Summary and recommendation
RudderStack supports SCIM 2.0 for automated user provisioning, but only on Enterprise plans with custom pricing (starting well above their $750/month Starter tier). While the SCIM implementation covers core functionality—creating users, updating attributes, and deactivating accounts—it requires contacting their team to enable and has notable restrictions: users can only be deactivated (not deleted), email addresses can't be updated via SCIM, and SSO is limited to SP-initiated flows only.
For customer data platform teams on Starter or Growth plans, this creates a significant provisioning gap. Manual user management becomes unwieldy as data engineering and marketing teams scale, especially when onboarding contractors or managing cross-functional access to sensitive customer data pipelines. SSO with JIT provisioning helps with authentication, but leaves IT teams manually managing user lifecycle events—a compliance risk when handling customer PII across data warehouse connections.
The strategic alternative
RudderStack gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages RudderStack accounts manually. Here's what that costs:
The RudderStack pricing problem
RudderStack gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | From $750/month | ||
| Growth | Custom pricing | ||
| Enterprise | Custom pricing |
Note: SCIM includes user creation, attribute updates, and deactivation (deletion not supported). Email addresses cannot be updated via SCIM after initial provisioning.
What this means in practice
RudderStack's custom pricing model makes it difficult to calculate exact upgrade costs, but the jump from Starter ($750/month minimum) to Enterprise represents a significant increase. Based on typical customer data platform pricing:
The lack of transparent pricing means teams must engage in lengthy sales processes just to understand SCIM costs.
Additional constraints
Summary of challenges
- RudderStack supports SCIM but only at Enterprise tier (Custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
RudderStack doesn't sell SCIM à la carte. It's bundled with Enterprise-tier features:
The bigger issue: RudderStack requires manual intervention from their team to enable SCIM, even after you upgrade. This creates deployment friction and ongoing dependency on their support process.
Stitchflow Insight
If you need enterprise-grade data infrastructure controls anyway, the upgrade may make sense. If you just want automated user provisioning for your customer data platform, you're paying for a comprehensive enterprise bundle you won't fully use. We estimate ~80% of Enterprise features are irrelevant for teams that only need SCIM.
What IT admins are saying
Community sentiment on RudderStack's SCIM implementation is mixed, with frustration centered on the manual enablement process and Enterprise tier requirements. Common complaints:
- Having to contact the RudderStack team to enable SCIM after purchasing Enterprise
- Cannot update user email addresses through SCIM provisioning
- SP-initiated SSO only - no IdP-initiated login support
- SCIM deactivates users but cannot delete them entirely
Why do we have to contact support to enable a feature we're already paying for? Just give us a toggle in the admin panel.
The email update limitation is annoying when people change names or departments. We have to manually update those in RudderStack.
The recurring theme
RudderStack has solid SCIM functionality but creates unnecessary friction with manual enablement requirements and missing standard features like email updates.
The decision
| Your Situation | Recommendation |
|---|---|
| On Starter plan, need SCIM | Use Stitchflow: avoid the Enterprise upgrade and custom pricing |
| Already on Enterprise tier | Use native SCIM: you're paying for it and it's fully featured |
| Need Enterprise features beyond SCIM | Evaluate Enterprise upgrade: SCIM comes bundled |
| Small team, willing to contact support for setup | Native SCIM may work: if you can handle the manual enablement process |
| Want immediate deployment without vendor coordination | Use Stitchflow: no need to contact RudderStack's team for enablement |
The bottom line
RudderStack's SCIM is locked behind Enterprise pricing and requires contacting their team for enablement, creating barriers for teams on lower tiers. For organizations that need automated provisioning without the Enterprise commitment or support dependency, Stitchflow delivers immediate deployment at predictable pricing.
Make RudderStack workflows AI-native
RudderStack gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Contact team to enable SCIM
- Cannot update email via SCIM
- SP-initiated SSO only
- Does not support user deletion (deactivates only)
- Does not support IdP-initiated authentication
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM provisioning via OIN app. Push users, update attributes, deactivate/reactivate users. Cannot update email via SCIM. Contact team to enable SCIM. SP-initiated SSO only.
RudderStack gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft Azure Entra ID SSO and SCIM documented. Contact team to enable SCIM. Does not support IdP-initiated authentication. Does not support removing users (deactivates only).
RudderStack gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
RudderStack
RudderStack gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
