Summary and recommendation
Pleo, the corporate cards and expense management platform, offers SCIM 2.0 provisioning but only through Okta integration and exclusively on Enterprise plans with custom pricing. While this integration supports user creation, attribute updates, and deactivation with schema discovery capabilities, it creates a significant accessibility barrier for most organizations. The combination of Enterprise-tier requirements and Okta-only support means teams using Azure AD, Google Workspace, or other identity providers—or those on Pleo's lower-tier plans ($39-179/month)—are completely locked out of automated provisioning.
This limitation is particularly problematic for growing companies that need expense management automation but aren't ready for enterprise-tier commitments. Without SCIM provisioning, IT teams must manually create accounts for every employee who needs a corporate card, then manually deactivate access when they leave—creating both administrative overhead and security gaps in a system that handles company finances.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Pleo that works with any plan and any identity provider (Okta, Azure AD, Google Workspace, OneLogin). Flat pricing under $5K/year, regardless of team size or Pleo plan.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No SCIM available |
| Microsoft Entra ID | ✓ | ❌ | No SCIM available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Pleo accounts manually. Here's what that costs:
The Pleo pricing problem
Pleo gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | Free | ||
| Essential | $39/mo for 3 users + $11/user | ||
| Advanced | $89/mo for 3 users + $14.50/user | ||
| Beyond | $179/mo for 5 users + $17.50/user | ||
| Enterprise | Custom quote |
Pricing structure
| Plan | Price | SCIM |
|---|---|---|
| Starter | Free | ❌ |
| Essential | $39/mo for 3 users + $11/user | ❌ |
| Advanced | $89/mo for 3 users + $14.50/user | ❌ |
| Beyond | $179/mo for 5 users + $17.50/user | ❌ |
| Enterprise | Custom quote | ✓ |
What this means in practice
For a 50-user deployment
For a 100-user deployment
The jump from Beyond to Enterprise eliminates pricing predictability entirely. Companies lose budget control and procurement efficiency just to enable basic user lifecycle management.
Additional constraints
Summary of challenges
- Pleo does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Pleo actually offers for identity
SCIM Provisioning (Enterprise only)
Pleo's SCIM implementation is available exclusively through their Okta integration on Enterprise plans:
| Feature | Details |
|---|---|
| Protocol | SCIM 2.0 via Okta |
| Create users | ✓ Yes |
| Update attributes | ✓ Yes |
| Deactivate users | ✓ Yes |
| Schema discovery | ✓ Yes (custom attributes supported) |
| Group push | ✓ Yes |
| IdP support | Okta only |
The catch: You're locked into Okta. No support for Microsoft Entra ID, Google Workspace, or OneLogin provisioning despite these IdPs supporting SAML SSO.
SAML SSO (Enterprise prerequisite)
SAML 2.0 authentication works with multiple identity providers:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Microsoft Entra ID, custom SAML |
| SP-initiated | ✓ Yes |
| IdP-initiated | ✓ Yes |
| Just-in-time provisioning | ❌ No |
Critical limitation: Bookkeepers are excluded from SAML SSO and must use passcode authentication. This creates a security gap where your accounting team bypasses centralized identity controls.
What you're really paying for
The Enterprise upgrade bundles SCIM with advanced expense management features most IT teams don't need:
Bottom line: You're paying Enterprise pricing for corporate card features when you just need user provisioning that works with your existing IdP stack.
What IT admins are saying
Community sentiment on Pleo's provisioning is mixed, with IT teams appreciating the Okta SCIM integration but frustrated by limitations for certain user types:
- Bookkeepers are completely excluded from SAML SSO and must use passcode login
- SCIM provisioning only works through Okta - no support for other identity providers
- Enterprise pricing required for any automated provisioning capabilities
- Manual user management still needed for accounting team members
Bookkeepers cannot use SAML SSO and will continue to use passcode login even when SSO is enabled.
Enabling SSO makes it mandatory for new sessions, but we still have to manage bookkeeper accounts manually.
The recurring theme
While Pleo offers solid SCIM support through Okta, the exclusion of bookkeepers from SSO creates a two-tier user management system that defeats the purpose of unified identity management for finance teams.
The decision
| Your Situation | Recommendation |
|---|---|
| Small finance team (<20 users) with Okta | Use native SCIM: Pleo's integration works well |
| Mixed IdP environment (Entra, Google Workspace) | Use Stitchflow: native SCIM only works with Okta |
| Large organization (100+ employees with cards) | Use Stitchflow: automation essential for scale |
| Complex user attributes or custom provisioning | Use Stitchflow: better flexibility than Okta-only schema discovery |
| Enterprise with compliance requirements | Use Stitchflow: comprehensive audit trail and SOC 2 certification |
The bottom line
Pleo offers solid SCIM provisioning, but only through Okta's integration on Enterprise plans. If you're not on Okta or need provisioning flexibility across multiple IdPs, Stitchflow provides the automation you need without vendor lock-in.
Automate Pleo without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Pleo at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Not specifiedPlan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Bookkeepers cannot use SAML SSO
- Exclusions list for SSO bypass
- Schema discovery for custom attributes
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Unlock SCIM for
Pleo
Pleo doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
