Secureframe SCIM guide

Amplitude supports SCIM provisioning, but only on Growth plans (starting around $36K/year) or Enterprise plans with custom pricing. While Amplitude's SCIM implementation covers the core functionality—creating, updating, and deactivating users—it requires SCIM to be specifically enabled for your organization, and regenerating the SCIM key immediately invalidates existing integrations without warning. For product teams on Plus plans ($49/month), upgrading to Growth just to unlock SCIM means jumping from under $600/year to $36,000+/year—a 60x increase. That's often more than the entire analytics budget for smaller product teams. The gap becomes particularly problematic for cross-functional product teams where analysts, PMs, and engineers need varying levels of access to user behavior data, but manual provisioning creates security risks around sensitive analytics permissions.

Bill.com offers inconsistent SCIM provisioning support that varies dramatically by identity provider. While Okta users can access SCIM provisioning through the OIN integration, Bill.com doesn't publish native SCIM documentation, and other IdPs like Entra ID are limited to SAML SSO only. This fragmented approach means your provisioning capabilities depend entirely on your IdP choice rather than Bill.com's platform features. For finance teams managing sensitive AP/AR workflows where user access directly impacts invoice approvals and payment processing, this inconsistency creates operational gaps—especially when onboarding new controllers, AP clerks, or accountants requires manual role assignment tied to spending limits and approval hierarchies. The real problem is that Bill.com gates all SSO functionality behind Enterprise plans with custom pricing (typically 2-3x their Corporate plan at $79/user/month), yet still provides no clear path to automated provisioning for most customers. Since financial systems require precise role-based access controls for SOX compliance and segregation of duties, manual user management creates both security risks and administrative overhead. When employees change departments or leave the company, orphaned accounts in payment systems pose significant financial and compliance risks that manual processes often miss.

Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords. This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.