Summary and recommendation
Saleor Commerce, the open-source headless e-commerce platform, does not support SCIM provisioning on any plan. While Saleor offers SSO integration via OpenID Connect (OIDC) with identity providers like Okta and Microsoft Entra ID, this only handles authentication—not user lifecycle management. IT teams must manually provision, deprovision, and manage user accounts in Saleor's dashboard, even when paying $1,500+/month for Enterprise plans. This creates a significant operational burden for organizations scaling their e-commerce operations with multiple developers, merchants, and e-commerce managers who need platform access.
The absence of automated provisioning creates a dangerous security gap. When employees leave or change roles, their Saleor accounts remain active until manually disabled, potentially exposing sensitive customer data, order information, and payment processing capabilities. For organizations subject to PCI-DSS compliance requirements—critical for e-commerce platforms—manual user management introduces audit risks and potential compliance violations.
The strategic alternative
Saleor has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | OIDC |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | No native Okta OIN integration. SSO available via OpenID Connect (OIDC) plugin configuration. No SCIM provisioning documented. |
| Microsoft Entra ID | ✓ | ❌ | Microsoft Entra ID SSO available via OIDC configuration. Configure OpenID Connect plugin in Saleor dashboard with Entra OAuth endpoints. No SCIM provisioning. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Saleor accounts manually. Here's what that costs:
The Saleor pricing problem
Saleor gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Open Source | $0 (self-hosted) | ||
| Saleor Cloud | $795/month | ||
| Standard | $950/month | ||
| Enterprise | From $1,500/month + per-order fees |
Pricing and provisioning options
| Plan | Pricing | SCIM | SSO |
|---|---|---|---|
| Open Source | $0 (self-hosted) | ❌ Not available | ✓ OIDC only |
| Saleor Cloud | $795/month | ❌ Not available | ✓ OIDC only |
| Standard | $950/month | ❌ Not available | ✓ OIDC only |
| Enterprise | From $1,500/month + per-order fees | ❌ Not available | ✓ OIDC only |
Key limitation: No native SCIM provisioning exists at any pricing tier. User management must be handled manually or through custom integrations.
What this means in practice
Manual user lifecycle management: IT teams must create, update, and deactivate Saleor user accounts manually when employees join, change roles, or leave. This creates security risks and administrative overhead, especially for e-commerce teams with frequent role changes.
Limited identity protocol support: Saleor only supports OIDC for SSO, not SAML. Many enterprise identity providers require additional configuration or may not support OIDC endpoints, complicating SSO setup.
Development overhead for automation: Organizations wanting automated provisioning must build custom solutions using Saleor's GraphQL API, requiring developer resources and ongoing maintenance.
Additional constraints
Summary of challenges
- Saleor does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Saleor actually offers for identity
OpenID Connect SSO (All Plans)
Saleor supports SSO through OpenID Connect (OIDC) configuration:
| Setting | Details |
|---|---|
| Protocol | OIDC only (no SAML) |
| Supported IdPs | Any OIDC-compliant provider (Entra ID, Google Workspace) |
| Configuration | Manual setup via OpenID Connect plugin in Saleor dashboard |
| JIT Provisioning | Not supported |
Key limitation: Users must be manually created in Saleor before they can authenticate via SSO. The OIDC integration handles authentication only, not account creation or management.
User Provisioning (Manual Only)
As an open-source e-commerce platform, Saleor provides no native provisioning automation:
| Feature | Supported? |
|---|---|
| SCIM API | ❌ No |
| SAML provisioning | ❌ No |
| User creation via SSO | ❌ No |
| Group/role sync | ❌ No |
| Automated deprovisioning | ❌ No |
The reality: Every user account must be manually created through the Saleor dashboard. For teams managing developer access, merchant accounts, or multi-tenant e-commerce setups, this creates significant administrative overhead.
Why This Falls Short
Saleor's open-source architecture prioritizes developer flexibility over enterprise identity management. The OIDC-only approach means:
For e-commerce teams scaling beyond a handful of users, manual provisioning becomes a bottleneck that slows onboarding and increases security risk.
What IT admins are saying
Saleor's open-source nature creates identity management challenges for IT teams managing commercial deployments:
- No native SCIM provisioning documented, requiring custom development work
- Limited to OIDC-only SSO integration, excluding SAML-dependent workflows
- Manual user provisioning necessary even with SSO configured
- Enterprise-grade identity features require significant technical implementation
Configure OpenID Connect plugin in Saleor dashboard with Entra OAuth endpoints. No SCIM provisioning.
May require custom implementation for SCIM
The recurring theme
While Saleor offers powerful e-commerce capabilities, IT teams must build their own identity management solutions or accept manual user lifecycle management, even on higher-tier plans.
The decision
| Your Situation | Recommendation |
|---|---|
| Small development team (<10 users) | Manual management with OIDC SSO is workable |
| Self-hosted open-source deployment | Manual user management unless you build custom SCIM |
| Enterprise with compliance requirements | Use Stitchflow: automation essential for audit trails |
| Multi-tenant e-commerce platform | Use Stitchflow: automation critical for scale |
| Cloud deployment with frequent user changes | Use Stitchflow: no native SCIM means manual overhead |
The bottom line
Saleor is a powerful headless e-commerce platform, but it's built for developers, not IT admins. With only OIDC SSO and no SCIM provisioning, user management becomes a manual process that doesn't scale. For organizations running Saleor at enterprise scale, Stitchflow provides the automated provisioning that the platform itself doesn't offer.
Make Saleor workflows AI-native
Saleor has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Open-source platform
- SSO via OIDC, not SAML
- No native SCIM documented
- May require custom implementation for SCIM
Documentation not available.
Unlock SCIM for
Saleor
Saleor has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
