Summary and recommendation
Paylocity offers native SCIM provisioning that's included with all plans starting at $22-32/employee/month. The implementation is solid for an HR platform—supporting user creation, attribute updates, and deactivation across major identity providers like Okta, Entra, and OneLogin. However, there are operational friction points that complicate deployment: SCIM usernames are restricted to 8-20 characters, users must have both username and work email populated in the HR module before provisioning works, and Okta customers must contact Paylocity support directly to enable SAML 2.0 before SCIM can function.
These seemingly minor requirements create real deployment headaches. The username length restriction can break existing naming conventions, the HR module data prerequisite means provisioning fails silently if employee records aren't properly configured, and the Okta support dependency adds weeks to what should be a straightforward integration. For IT teams managing multiple provisioning integrations, these platform-specific quirks multiply administrative overhead.
The strategic alternative
Paylocity gates SCIM behind $22-32/employee/month. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Paylocity accounts manually. Here's what that costs:
The Paylocity pricing problem
Paylocity gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $22-32/employee/month |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | $22-32/employee/month | ✓ |
Implementation fees: 10-20% of annual software costs
What this means in practice
Unlike pure SaaS apps, Paylocity's HR/payroll platform requires careful coordination between multiple systems and teams:
Setup complexity: SCIM must be enabled through HR & Payroll > User Access > SSO Configuration, requiring admin access to both HR and IT systems. For Okta users, SAML 2.0 must be manually enabled by contacting service@paylocity.com before SCIM can function.
Data dependency: Users must exist in Paylocity's HR module with both username and work email before SCIM provisioning works. This creates a chicken-and-egg problem where HR data entry must precede IT provisioning workflows.
Username constraints: SCIM usernames are limited to 8-20 characters, which can conflict with existing identity naming conventions, especially for organizations using email addresses or longer formats as primary identifiers.
Additional constraints
Summary of challenges
- Paylocity supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Paylocity includes native SCIM provisioning with all Enterprise plans at no additional cost. However, Enterprise is required for mid-market companies (50+ employees):
The challenge isn't additional SCIM costs—it's that Paylocity requires Enterprise pricing ($22-32/employee/month) plus implementation fees of 10-20% of annual software costs. For a 100-employee company, you're looking at $26K-38K annually plus $2.6K-7.6K implementation fees.
Stitchflow Insight
If you already need comprehensive HR/payroll capabilities, this makes sense. But if you're evaluating Paylocity primarily for its identity management features, you're paying for extensive HR functionality you may not fully utilize. We estimate ~60% of Paylocity's feature set is HR/payroll-specific rather than pure identity management.
What IT admins are saying
Community sentiment on Paylocity's SCIM implementation is mixed, with admins appreciating native support but frustrated by setup complexity. Common complaints:
- Having to contact Paylocity support directly to enable SAML 2.0 for Okta integration
- The 8-20 character username limitation causing conflicts with existing naming conventions
- Needing custom SAML attribute mappings for proper identity integration
- Requirement for users to exist in both HR module and identity provider before SCIM works
For Okta integration, you have to email service@paylocity.com to get SAML 2.0 enabled - can't just flip a switch in the admin panel like other apps.
The username character limit is annoying when your org uses email addresses as usernames. Had to create a whole mapping strategy.
The recurring theme
While Paylocity offers native SCIM (a major plus for HR platforms), the implementation requires manual support intervention and careful attribute planning that adds friction to what should be straightforward identity automation.
The decision
| Your Situation | Recommendation |
|---|---|
| Under 50 employees (below Paylocity minimum) | Use Stitchflow: get HR provisioning without meeting seat minimums |
| 50+ employees, comfortable with $22-32/employee/month | Use native SCIM: it's included in your Paylocity plan |
| Need bidirectional sync (Paylocity as source system) | Use native SCIM: leverage Paylocity's HR data as your identity source |
| Using Okta and want to avoid contacting support | Use Stitchflow: skip the SAML 2.0 enablement process |
| Complex attribute mapping requirements | Evaluate both: native offers custom mappings, Stitchflow simplifies setup |
The bottom line
Paylocity gates SCIM behind $22-32/employee/month. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Paylocity workflow gap
Paylocity gates SCIM behind $22-32/employee/month, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM username must be 8-20 characters
- Users need username and work email in HR module
- Contact Paylocity Support to enable SAML 2.0 for Okta
- Custom SAML attribute mappings required
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Okta Paylocity integration supports SSO and user provisioning via SCIM API. Supports import users, Schema Discovery, and Attribute Writeback. Generally Available in OIN.
Paylocity gates SCIM behind $22-32/employee/month. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft tutorial available for SSO configuration. SCIM provisioning supported. Enable SCIM in Paylocity's SSO Configuration settings.
Paylocity gates SCIM behind $22-32/employee/month. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Paylocity
Paylocity gates SCIM behind $22-32/employee/month plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
