
- Enterprise tier requirement creates high barrier to entry for basic provisioning
The fact that SCIM can't actually create users defeats the purpose of automated provisioning. We still have to manage the initial onboarding manually through SSO.
Having to tell new hires to log in first before their account can be properly managed is backwards. That's not how modern provisioning should work.
The recurring theme
Panther's Amazon Cognito-based architecture creates a broken provisioning experience where SCIM feels like an afterthought rather than a core identity management capability.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro/Business plan, need SCIM | Use Stitchflow: avoid the expensive Enterprise upgrade |
| Have Enterprise but hit SCIM limitations | Use Stitchflow: bypass the no-user-creation restriction |
| Using Entra ID as your IdP | Use Stitchflow: Panther's SCIM only supports Okta |
| Already on Enterprise with Okta | Evaluate native SCIM: but prepare for JIT-only user creation |
| Small security team, minimal user changes | Manual may work: but security tools need reliable access control |
The bottom line
Panther's SCIM requires Enterprise pricing and still can't create users directly—only through JIT SSO login first. For teams that need true automated provisioning without Enterprise costs or Okta lock-in, Stitchflow delivers complete user lifecycle management at a fraction of the price.
Make Panther workflows AI-native
Panther gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM cannot create new users - only JIT provisioning via SSO creates users
- Users must complete first login via SSO before SCIM can manage their profiles
- /Groups SCIM endpoint is not supported
- Users can only be deactivated, not deleted via SCIM
- Changes made directly in Panther Console will be overwritten by Okta sync
- Built on Amazon Cognito which limits some SCIM capabilities
Documentation not available.
Unlock SCIM for
Panther
Panther gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
