Summary and recommendation
Smarsh offers native SCIM support, but only on Enterprise plans (up to $50/user/month for 1000+ users). The implementation has significant limitations: it uses outdated SCIM 1.1 for some integrations, requires immutable configuration decisions (unique identifiers and custom attributes must be locked in before setup), and completely prevents manual user management once provisioning is enabled. For organizations on Pro plans ($15/user/month), upgrading to Enterprise represents a 3x+ cost increase purely for provisioning capabilities.
These restrictions create operational headaches for IT teams. The inability to modify user data manually after enabling SCIM means any configuration mistakes require starting over. The SCIM 1.1 protocol limitation reduces compatibility with modern identity providers that prefer SCIM 2.0. Combined with no free trial to test the integration, IT teams face significant risk and cost commitment upfront.
The strategic alternative
Smarsh gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Smarsh accounts manually. Here's what that costs:
The Smarsh pricing problem
Smarsh gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Pro | From $15/user/mo | ❌ |
| Business | Custom | ❌ |
| Enterprise | Up to $50/user/mo | ✓ |
What this means in practice
Using the pricing range (Pro → Enterprise for SCIM access):
| Team Size | Annual Upgrade Cost |
|---|---|
| 50 users | Up to $21,000/year |
| 100 users | Up to $42,000/year |
| 200 users | Up to $84,000/year |
Calculation: ($50 - $15) × users × 12 months (maximum pricing scenario)
Additional constraints
Summary of challenges
- Smarsh supports SCIM, but only at the Enterprise tier (up to $50/user/month for 1000+ users)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Smarsh doesn't sell SCIM à la carte. It's bundled with Enterprise-level compliance and archiving features:
Additionally, Smarsh's SCIM implementation has rigid requirements - the Unique Identifier must be set before configuration and cannot be changed later, and once provisioning is enabled, manual user modifications are blocked entirely.
Stitchflow Insight
The upgrade makes sense if you need enterprise-grade compliance archiving anyway. But if you just want automated user provisioning for a smaller compliance use case, you're paying Enterprise prices (up to $50/user/month) for advanced archiving features you likely don't need. We estimate ~80% of Enterprise features are overkill for teams that only need basic user provisioning and compliance.
What IT admins are saying
Community sentiment on Smarsh's SCIM implementation reveals frustration with outdated standards and inflexible configuration. Common complaints:
- Being locked into SCIM 1.1 (a decade-old standard) for Okta integrations
- Permanent configuration decisions that can't be changed after setup
- Loss of manual user management once SCIM is enabled
- Enterprise-tier requirement blocking smaller compliance teams
Once you enable SCIM provisioning, you lose the ability to manually modify user data in Smarsh. That's a pretty significant limitation when you need flexibility.
The fact that they're still using SCIM 1.1 in 2024 is concerning. Most modern platforms moved to 2.0 years ago for good reason.
The recurring theme
Smarsh forces expensive Enterprise upgrades for basic provisioning, then locks you into inflexible configurations using outdated SCIM standards.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro/Business plans, need SCIM | Use Stitchflow: avoid the Enterprise upgrade that can cost $35-50/user/month |
| Already on Enterprise with native SCIM | Use native SCIM: you're paying for it, despite the SCIM 1.1 limitations |
| Using PingFederate or complex IdP setup | Use Stitchflow: skip the custom configuration headaches |
| Need provisioning but locked into SCIM 1.1 constraints | Use Stitchflow: get modern SCIM 2.0-level automation without protocol limitations |
| Small team with infrequent user changes | Manual may work: but watch for compliance gaps in archiving access |
The bottom line
Smarsh's Enterprise-only SCIM requirement forces a costly tier upgrade, and even then you're stuck with the outdated SCIM 1.1 protocol and inflexible configuration constraints. For organizations needing reliable user provisioning without the Enterprise price tag or technical limitations, Stitchflow delivers modern automation at <$5K/app/year.
Make Smarsh workflows AI-native
Smarsh gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
None
Key limitations
- Uses SCIM 1.1 (older standard) for some integrations
- Unique Identifier must be determined before setup - cannot be changed later
- Once provisioning is enabled, user data cannot be manually modified
- Custom attributes must be identified before implementation
- PingFederate specific configuration may be required
- No free trial available
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Smarsh supports SCIM 1.1 (not 2.0) for user provisioning
Smarsh gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Capture Mobile uses SCIM 2.0 with Entra ID non-gallery application
Unlock SCIM for Smarsh
Smarsh gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade, avoiding a 233% markup.


