Summary and recommendation
SAP Concur supports SCIM 2.0 via its UPS v4 API, but only on Enterprise plans (averaging ~$110,000/year). The bigger problem: Microsoft's Azure AD connector for SAP Concur is deprecated and broken, forcing you to route provisioning through SAP Cloud Identity Services instead of direct integration. This creates a complex multi-hop provisioning chain where Entra provisions to SAP IPS, which then provisions to Concur—adding latency, failure points, and troubleshooting complexity.
For organizations below Enterprise tier or those seeking reliable Azure AD integration, this creates a significant gap. You're either locked out of automated provisioning entirely or forced into SAP's broader ecosystem architecture that may not align with your identity management strategy. Manual user lifecycle management in a travel and expense system used by all employees becomes a compliance and operational burden.
The strategic alternative
SAP Concur gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages SAP Concur accounts manually. Here's what that costs:
The SAP Concur pricing problem
SAP Concur gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | ~$110,000/year average |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Enterprise | ~$110,000/year average | ✓ |
Note: SCIM provisioning requires Enterprise tier and must be routed through SAP Cloud Identity Services (SAP IPS). Direct provisioning to Concur is not supported.
What this means in practice
The broken provisioning path creates several operational challenges:
Additional constraints
Summary of challenges
- SAP Concur supports SCIM but only at Enterprise tier (~$110,000/year average)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
SAP Concur doesn't sell SCIM à la carte. It's bundled with Enterprise features at ~$110,000/year average:
The catch: SCIM provisioning requires routing through SAP Cloud Identity Services (SAP IAS), not direct integration. Microsoft's Azure AD gallery connector is deprecated and broken. Okta requires a letter of authorization for SAML setup.
Stitchflow Insight
If you need comprehensive travel and expense management, the Enterprise bundle delivers value. If you just want automated user provisioning for basic expense reporting, you're paying for enterprise travel features most teams never use. We estimate ~60% of Enterprise features are irrelevant for organizations that only need user lifecycle automation.
What IT admins are saying
Community sentiment on SAP Concur's SCIM implementation is frustrated and confused. Common complaints:
- Azure AD gallery app connector is broken and deprecated
- Having to route through SAP Cloud Identity Services adds complexity
- Enterprise-only pricing at ~$110K/year excludes smaller organizations
- Okta requires authorization letters for basic SAML setup
The Azure AD connector for SAP Concur is completely broken. Microsoft's own documentation says to use SAP Cloud Identity Services instead, but that means setting up another system just to provision users.
Why do I need an authorization letter just to set up SAML with Okta? Every other SaaS app handles this automatically.
The recurring theme
SAP Concur forces IT teams into complex enterprise-grade integrations with high costs and administrative overhead, even for basic identity management needs.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise | Use Stitchflow: avoid the ~$110K/year Enterprise upgrade |
| Already on Enterprise with working SCIM | Use native SCIM: you're paying for it |
| Using Azure AD and hit the broken connector | Use Stitchflow: skip the SAP Cloud Identity Services complexity |
| Need simple provisioning without SAP ecosystem | Use Stitchflow: direct integration with your IdP |
| Small team, infrequent user changes | Manual may work: but watch for access control gaps |
The bottom line
SAP Concur gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make SAP Concur workflows AI-native
SAP Concur gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Azure AD gallery app connector broken/deprecated
- Use SAP Cloud Identity Services for SCIM
- Letter of authorization required for SAML with Okta
- Must provision via SAP IPS, not directly
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM via UPS v4 API or SAP Cloud Identity Services. Aquera connector available for bi-directional lifecycle management. Letter of authorization required for SAML with Okta.
SAP Concur gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
IMPORTANT: Azure AD gallery app connector DEPRECATED/BROKEN. Use SAP Cloud Identity Services for SCIM provisioning. Entra provisions to SAP IPS, which provisions to Concur.
SAP Concur gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
SAP Concur
SAP Concur gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
