Summary and recommendation
Pardot (now Marketing Cloud Account Engagement) does not offer direct SCIM provisioning. Instead, it relies entirely on the Salesforce platform's identity management system. While Salesforce does support SCIM at the platform level, this creates a complex dependency where IT teams must manage Pardot users through Salesforce's broader ecosystem. This means you need Salesforce platform access and must navigate Salesforce's SCIM implementation, which can be unnecessarily complex for teams who only need to provision marketing users into Pardot itself.
This platform dependency creates significant operational overhead. IT teams must either grant broad Salesforce admin access to manage marketing users, or constantly handle manual provisioning requests through Salesforce. The integration assumes you're already deep in the Salesforce ecosystem with dedicated platform administrators, which isn't always the case for companies using Pardot as a standalone marketing automation tool.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Pardot without requiring Salesforce platform expertise or additional admin overhead. Works with any Pardot plan and any identity provider. Flat pricing under $5K/year, regardless of your marketing team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | Pardot uses Salesforce identity management. Provisioning handled via Salesforce platform SCIM, not directly to Pardot. |
| Microsoft Entra ID | ✓ | ❌ | Pardot uses Salesforce identity management. Configure SCIM through Salesforce Azure AD integration. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Pardot accounts manually. Here's what that costs:
The Pardot pricing problem
Pardot gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Growth | $1,250/month | Via Salesforce only | |
| Plus | $2,500/month | Via Salesforce only | |
| Advanced | $4,000/month | Via Salesforce only | |
| Premium | $15,000/month | Via Salesforce only |
Pricing structure
| Plan | Price | SCIM Support |
|---|---|---|
| Growth | $1,250/month | Via Salesforce only |
| Plus | $2,500/month | Via Salesforce only |
| Advanced | $4,000/month | Via Salesforce only |
| Premium | $15,000/month | Via Salesforce only |
All Pardot provisioning must go through Salesforce's SCIM endpoints, not directly to Pardot itself.
What this means in practice
Salesforce platform dependency: Your IdP connects to Salesforce's SCIM API, which then provisions users into Pardot. This creates a multi-step process where issues in Salesforce affect Pardot access.
Complex attribute mapping: User attributes and role assignments often require manual configuration within Salesforce before they properly sync to Pardot, defeating the purpose of automated provisioning.
Ecosystem lock-in: Since Pardot uses Salesforce identity, you're effectively managing two systems (Salesforce + Pardot) even if you only need marketing automation.
Additional constraints
Summary of challenges
- Pardot does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Pardot actually offers for identity
SAML SSO via Salesforce platform
Pardot (now Marketing Cloud Account Engagement) doesn't have its own identity system—it uses Salesforce's platform for all authentication and user management:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Configuration | Through Salesforce org settings, not Pardot directly |
| Supported IdPs | Any SAML 2.0 provider (Okta, Entra, OneLogin) |
| Access method | Users authenticate to Salesforce, then access Pardot |
SCIM provisioning (through Salesforce)
User provisioning for Pardot happens at the Salesforce platform level:
| Feature | Supported? |
|---|---|
| Create users | ✓ Yes (via Salesforce SCIM) |
| Update attributes | ✓ Yes (via Salesforce SCIM) |
| Deactivate users | ✓ Yes (via Salesforce SCIM) |
| Group sync | ✓ Yes (via Salesforce SCIM) |
| Direct Pardot provisioning | ❌ No |
The complexity problem: While SCIM technically works, you're not provisioning directly to Pardot. You're provisioning to Salesforce, then managing Pardot access through Salesforce permission sets and profiles. This adds significant configuration overhead—especially if your team only needs Pardot access, not broader Salesforce functionality.
Okta Integration specifics
The Okta Integration Network shows Pardot as SSO-only:
For teams that just want marketing automation user management, navigating Salesforce's enterprise identity architecture is overkill.
What IT admins are saying
Pardot's integration with Salesforce identity management creates confusion for IT teams managing B2B marketing automation access:
- Users must be provisioned through Salesforce SCIM, not directly to Pardot
- Marketing team access requires understanding complex Salesforce ecosystem permissions
- Account deactivation must happen at the Salesforce platform level
- License assignment gets complicated when organizations use multiple Salesforce products
Part of Salesforce ecosystem... Uses Salesforce identity management... Some attributes need manual assignment
SCIM through Salesforce platform... Salesforce acts as both IDP and SDP
The recurring theme
Pardot (now Marketing Cloud Account Engagement) doesn't have its own identity system - everything flows through Salesforce's platform SCIM. IT teams must navigate Salesforce's enterprise identity management even if they only need marketing automation provisioning.
The decision
| Your Situation | Recommendation |
|---|---|
| Small marketing team (<20 users) with stable staff | Manual management with SSO is workable |
| Growing B2B company with frequent marketing hires | Use Stitchflow: automation prevents access delays |
| Enterprise with Salesforce + Pardot integration | Use Stitchflow: simpler than navigating Salesforce SCIM complexity |
| Multi-brand organization with separate marketing teams | Use Stitchflow: automation essential for scale |
| Compliance-heavy industries requiring audit trails | Use Stitchflow: automated provisioning provides complete access history |
The bottom line
Pardot (Marketing Cloud Account Engagement) relies entirely on Salesforce's identity platform, creating unnecessary complexity for teams that just want automated user provisioning. Rather than wrestling with Salesforce SCIM configurations and enterprise licensing requirements, Stitchflow provides direct automation that works with any Pardot plan and any identity provider.
Automate Pardot without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Pardot at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Not specifiedPlan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Part of Salesforce ecosystem
- Uses Salesforce identity management
- Some attributes need manual assignment
- Rebranded as Marketing Cloud Account Engagement
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Pardot uses Salesforce identity management. Provisioning handled via Salesforce platform SCIM, not directly to Pardot.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Pardot
Pardot doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
