Summary and recommendation
Shopify supports native SCIM 2.0 provisioning, but only on Shopify Plus—their enterprise tier that starts at $2,300/month (minimum $27,600/year). For merchants on Standard, Shopify, or Advanced plans ($29-$299/month), there's no automated provisioning whatsoever. This creates a massive pricing gap: you either pay $299/month with manual user management, or jump to $2,300/month for automation—an 8x increase that puts SCIM out of reach for most merchants.
For e-commerce businesses, especially during peak seasons, this limitation creates real operational pain. Retailers need to rapidly onboard seasonal staff, manage multi-location access, and ensure former employees immediately lose access to customer data and payment systems. Without SCIM, IT teams manually provision every holiday temp worker and customer service rep—a process that's both time-intensive and creates compliance risks in an industry handling sensitive payment data.
The strategic alternative
Shopify gates SCIM behind Plus. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Shopify accounts manually. Here's what that costs:
The Shopify pricing problem
Shopify gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Basic | $29/mo | ✗ | ✗ |
| Shopify | $79/mo | ✗ | ✗ |
| Advanced | $299/mo | ✗ | ✗ |
| Plus | $2,300-$2,500/mo | ✓ | ✓ |
Note: Plus pricing varies with revenue (0.3-0.4% of monthly sales), with a minimum of $2,300/mo and a cap of $40,000/mo. The tier shown reflects the minimum commitment.
What this means in practice
For merchants requiring SCIM access, the upgrade costs are substantial:
| Current Plan | Annual Upgrade to Plus | Cost Increase |
|---|---|---|
| Basic ($29/mo) | +$27,252/year | 970% increase |
| Shopify ($79/mo) | +$26,772/year | 860% increase |
| Advanced ($299/mo) | +$24,012/year | 670% increase |
This represents one of the steepest SCIM upgrade penalties in enterprise software.
Additional constraints
Summary of challenges
- Shopify supports SCIM, but only at the Enterprise tier (Plus, $2,300-$2,500/mo depending on a 3-year vs 1-year term)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Shopify doesn't sell SCIM à la carte. It's bundled with Shopify Plus features:
The real issue: you're paying $27,600+ annually for features like checkout customization and script editing when you just want automated user provisioning. Plus requires domain verification and SAML setup before SCIM works—a multi-step process that smaller merchants find unnecessarily complex.
Stitchflow Insight
The Plus upgrade delivers powerful e-commerce features, but most are irrelevant if you just need identity management. We estimate ~80% of Plus features focus on advanced storefront customization, multi-store management, and enterprise sales tools that typical IT teams never touch.
What IT admins are saying
Community sentiment on Shopify's SCIM implementation centers on pricing barriers and complexity. Common complaints:
- Plus pricing ($2,300-$2,500/mo) puts SCIM completely out of reach for smaller merchants
- Multi-step setup requiring domain verification and SAML configuration before SCIM
- Complete lack of SSO/SCIM on standard Shopify plans despite managing sensitive customer data
- Revenue-based pricing model that penalizes successful businesses with higher identity costs
Plus pricing puts SCIM out of reach for smaller merchants who still need to manage seasonal staff and protect customer data.
You have to verify your domain AND set up SAML before you can even generate a SCIM token - it's unnecessarily complex for what should be basic identity management.
The recurring theme
Shopify treats identity management as a luxury enterprise feature rather than a security fundamental, forcing smaller e-commerce businesses to manage user access manually despite handling sensitive payment and customer data.
The decision
| Your Situation | Recommendation |
|---|---|
| On Basic/Shopify/Advanced, need SCIM | Use Stitchflow: avoid the $2,300+/month Plus upgrade |
| On Plus but struggling with SAML prerequisite complexity | Use Stitchflow: bypass the multi-step domain verification dance |
| Already on Plus with SAML configured | Use native SCIM: you're paying $27K+/year for it |
| Need Plus features for multi-store management | Evaluate Plus: SCIM comes bundled with expansion stores |
| Small shop with low seasonal staff turnover | Manual may work: but monitor for holiday hiring gaps |
The bottom line
Shopify gates SCIM behind Plus. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Shopify workflow gap
Shopify gates SCIM behind Plus, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM only on Shopify Plus (enterprise tier)
- Domain must be verified before SCIM setup
- SAML must be configured before SCIM token generation
- Only manages users associated with verified domain
- Okta Group Push not supported
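An access-review check built around the verified-domain limitation above, as an added example (not Shopify's or Stitchflow's code): it compares a staff export with the IdP directory to find accounts SCIM will not manage and leavers who still have access. The `review_staff` function, the record fields, the sample data and the exact-match domain comparison are assumptions made for illustration.

```python
# Added example: access review for the "verified domain" SCIM limitation.
# Record shapes and all sample data are constructed; adapt to your exports.

def review_staff(idp_users, shop_staff, verified_domain):
    """Classify active store staff accounts against the IdP directory.

    idp_users / shop_staff: iterables of {"email": str, "active": bool}.
    Returns {"unmanaged_domain": [...], "orphaned": [...], "ok": [...]}.
    """
    domain = verified_domain.strip().lower()
    idp_active = {u["email"].strip().lower() for u in idp_users if u["active"]}
    findings = {"unmanaged_domain": [], "orphaned": [], "ok": []}
    for staff in shop_staff:
        if not staff["active"]:
            continue  # already deactivated, nothing to review
        email = staff["email"].strip().lower()
        # Compare the whole domain after the last "@". A suffix match would
        # wrongly accept look-alikes such as "notexample.com". Exact match
        # (subdomains excluded) is an assumption of this example.
        email_domain = email.rpartition("@")[2]
        if email_domain != domain:
            # Outside the verified domain: SCIM will not deprovision it.
            findings["unmanaged_domain"].append(email)
        elif email not in idp_active:
            # In the verified domain but inactive or unknown in the IdP.
            findings["orphaned"].append(email)
        else:
            findings["ok"].append(email)
    return {kind: sorted(emails) for kind, emails in findings.items()}

# Constructed sample data (not real accounts).
IDP = [
    {"email": "ana@example.com", "active": True},
    {"email": "bo@example.com", "active": False},   # offboarded in the IdP
]
SHOP = [
    {"email": "Ana@Example.com", "active": True},
    {"email": "bo@example.com", "active": True},         # leaver, still active
    {"email": "temp.holiday@gmail.com", "active": True}, # seasonal, personal mail
    {"email": "cy@notexample.com", "active": True},      # look-alike domain
    {"email": "old@example.com", "active": False},
]

if __name__ == "__main__":
    for kind, emails in review_staff(IDP, SHOP, "example.com").items():
        print(f"{kind}: {emails}")
```

Accounts reported as `unmanaged_domain` need a manual offboarding step even when SCIM is enabled; `orphaned` accounts should be deactivated first.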
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM provisioning with user lifecycle management. Supports Group Linking, Schema Discovery, Attribute Writeback. Role provisioning available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft Entra provisioning service supports automatic user/group provisioning. Base URL: https://shopifyscim.com/scim/v2/


