Summary and recommendation
Segment supports SCIM provisioning, but only on Business tier plans with custom pricing that typically runs $983-3,500/month for 50K MTU. Beyond the pricing barrier, Segment requires SSO to be configured first before enabling SCIM, and workspace owners must handle all configuration manually. JIT provisioning creates read-only members by default, leaving IT teams with incomplete automation for a customer data platform handling sensitive information.
For data teams managing customer data pipelines, this creates a significant access control gap. SSO alone doesn't solve workspace-level permissions for sources and destinations—you need proper SCIM to ensure data engineers get appropriate pipeline access while marketers and analysts get reporting access. Without automated role mapping, IT teams face manual provisioning for every data platform user, creating compliance risks in environments processing customer PII.
The strategic alternative
Segment gates SCIM behind Business. Skip the Business plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Segment accounts manually. Here's what that costs:
The Segment pricing problem
Segment gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 | ||
| Team | $120/mo (10K MTU) | ||
| Business | ~$983-3,500/mo (50K MTU) | ||
| Enterprise | Custom |
Note: Business tier pricing is negotiated based on Monthly Tracked Users (MTU) volume, with typical discounts of 72-80% off list prices. SCIM requires SSO to be configured first.
What this means in practice
The jump from Team to Business represents an 8-29x price increase, depending on negotiated rates:
| Current Team Plan | Business Upgrade (Low End) | Business Upgrade (High End) |
|---|---|---|
| $120/mo | +$863/mo (+$10,356/year) | +$3,380/mo (+$40,560/year) |
This pricing gap creates a significant barrier for mid-market companies that need SCIM but don't require the advanced analytics and governance features bundled in Business tier.
Additional constraints
Summary of challenges
- Segment supports SCIM but only at Business tier (Custom)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Segment doesn't sell SCIM separately. It's bundled with Business tier and higher, which includes:
The catch: SSO must be configured first before you can even set up SCIM. This means you're locked into both features whether you need SSO or not.
Stitchflow Insight
If you're already paying for Business tier for Segment's advanced CDP features, adding SCIM is straightforward. But if you're on the Team plan ($120/month) and only need user provisioning, you're looking at a ~8-30x price jump to custom Business pricing just to automate user management. We estimate ~60% of Business tier features are irrelevant for teams that simply want automated provisioning without the full enterprise identity stack.
What IT admins are saying
Community sentiment on Segment's SCIM implementation centers on the prerequisite requirements and tier restrictions. Common complaints:
- Business tier requirement creating significant cost barriers for smaller data teams
- SSO connection must be configured before SCIM can be enabled
- Only workspace owners can set up SSO/SCIM, creating bottlenecks
- JIT provisioning defaults to read-only access, requiring manual role adjustments
Having to set up SSO first just to get SCIM working adds unnecessary complexity - especially when you're just trying to automate user provisioning.
The Business tier pricing jump is brutal when all you need is basic user provisioning for your data pipeline team.
The recurring theme
Segment treats SCIM as an enterprise add-on rather than a standard identity management feature, forcing teams into expensive tiers and complex prerequisite configurations for basic automation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team plan ($120/mo), need SCIM | Use Stitchflow: avoid the Business tier jump to ~$983-3,500/mo |
| On Business tier but SSO/SCIM setup seems complex | Use Stitchflow: skip the SSO prerequisite and workspace owner requirements |
| Already on Business tier with SSO configured | Use native SCIM: you're paying for it and have the prerequisites |
| Need advanced Segment features beyond SCIM | Consider Business tier: SCIM comes bundled with other capabilities |
| Small data team, infrequent access changes | Manual may work: but monitor customer data access carefully |
The bottom line
Segment gates SCIM behind Business. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Segment workflows AI-native
Segment gates SCIM behind Business. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- Business tier required
- SSO connection must be created before SCIM
- Only workspace owners can configure SSO/SCIM
- JIT creates minimal-access (read-only) members by default
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Business required for SCIM
Segment gates SCIM behind Business. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Business required for SCIM
Segment gates SCIM behind Business. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Segment
Segment gates SCIM behind Business plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
