Stitchflow
Back to directory
Pigment logo

Pigment SCIM guide

Native SCIM

How to automate Pigment user provisioning, and what it actually costs

Native SCIM requires Enterprise plan

Summary and recommendation

Pigment provides full SCIM 2.0 support for user lifecycle management, but only on its Enterprise tier. This means organizations need to pay Enterprise pricing (starting around $65,000-127,500/year for Professional configurations) to unlock automated provisioning. The limitation isn't just financial—once SCIM is enabled, all member management moves entirely to your IdP, and users must be assigned via groups for proper deprovisioning to work.

For FP&A teams on lower tiers, this creates a significant operational gap. Without SCIM, IT admins must manually provision and deprovision users in Pigment as team members join, leave, or change roles. In financial planning software where access to sensitive budget and forecast data is critical, manual processes introduce compliance risks and delayed access removal when employees leave.

The strategic alternative

Pigment gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available?Yes
SCIM tier requiredEnterprise
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0
DocumentationOfficial docs

Supported identity providers

IdPSSOSCIMNotes
OktaOIN app with full provisioning
Microsoft Entra IDGallery app with SCIM
Google WorkspaceJIT onlySAML SSO with just-in-time provisioning
OneLoginSupported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Pigment accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Pigment pricing problem

Pigment gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Plan Structure

PlanPriceSSOSCIM
Professional~$65,000-127,500/year base
EnterpriseCustom pricing (contact sales)

Note: Professional pricing shown is typical configuration cost including seats and use-case add-ons. Enterprise pricing is quote-based with significant volume discounts available (36-47% off list price for $100K+ contracts).

What this means in practice

Pigment's seat-based model with expensive Enterprise upgrade requirements creates substantial cost barriers:

Typical upgrade scenarios

Professional customers already spending $65K-$127K annually must upgrade to Enterprise for SCIM
Enterprise pricing is quote-based, but typically represents 20-40% premium over Professional
Use-case add-ons (FP&A, SPM, Workforce Planning) cost $30K-$50K each on top of base pricing

Real-world impact

Small finance teams (10-20 users) face disproportionate SCIM tax relative to seat count
Mid-market organizations already at Professional pricing ceiling must negotiate Enterprise deals
Budget planning becomes complex due to quote-based Enterprise pricing

Additional constraints

SAML prerequisite
SSO must be configured and active before SCIM can be enabled
Complete IdP handoff
Once SCIM is activated, all member management moves to your identity provider—no hybrid management
Group assignment required
Users should be assigned via IdP groups rather than direct assignment to ensure proper deprovisioning
Missing group sync
Group provisioning is not yet supported (though it's on Pigment's roadmap)
Security Admin dependency
SCIM setup requires Security Admin access level in Pigment

Summary of challenges

  • Pigment supports SCIM but only at Enterprise tier (custom pricing)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What the upgrade actually includes

Pigment doesn't sell SCIM à la carte. It's bundled with Enterprise tier features:

SCIM 2.0 automated provisioning (user lifecycle only)
SAML single sign-on (available on all tiers, but required for SCIM)
Enterprise-grade security controls
Advanced workspace administration
Priority support and dedicated customer success
Enhanced compliance features
Custom integrations and API access

Stitchflow Insight

The catch: SCIM requires moving all user management to your IdP once enabled, and group provisioning isn't supported yet (though it's on Pigment's roadmap). If you need enterprise planning controls anyway, the upgrade makes sense. If you just want automated user provisioning, you're paying for enterprise features you may not use. We estimate ~60% of Enterprise features are irrelevant for teams that only need basic SCIM automation.

What IT admins are saying

Community sentiment on Pigment's SCIM implementation is mixed, with most feedback focused on setup complexity and tier requirements. Common complaints:

  • SCIM being locked behind the Enterprise tier pricing wall
  • Requiring SAML SSO configuration as a prerequisite before SCIM setup
  • Manual coordination needed with Pigment Support for initial configuration
  • All member management transferring to the IdP once SCIM is enabled (no hybrid management)

Member management moves entirely to your identity provider when SCIM is enabled, so make sure your user assignment strategy is solid before flipping the switch.

Pigment Community Forum

You need to contact Support to get SSO enabled first, then work through the SCIM setup. It's not self-service like some other tools.

Implementation discussion

The recurring theme

While Pigment's SCIM works well once configured, the Enterprise tier requirement and mandatory Support involvement create barriers for teams wanting automated provisioning without the full enterprise commitment.

The decision

Your SituationRecommendation
On Professional or lower, need SCIMUse Stitchflow: avoid the $50K+ Enterprise tier jump
Already on Enterprise tierUse native SCIM: you're paying for it anyway
Need Enterprise features beyond SCIMEvaluate Enterprise: SCIM comes bundled with advanced planning
Small finance team, low turnoverManual may work: but watch for security gaps during rapid growth
Multi-app provisioning needsUse Stitchflow: manage all apps from one platform

The bottom line

Pigment gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.

Make Pigment workflows AI-native

Pigment gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.

No Enterprise upgrade required
Less than a week, start to finish (~2 hours of your time)
We maintain the integration layer underneath
Book a Demo

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Enterprise

Prerequisites

SSO must be configured first

Key limitations

  • SCIM requires Enterprise tier
  • SAML SSO required before SCIM
  • Member management moves entirely to IdP when SCIM enabled
  • Users should be assigned via groups for proper deprovisioning
  • Group provisioning not yet supported (planned)
View Official Documentation

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Pigment → Provisioning

Required credentials

Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).

Configuration steps

Set Provisioning Mode = Automatic, configure SCIM connection.

Provisioning trigger

Entra provisions based on user/group assignments to the enterprise app.

Sync behavior

Entra provisioning runs on a scheduled cycle (typically every 40 minutes).

Docs

Microsoft Entra integrationPigment SCIM setup

Create enterprise app in Azure Portal. Set Provisioning Mode to Automatic. Enter Pigment's SCIM base URL as Tenant URL and API token as Secret Token.

Pigment gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.

Unlock SCIM for
Pigment

Pigment gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.

See how it works
Admin Console
Directory
Applications
Pigment logo
Pigment
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Amplitude logo

Amplitude

SCIM Tax

Product Analytics

SCIM StatusIncluded
Manual Cost$11,754/yr

Amplitude supports SCIM provisioning, but only on Growth plans (starting around $36K/year) or Enterprise plans with custom pricing. While Amplitude's SCIM implementation covers the core functionality—creating, updating, and deactivating users—it requires SCIM to be specifically enabled for your organization, and regenerating the SCIM key immediately invalidates existing integrations without warning. For product teams on Plus plans ($49/month), upgrading to Growth just to unlock SCIM means jumping from under $600/year to $36,000+/year—a 60x increase. That's often more than the entire analytics budget for smaller product teams. The gap becomes particularly problematic for cross-functional product teams where analysts, PMs, and engineers need varying levels of access to user behavior data, but manual provisioning creates security risks around sensitive analytics permissions.

View full guide
Bill.com logo

Bill.com

SCIM Tax

Accounts Payable / Receivable Automation

SCIM StatusIncluded
Manual Cost$11,754/yr

Bill.com offers inconsistent SCIM provisioning support that varies dramatically by identity provider. While Okta users can access SCIM provisioning through the OIN integration, Bill.com doesn't publish native SCIM documentation, and other IdPs like Entra ID are limited to SAML SSO only. This fragmented approach means your provisioning capabilities depend entirely on your IdP choice rather than Bill.com's platform features. For finance teams managing sensitive AP/AR workflows where user access directly impacts invoice approvals and payment processing, this inconsistency creates operational gaps—especially when onboarding new controllers, AP clerks, or accountants requires manual role assignment tied to spending limits and approval hierarchies. The real problem is that Bill.com gates all SSO functionality behind Enterprise plans with custom pricing (typically 2-3x their Corporate plan at $79/user/month), yet still provides no clear path to automated provisioning for most customers. Since financial systems require precise role-based access controls for SOX compliance and segregation of duties, manual user management creates both security risks and administrative overhead. When employees change departments or leave the company, orphaned accounts in payment systems pose significant financial and compliance risks that manual processes often miss.

View full guide
Bitwarden logo

Bitwarden

SCIM Tax

Password Manager / Secrets Management

SCIM StatusIncluded
Manual Cost$11,754/yr

Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords. This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.

View full guide