Summary and recommendation
Retool supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But Retool gates SCIM functionality behind its Enterprise subscription, which typically costs $94K-$156K/year for a mixed team of 50 standard users and 200 end users. That's a massive jump from Business plans, often representing a 10x+ increase just to unlock automated provisioning.
This Enterprise lock-in is particularly problematic for internal tool teams. Retool applications often span multiple departments—developers building tools, ops teams managing infrastructure, support staff accessing dashboards, and business analysts consuming reports. Without SCIM, IT teams face constant manual provisioning as teams scale and roles change. The alternative of using JIT provisioning alone creates security gaps, as departing employees retain access until someone manually remembers to revoke it.
The strategic alternative
Retool gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Retool accounts manually. Here's what that costs:
The Retool pricing problem
Retool gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Team | $10/user/mo | ||
| Business | Custom | ||
| Enterprise | Custom (typical: $94K-$156K/yr for 50 standard + 200 end users) |
Note: Retool uses differentiated pricing between "standard users" (developers/builders) and "end users" (app consumers), with Enterprise typically running $94K-$156K annually for mixed user bases.
What this means in practice
The Enterprise requirement creates a substantial cost barrier since Business pricing is already custom. Based on typical Enterprise implementations:
| User Mix | Estimated Enterprise Cost | vs. Team Plan ($10/user/mo) |
|---|---|---|
| 25 standard + 100 end users | ~$75K/year | +$60K/year |
| 50 standard + 200 end users | ~$125K/year | +$95K/year |
| 100 standard + 300 end users | ~$200K/year | +$152K/year |
These represent order-of-magnitude increases from self-serve pricing.
Additional constraints
Summary of challenges
- Retool supports SCIM but only at Enterprise tier (Custom (typical: $94K-$156K/yr for 50 standard + 200 end users))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Retool doesn't sell SCIM separately. It's exclusively bundled with Enterprise subscriptions that include extensive platform features:
Stitchflow Insight
The Enterprise tier is designed for large organizations building complex internal tooling ecosystems. If you're primarily seeking automated user provisioning for a smaller development team, you're paying for enterprise-grade features like custom branding, audit compliance, and dedicated support that may be overkill. We estimate ~60% of Enterprise features are irrelevant for teams that simply need SCIM to manage developer and ops staff access to internal tools.
What IT admins are saying
Community sentiment on Retool's SCIM requirements centers around Enterprise lock-in and Azure integration complexity. Common complaints:
- Being forced into Enterprise subscriptions just for SSO and SCIM access
- Azure AD requiring obscure URL modifications (aadOptscim062020 flag) for SCIM compliance
- No middle-tier option between Business and Enterprise for basic identity features
- Custom pricing making it difficult to budget for essential security features
Enterprise lock-in for SSO/SCIM is frustrating when you just need basic identity management
The Azure SCIM setup requiring URL modifications feels unnecessarily complex compared to other apps
The recurring theme
Retool gates essential identity management behind Enterprise tiers with custom pricing, while adding technical complexity that shouldn't exist for standard SCIM implementations.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team/Business, need SCIM | Use Stitchflow: avoid the $94K+ Enterprise upgrade |
| Already on Enterprise | Use native SCIM: you're paying for it |
| Self-hosted with technical team | Consider native SCIM: configure SCIM 2.0 endpoints |
| Need both SCIM and advanced Enterprise features | Evaluate Enterprise: SCIM comes bundled with governance tools |
| Small development team, low turnover | Manual may work: but watch for developer access sprawl |
The bottom line
Retool gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Retool workflow gap
Retool gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise subscription required for custom auth
- Azure requires aadOptscim062020 in Tenant URL for SCIM 2.0 compliance
- Bearer token authentication required
- Group Push requires self-hosted v2.94+
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM support with user creation, updates, deactivation, and Group Push. Retool domain required during setup (without https:// prefix).
Retool gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Requires aadOptscim062020 flag in Tenant URL for SCIM 2.0 compliance. Some users report issues with name attribute updates.
Retool gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Retool
Retool gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
