Summary and recommendation
Ramp offers excellent native SCIM support across all plans, including their free tier. Users are automatically created, updated, and deactivated through standard SCIM protocols with major IdPs like Okta and Microsoft Entra. However, several operational limitations create gaps: SCIM deactivation doesn't actually delete users (they remain as "inactive"), corporate card termination requires manual intervention, and you can't run both SCIM and HRIS integrations simultaneously.
These limitations matter most for financial compliance and offboarding workflows. When employees leave, their Ramp accounts stay in the system indefinitely, and any active corporate cards remain functional until manually terminated. For finance teams managing hundreds of users and cards, this creates audit trail concerns and potential security exposure from dormant accounts.
The strategic alternative
Ramp has native SCIM. Provisioning is only one part of the job. Offboarding, access reviews, and license cleanup still break across the rest of the stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Ramp accounts manually. Here's what that costs:
The Ramp pricing problem
Ramp gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 | ||
| Plus | $15/user/mo | ||
| Enterprise | Custom |
Note: While SCIM is technically available on all plans, role assignments and advanced provisioning features are limited to the full Ramp suite configuration.
What this means in practice
Despite "free" SCIM access, Ramp's implementation creates several operational bottlenecks:
Card management gaps: SCIM can deactivate users but cannot automatically terminate their corporate cards. IT teams must manually revoke card access during offboarding, creating security exposure windows.
Attribute limitations: Email address changes cannot be processed via SCIM, requiring manual user management for common directory updates.
HRIS conflict: Organizations cannot run both SCIM and HRIS integrations simultaneously, forcing IT teams to choose between automated user provisioning and automated expense categorization.
Additional constraints
Summary of challenges
- Ramp supports SCIM but only at Free tier (Custom)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Ramp doesn't require any upgrade for SCIM—it's included on all plans, even the free tier. Here's what you get:
The catch? While SCIM is free, several limitations make it less useful than it appears. Email address changes aren't supported via SCIM, deprovisioning only deactivates users (doesn't delete them), and card termination requires manual intervention after user deactivation. Most importantly, you cannot integrate both SCIM and HRIS systems simultaneously—forcing you to choose between automated provisioning and expense data sync.
What IT admins are saying
Community sentiment on Ramp's SCIM implementation is cautiously positive, though several operational limitations create friction for IT teams:
- Card termination still requires manual intervention after user deactivation
- Email address changes aren't supported through SCIM provisioning
- Cannot run SCIM and HRIS integrations simultaneously
- Deactivation only disables accounts rather than full deletion
- Role assignments limited to full Ramp suite deployments
The SCIM integration works well for basic provisioning, but we still have to manually handle card cancellations when someone leaves. It's not truly hands-off.
Having to choose between SCIM and our HRIS integration was frustrating - we need both for proper automation.
The recurring theme
While Ramp offers solid SCIM basics at no extra cost, the operational gaps mean IT teams still can't achieve fully automated employee lifecycle management for corporate card provisioning.
The decision
| Your Situation | Recommendation |
|---|---|
| Free plan, need SCIM automation | Use Stitchflow: get provisioning without upgrading to Plus |
| Plus plan, want automated provisioning | Use Stitchflow: avoid Enterprise upgrade costs |
| Already on Enterprise with SCIM | Use native SCIM: you're paying for it, role assignments work well |
| Need role-based provisioning for finance workflows | Consider Enterprise: SCIM + role assignments streamline expense management |
| Small team, low employee turnover | Manual provisioning may work: but card termination still requires manual steps |
The bottom line
Ramp has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Close the Ramp workflow gap
Ramp has native SCIM, but the workflow still spans more than one system. Stitchflow builds and maintains the full workflow across the rest of your stack.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
None
Key limitations
- Role assignments only for full Ramp suite
- Deprovisioning deactivates, doesn't delete
- Card termination requires manual action
- Email changes not currently supported via SCIM
- Cannot integrate SCIM and HRIS at the same time
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support including user creation, updates, deactivation, and role assignments
Ramp has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Early Access feature. Supports individual and group provisioning from Entra.
Ramp has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Close the workflow gap in
Ramp
Ramp has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Start with the free gap diagnostic
