Summary and recommendation
SAP SuccessFactors supports SCIM provisioning through SAP Cloud Identity Services, but there's a critical timing issue: basic authentication is deprecated as of November 2026, requiring migration to X.509 certificates. This creates immediate technical debt for IT teams who must coordinate both the SCIM implementation and authentication migration within existing SAP infrastructure complexity.
The real challenge isn't just the technical migration—it's that SuccessFactors typically serves as an HR source system, meaning you're often provisioning from SuccessFactors to other applications rather than into it. This reverses the normal provisioning flow and requires specialized expertise in SAP's identity ecosystem, including Identity Authentication Service and Identity Provisioning Service components.
The strategic alternative
SAP SuccessFactors gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages SAP SuccessFactors accounts manually. Here's what that costs:
The SAP SuccessFactors pricing problem
SAP SuccessFactors gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Professional | $8/user/mo (1-100 users) | ||
| Performance & Goals | $14/user/mo | ||
| Full Suite | $28-38/user/mo | ||
| Enterprise | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Professional | $8/user/mo (1-100 users) | ❌ |
| Performance & Goals | $14/user/mo | ❌ |
| Full Suite | $28-38/user/mo | ❌ |
| Enterprise | Custom pricing | ✓ (via SAP Cloud Identity Services) |
Note: SCIM provisioning requires Enterprise tier and must be implemented through SAP Cloud Identity Services, not directly with SuccessFactors.
What this means in practice
Implementation complexity: You can't provision directly to SuccessFactors. The required architecture involves: 1. Your IdP → SAP Cloud Identity Services 2. SAP Cloud Identity Services → SuccessFactors 3. Additional licensing and configuration for the intermediary service
Cost opacity: Enterprise pricing is custom and typically includes implementation fees of 100-125% of annual software costs. For a 500-person organization upgrading from Full Suite ($28/user/mo):
Additional constraints
Summary of challenges
- SAP SuccessFactors supports SCIM but only at Enterprise tier (Custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What SAP SuccessFactors actually offers for identity
SAP SuccessFactors provides SCIM through SAP Cloud Identity Services, but this requires Enterprise pricing and SAP's broader identity ecosystem:
The challenge: you're not just buying SuccessFactors identity features—you're buying into SAP's entire Cloud Identity Services stack. Implementation fees typically run 100-125% of annual software costs, and you need Enterprise pricing to access SCIM at all. Basic authentication is deprecated in November 2026, forcing a migration to X.509 certificates.
For organizations just wanting straightforward SCIM provisioning, ~80% of SAP's identity bundle is enterprise overhead you don't need.
What IT admins are saying
Community sentiment on SAP SuccessFactors's SCIM implementation centers around SAP ecosystem complexity and authentication challenges. Common complaints:
- Confusion over requiring SAP Cloud Identity Services for proper SCIM support
- Frustration with the upcoming Basic authentication deprecation in November 2026
- Complex implementation requirements with high consulting fees (100-125% of software costs)
- Difficulty navigating SAP's overlapping identity services and documentation
SAP's identity stack is a maze - you need Identity Authentication, Identity Provisioning, and then figure out how it all connects to SuccessFactors. The documentation assumes you already know the SAP ecosystem.
Basic auth is getting killed off next year and we have to migrate to X.509 certificates. Just another SAP complexity tax on top of everything else.
The recurring theme
SAP SuccessFactors SCIM works, but the SAP identity ecosystem complexity and mandatory migrations create unnecessary operational overhead for IT teams.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise tier | Use Stitchflow: avoid complex SAP ecosystem and Enterprise upgrade costs |
| Using basic auth, need to migrate before Nov 2026 | Use Stitchflow: skip X.509 certificate migration complexity |
| Already on Enterprise with SAP Cloud Identity Services | Consider native SCIM: you have the infrastructure |
| HR-driven provisioning to other apps | Use Stitchflow: simpler than SAP Identity Provisioning Service setup |
| Small HR team, minimal user changes | Manual may work: but plan for auth migration deadline |
The bottom line
SAP SuccessFactors gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the SAP SuccessFactors workflow gap
SAP SuccessFactors gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Use SAP Cloud Identity Services for SCIM
- Basic auth deprecated Nov 2026 - migrate to X.509
- Contact SuccessFactors support to enable SAML SSO
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Enterprise required for SCIM
SAP SuccessFactors gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise required for SCIM
SAP SuccessFactors gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
SAP SuccessFactors
SAP SuccessFactors gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
