Summary and recommendation
Retool supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But Retool gates SCIM functionality behind its Enterprise subscription, which typically costs $94K-$156K/year for a mixed team of 50 standard users and 200 end users. That's a massive jump from Business plans, often representing a 10x+ increase just to unlock automated provisioning.
This Enterprise lock-in is particularly problematic for internal tool teams. Retool applications often span multiple departments—developers building tools, ops teams managing infrastructure, support staff accessing dashboards, and business analysts consuming reports. Without SCIM, IT teams face constant manual provisioning as teams scale and roles change. The alternative of using JIT provisioning alone creates security gaps, as departing employees retain access until someone manually remembers to revoke it.
The strategic alternative
Retool gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Retool accounts manually. Here's what that costs:
The Retool pricing problem
Retool gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Team | $10/user/mo | ||
| Business | Custom | ||
| Enterprise | Custom (typical: $94K-$156K/yr for 50 standard + 200 end users) |
Note: Retool uses differentiated pricing between "standard users" (developers/builders) and "end users" (app consumers), with Enterprise typically running $94K-$156K annually for mixed user bases.
What this means in practice
The Enterprise requirement creates a substantial cost barrier since Business pricing is already custom. Based on typical Enterprise implementations:
| User Mix | Estimated Enterprise Cost | vs. Team Plan ($10/user/mo) |
|---|---|---|
| 25 standard + 100 end users | ~$75K/year | +$60K/year |
| 50 standard + 200 end users | ~$125K/year | +$95K/year |
| 100 standard + 300 end users | ~$200K/year | +$152K/year |
These represent order-of-magnitude increases from self-serve pricing.
Additional constraints
Summary of challenges
- Retool supports SCIM but only at Enterprise tier (Custom (typical: $94K-$156K/yr for 50 standard + 200 end users))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Retool doesn't sell SCIM separately. It's exclusively bundled with Enterprise subscriptions that include extensive platform features:
Stitchflow Insight
The Enterprise tier is designed for large organizations building complex internal tooling ecosystems. If you're primarily seeking automated user provisioning for a smaller development team, you're paying for enterprise-grade features like custom branding, audit compliance, and dedicated support that may be overkill. We estimate ~60% of Enterprise features are irrelevant for teams that simply need SCIM to manage developer and ops staff access to internal tools.
What IT admins are saying
Community sentiment on Retool's SCIM requirements centers around Enterprise lock-in and Azure integration complexity. Common complaints:
- Being forced into Enterprise subscriptions just for SSO and SCIM access
- Azure AD requiring obscure URL modifications (aadOptscim062020 flag) for SCIM compliance
- No middle-tier option between Business and Enterprise for basic identity features
- Custom pricing making it difficult to budget for essential security features
Enterprise lock-in for SSO/SCIM is frustrating when you just need basic identity management
The Azure SCIM setup requiring URL modifications feels unnecessarily complex compared to other apps
The recurring theme
Retool gates essential identity management behind Enterprise tiers with custom pricing, while adding technical complexity that shouldn't exist for standard SCIM implementations.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team/Business, need SCIM | Use Stitchflow: avoid the $94K+ Enterprise upgrade |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Self-hosted with technical team | Consider native SCIM: configure SCIM 2.0 endpoints |
| Need both SCIM and advanced Enterprise features | Evaluate Enterprise: SCIM comes bundled with governance tools |
| Small development team, low turnover | Manual may work: but watch for developer access sprawl |
The bottom line
Retool gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Retool workflows AI-native
Retool gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise subscription required for custom auth
- Azure requires aadOptscim062020 in Tenant URL for SCIM 2.0 compliance
- Bearer token authentication required
- Group Push requires self-hosted v2.94+
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support with user creation, updates, deactivation, and Group Push. Retool domain required during setup (without https:// prefix).
Retool gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Requires aadOptscim062020 flag in Tenant URL for SCIM 2.0 compliance. Some users report issues with name attribute updates.
Retool gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Retool
Retool gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
