Stitchflow
Back to directory
Puppet logo

Puppet SCIM guide

Connector Only

How to automate Puppet user provisioning, and what it actually costs

Summary and recommendation

Puppet Enterprise, the configuration management platform for infrastructure automation, does not offer SCIM provisioning on any plan. While Puppet Enterprise provides SAML 2.0 SSO integration with major identity providers like Okta and PingID, this only handles authentication for existing users. User accounts must be manually created and managed within Puppet Enterprise's Role-Based Access Control (RBAC) system, requiring IT teams to maintain separate user lifecycle processes outside their centralized identity management workflows.

This creates a significant operational gap for DevOps and IT operations teams managing infrastructure at scale. Without automated provisioning, new engineers joining infrastructure teams require manual account creation in Puppet Enterprise, and departing team members need manual deprovisioning—a critical security risk when dealing with production infrastructure access. The lack of group-based provisioning also means IT cannot automatically assign appropriate roles based on team membership, forcing administrators to manually configure permissions for each user's infrastructure management responsibilities.

The strategic alternative

Puppet has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?No
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaSAML SSO documented. No SCIM or provisioning support found. Manual user management required.
Microsoft Entra IDSAML SSO likely supported (any SAML 2.0 IdP). No SCIM or provisioning documented.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Puppet accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Puppet pricing problem

Puppet gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
SCIM❌ Not available
SAML JIT❌ Not supported
Users must be pre-created
Manual✓ Available
Requires PE admin access
APIUnknown

Provisioning options

MethodAvailabilityUser ManagementLimitations
SCIM❌ Not availableN/ANo automated provisioning
SAML JIT❌ Not supportedManual account creation requiredUsers must be pre-created
Manual✓ AvailableAdmin consoleRequires PE admin access
APIUnknownPotential custom integrationNo documented provisioning API

What this means in practice

For a 500-node Puppet deployment ($60K+/year)

IT admins must manually create/remove user accounts
No automated role assignments or group memberships
Offboarding requires manual cleanup across Puppet environments
User access reviews become spreadsheet exercises

The workflow reality

1. New hire request comes in → IT creates Puppet account manually 2. Role change → Admin logs into Puppet to modify permissions 3. Termination → Hope someone remembers to disable the Puppet account 4. Audit time → Export user lists and cross-reference with HR systems

Additional constraints

No centralized user lifecycle management
Each Puppet environment requires separate administration
Attribute mapping limitations
SAML attributes must be manually configured and maintained
Version dependency
SAML SSO requires Puppet Enterprise v2021.2.0 or later
Role-based access complexity
Puppet's RBAC system requires manual role assignments per user
Multi-environment overhead
Development, staging, and production environments need separate user management

Summary of challenges

  • Puppet does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Puppet actually offers for identity

SAML SSO (Enterprise plans)

Puppet Enterprise provides SAML 2.0 authentication starting with version 2021.2.0+:

SettingDetails
ProtocolSAML 2.0
Supported IdPsOkta, PingID, Salesforce, any SAML 2.0 provider
ConfigurationAccess control > SSO settings with attribute binding
User requirementManual user creation required before SSO login

Critical limitation: Puppet's SAML implementation requires manual user provisioning. There's no just-in-time (JIT) provisioning or automated account creation.

No SCIM Provisioning

Puppet Enterprise has no documented SCIM support whatsoever:

FeatureSupported?
SCIM provisioning❌ No
Create users❌ Manual only
Update users❌ Manual only
Deactivate users❌ Manual only
Group sync❌ Manual only

The Manual Reality

Without SCIM, your IT team faces:

Manual account creation for every new DevOps engineer
No automated deprovisioning when team members leave
Manual role assignment and permission updates
No group synchronization between your IdP and Puppet

For infrastructure automation software, the lack of user provisioning automation is particularly ironic.

What IT admins are saying

Puppet Enterprise's lack of automated provisioning forces IT teams into manual user management workflows:

  • No SCIM provisioning support documented anywhere in Puppet's official documentation
  • Manual user creation required even after configuring SAML SSO
  • Configuration complexity with attribute binding requirements for proper SSO setup
  • Enterprise-level pricing required just to get basic SSO functionality

SAML SSO with Okta, PingID, Salesforce. Configure in Access control > SSO. Attribute binding maps PE attributes to IdP.

Puppet Enterprise documentation

SAML SSO requires v2021.2.0+

Puppet Enterprise requirements

The recurring theme

Puppet Enterprise provides enterprise-grade configuration management but treats user provisioning like it's still 2015. IT teams pay enterprise prices for per-node licensing but still manually manage user accounts, creating operational overhead that scales poorly with team growth.

The decision

Your SituationRecommendation
Small DevOps team (<10 nodes)Manual user management is workable with free evaluation
Established infrastructure team with low turnoverManual management with SAML SSO for authentication
Large enterprise deployment (100+ nodes)Use Stitchflow: automation essential for scale
Multi-environment setups with frequent team changesUse Stitchflow: automation strongly recommended
Organizations with compliance requirementsUse Stitchflow: automation essential for audit trail

The bottom line

Puppet has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Close the Puppet workflow gap

Puppet is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.

Across every app in the workflow, including the ones without APIs
Built in less than a week, with roughly 2 hours from your team
You review the exceptions. Stitchflow maintains the workflow underneath
Start with the free gap diagnostic

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No SCIM provisioning documentedSAML SSO requires v2021.2.0+Attribute binding configuration required

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No SCIM provisioning documented
  • SAML SSO requires v2021.2.0+
  • Attribute binding configuration required

Documentation not available.

Close the workflow gap in
Puppet

Puppet has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.

Start with the free gap diagnostic
Admin Console
Directory
Applications
Puppet logo
Puppet
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

SaltStack logo

SaltStack

No SCIM

IT Automation / Configuration Management

ProvisioningNot Supported
Manual Cost$11,754/yr

SaltStack Config (formerly VMware Aria Automation Config, now part of Broadcom's portfolio) does not support SCIM provisioning on any plan. While the platform offers SAML 2.0 SSO with just-in-time provisioning through identity providers like Okta, Entra ID, and Google Workspace, this creates a significant operational gap: users provisioned via SAML cannot be deleted through the SaltStack UI. This limitation forces IT teams into a hybrid management model where user creation happens automatically but deprovisioning requires manual intervention or API scripting. The lack of proper SCIM support creates compliance risks for organizations managing critical infrastructure automation. When employees leave or change roles, their access to configuration management systems must be revoked immediately—but SaltStack's SAML-only approach leaves IT teams with no clean way to handle lifecycle management. The platform's limit of only 2 SAML providers simultaneously further constrains enterprise identity architecture options.

View full guide
6sense logo

6sense

No SCIM

B2B Revenue Intelligence / ABM

ProvisioningNot Supported
Manual Cost$11,754/yr

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.

View full guide
ActiveCampaign logo

ActiveCampaign

No SCIM

Marketing Automation / Email

ProvisioningNot Supported
Manual Cost$11,754/yr

ActiveCampaign, the marketing automation platform, does not offer native SCIM provisioning on any plan. While the Enterprise plan ($145+/month) includes SAML 2.0 SSO with just-in-time (JIT) provisioning, this only creates user accounts on first login—there's no automated deprovisioning when employees leave or change roles. New SSO users are automatically added to a generic "SSO Users" group with configurable permissions, but IT teams have no way to programmatically manage user lifecycles or enforce granular access controls based on department or role changes. This creates a significant gap for marketing teams that need to manage access to customer data and campaign tools. When employees leave the company or change departments, their ActiveCampaign access must be manually revoked, creating compliance risks and potential data exposure. The lack of automated deprovisioning means former employees could theoretically retain access to sensitive marketing data and customer information until someone manually removes them from the platform.

View full guide