Summary and recommendation
SAP Concur supports SCIM 2.0 via its UPS v4 API, but only on Enterprise plans (averaging ~$110,000/year). The bigger problem: Microsoft's Azure AD connector for SAP Concur is deprecated and broken, forcing you to route provisioning through SAP Cloud Identity Services instead of direct integration. This creates a complex multi-hop provisioning chain where Entra provisions to SAP IPS, which then provisions to Concur—adding latency, failure points, and troubleshooting complexity.
For organizations below Enterprise tier or those seeking reliable Azure AD integration, this creates a significant gap. You're either locked out of automated provisioning entirely or forced into SAP's broader ecosystem architecture that may not align with your identity management strategy. Manual user lifecycle management in a travel and expense system used by all employees becomes a compliance and operational burden.
The strategic alternative
SAP Concur gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages SAP Concur accounts manually. Here's what that costs:
The SAP Concur pricing problem
SAP Concur gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | ~$110,000/year average |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Enterprise | ~$110,000/year average | ✓ |
Note: SCIM provisioning requires Enterprise tier and must be routed through SAP Cloud Identity Services (SAP IPS). Direct provisioning to Concur is not supported.
What this means in practice
The broken provisioning path creates several operational challenges:
Additional constraints
Summary of challenges
- SAP Concur supports SCIM but only at Enterprise tier (~$110,000/year average)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
SAP Concur doesn't sell SCIM à la carte. It's bundled with Enterprise features at ~$110,000/year average:
The catch: SCIM provisioning requires routing through SAP Cloud Identity Services (SAP IAS), not direct integration. Microsoft's Azure AD gallery connector is deprecated and broken. Okta requires a letter of authorization for SAML setup.
Stitchflow Insight
If you need comprehensive travel and expense management, the Enterprise bundle delivers value. If you just want automated user provisioning for basic expense reporting, you're paying for enterprise travel features most teams never use. We estimate ~60% of Enterprise features are irrelevant for organizations that only need user lifecycle automation.
What IT admins are saying
Community sentiment on SAP Concur's SCIM implementation is frustrated and confused. Common complaints:
- Azure AD gallery app connector is broken and deprecated
- Having to route through SAP Cloud Identity Services adds complexity
- Enterprise-only pricing at ~$110K/year excludes smaller organizations
- Okta requires authorization letters for basic SAML setup
The Azure AD connector for SAP Concur is completely broken. Microsoft's own documentation says to use SAP Cloud Identity Services instead, but that means setting up another system just to provision users.
Why do I need an authorization letter just to set up SAML with Okta? Every other SaaS app handles this automatically.
The recurring theme
SAP Concur forces IT teams into complex enterprise-grade integrations with high costs and administrative overhead, even for basic identity management needs.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise | Use Stitchflow: avoid the ~$110K/year Enterprise upgrade |
| Already on Enterprise with working SCIM | Use native SCIM: you're paying for it |
| Using Azure AD and hit the broken connector | Use Stitchflow: skip the SAP Cloud Identity Services complexity |
| Need simple provisioning without SAP ecosystem | Use Stitchflow: direct integration with your IdP |
| Small team, infrequent user changes | Manual may work: but watch for access control gaps |
The bottom line
SAP Concur gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the SAP Concur workflow gap
SAP Concur gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Azure AD gallery app connector broken/deprecated
- Use SAP Cloud Identity Services for SCIM
- Letter of authorization required for SAML with Okta
- Must provision via SAP IPS, not directly
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM via UPS v4 API or SAP Cloud Identity Services. Aquera connector available for bi-directional lifecycle management. Letter of authorization required for SAML with Okta.
SAP Concur gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
IMPORTANT: Azure AD gallery app connector DEPRECATED/BROKEN. Use SAP Cloud Identity Services for SCIM provisioning. Entra provisions to SAP IPS, which provisions to Concur.
SAP Concur gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
SAP Concur
SAP Concur gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
