Summary and recommendation
Sanity, the popular headless CMS platform, does not support SCIM provisioning on any plan. Instead, Sanity relies entirely on SAML-based role mapping for user management, where users are automatically provisioned with assigned roles on their first SSO login. While this Just-in-Time (JIT) approach works for initial user creation, it creates significant gaps in user lifecycle management - you cannot centrally deprovision users, update role assignments, or sync organizational changes from your identity provider back to Sanity projects.
This SAML-only approach leaves IT administrators with a critical blind spot: once users are provisioned through SSO, there's no automated way to remove access when employees leave or change roles. For organizations managing multiple Sanity projects with different access requirements, this means manual user management becomes unavoidable, creating both security risks and administrative overhead that scales poorly with team growth.
The strategic alternative
Sanity has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Via third-party | ❌ | Sanity does NOT support SCIM provisioning. Uses SAML-based role mapping instead. Users are auto-provisioned with roles on first SSO login via JIT. |
| Microsoft Entra ID | Via third-party | ❌ | Sanity does NOT support SCIM provisioning with Azure/Entra. Uses SAML-based role mapping. JIT provisioning creates users on first login. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Sanity accounts manually. Here's what that costs:
The Sanity pricing problem
Sanity gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 | | |
| Growth | $15/user/month | | |
| Enterprise | $5,000-10,000+/month starting | | |
What this means in practice
Without SCIM, IT admins lose control over the user lifecycle in Sanity:
No proactive provisioning: Users must visit Sanity and trigger SSO login before they appear in the system. You can't pre-provision accounts or set up access before users need it.
No centralized deprovisioning: When someone leaves or changes roles, you can disable their IdP access, but their Sanity account persists with whatever permissions they had. Manual cleanup is required.
Role mapping complexity: User permissions are determined by SAML attribute mapping rules configured in Sanity, not managed through your IdP's group assignments in real-time.
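The gaps listed above can be caught with a periodic reconciliation between the IdP directory and each project's member list. This is an added example, not Sanity or Stitchflow code: the CSV layouts, group and role names, the `;` group separator and the `GROUP_TO_ROLE` mapping are assumptions, and both data sets are constructed samples.

```python
import csv
import io

# Constructed sample: IdP directory export (account status and group memberships).
IDP_EXPORT = """email,status,groups
ana@example.com,ACTIVE,cms-editors
ben@example.com,DEPROVISIONED,cms-admins
cy@example.com,ACTIVE,cms-viewers
dee@example.com,ACTIVE,cms-editors
"""
# Constructed sample: member list collected by hand from one project.
APP_MEMBERS = """email,role
ana@example.com,editor
ben@example.com,administrator
cy@example.com,editor
eve@example.com,viewer
"""
# Assumed mapping, mirroring the SAML role-mapping rules configured for the project.
GROUP_TO_ROLE = {"cms-admins": "administrator", "cms-editors": "editor", "cms-viewers": "viewer"}

def load(text):
    # Key rows by normalized e-mail so both exports can be joined.
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def expected_role(idp_row):
    # First mapped group wins (assumption); None means no access is expected.
    roles = [GROUP_TO_ROLE[g] for g in idp_row["groups"].split(";") if g in GROUP_TO_ROLE]
    return roles[0] if roles else None

def reconcile(idp_text, app_text):
    idp, app = load(idp_text), load(app_text)
    findings = []
    for email, member in sorted(app.items()):
        person = idp.get(email)
        if person is None:
            findings.append((email, "orphaned: not in IdP"))
        elif person["status"] != "ACTIVE":
            findings.append((email, "orphaned: IdP account " + person["status"].lower()))
        elif expected_role(person) != member["role"]:
            findings.append((email, f"role drift: has {member['role']}, mapping gives {expected_role(person)}"))
    for email, person in sorted(idp.items()):
        if person["status"] == "ACTIVE" and expected_role(person) and email not in app:
            findings.append((email, "pending JIT: no account until first SSO login"))
    return findings

if __name__ == "__main__":
    print(*reconcile(IDP_EXPORT, APP_MEMBERS), sep="\n")
```

Orphaned and role-drift findings are the ones that need manual cleanup in the project; pending-JIT entries only show who has been granted access but has not yet logged in.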
Additional constraints
Summary of challenges
- Sanity does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What Sanity actually offers for identity
SAML SSO with Role Mapping (Enterprise or Growth + Add-on)
Sanity provides SAML 2.0 integration with automatic role assignment:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Azure AD, Google Workspace, PingIdentity |
| User provisioning | Just-in-time (JIT) on first SSO login |
| Role assignment | Maps IdP groups to Sanity project roles |
| Configuration | Custom mapping rules (Enterprise only) |
How it works: Users are automatically created in Sanity when they first authenticate via SSO, with roles assigned based on their IdP group memberships.
What's missing: True SCIM provisioning
| SCIM Feature | Sanity Support |
|---|---|
| Create users | ❌ JIT only (requires login) |
| Update user attributes | ❌ No |
| Deactivate users | ❌ No |
| Sync group memberships | ❌ Role mapping only |
| Bulk operations | ❌ No |
| Real-time sync | ❌ No |
The gap: While SAML role mapping handles basic access control, you can't proactively provision users, update their details, or automatically deactivate accounts when they leave. Users must log in at least once for their accounts to be created, and there's no way to bulk-manage user lifecycles or sync attribute changes.
What IT admins are saying
Sanity's lack of SCIM provisioning forces IT teams into manual user management workflows:
- No automated user provisioning or deprovisioning - all account management is manual
- Must rely on JIT provisioning through SAML, creating security gaps during offboarding
- Role mapping requires Enterprise tier, leaving smaller teams without granular access control
- Users can't be pre-provisioned - they must attempt login before accounts are created
Users auto-provisioned with roles on SSO login
SAML SSO on Enterprise/Growth+addon. Role mapping from IdP groups.
The recurring theme
Without SCIM, IT admins lose the ability to proactively manage user lifecycles. Employees retain access until they actually try to log in and fail, and new hires can't be set up in advance of their start date.
The decision
| Your Situation | Recommendation |
|---|---|
| Small development team (<10 users) | Manual management with SAML SSO is workable |
| Content teams with frequent contractor changes | Use Stitchflow: JIT provisioning creates audit gaps |
| Enterprise with multiple Sanity projects | Use Stitchflow: role mapping across projects gets complex |
| Organizations requiring deprovisioning automation | Use Stitchflow: SAML role mapping can't remove access |
| Teams needing granular role management | Use Stitchflow: native role mapping is limited to basic rules |
The bottom line
Sanity's SAML-based role mapping creates users on first login, but it's a one-way street—there's no automated deprovisioning or sophisticated role management. For teams that need true provisioning automation with proper lifecycle management, Stitchflow eliminates the gaps in Sanity's JIT approach.
Make Sanity workflows AI-native
Sanity has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specified
Supported Operations
Not specified
Supported Attributes
Plan requirement
Not specified
Prerequisites
Not specified
Key limitations
- No SCIM provisioning
- Uses SAML role mapping instead
- Custom mapping rules on Enterprise only
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
Sanity does NOT support SCIM provisioning with Azure/Entra. Uses SAML-based role mapping. JIT provisioning creates users on first login.
Use Stitchflow for automated provisioning.