Summary and recommendation
Spacelift, the infrastructure-as-code management platform, does not support SCIM provisioning on any plan despite user requests for this functionality. While Spacelift offers SAML 2.0 and OIDC SSO integration with identity providers like Okta and Azure AD, SSO is only available on Enterprise plans and requires custom pricing. More critically, SSO only handles authentication - IT teams must still manually create, update, and deactivate user accounts within Spacelift. IdP group memberships can be referenced in login policies, but users aren't automatically provisioned based on those groups.
This creates a significant operational burden for IT teams managing infrastructure access. Unlike typical SaaS applications, Spacelift controls access to critical infrastructure resources and deployment pipelines. Manual user management means delayed onboarding for new developers, potential security gaps when team members change roles, and compliance risks when departing employees aren't promptly deprovisioned from infrastructure management tools. The lack of automated group-based provisioning is particularly problematic given Spacelift's role-based access model for different infrastructure environments and deployment workflows.
The strategic alternative
Spacelift has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No Okta OIN app. Supports SSO via SAML 2.0 or OIDC with Okta. SSO is Enterprise plan only. |
| Microsoft Entra ID | ✓ | ❌ | Supports Azure AD via SAML or OIDC for SSO. No SCIM provisioning available. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Spacelift accounts manually. Here's what that costs:
The Spacelift pricing problem
Spacelift gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | $399/mo (up to 10 users) | ❌ | ❌ |
| Business | Custom pricing | ❌ | ❌ |
| Enterprise | Custom pricing | ✓ | ❌ |
What this means in practice
Without SCIM, Spacelift user management creates operational overhead:
Summary of challenges
- Spacelift does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What Spacelift actually offers for identity
SSO (Enterprise plan required)
Spacelift provides federated authentication through standard protocols:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 or OIDC |
| Supported IdPs | Okta, Entra ID, Google Workspace, any SAML/OIDC provider |
| Plan requirement | Enterprise tier only |
| User management | Manual or JIT provisioning |
Critical gap: While SSO handles authentication, there's no automated user lifecycle management. Users must be manually added to Spacelift before they can access resources.
What's missing entirely
Spacelift has no SCIM endpoint or automated provisioning capabilities:
| Feature | Supported? |
|---|---|
| Create users | ❌ Manual only |
| Update user attributes | ❌ Manual only |
| Deactivate users | ❌ Manual only |
| Group synchronization | ❌ No |
| Role assignment automation | ❌ Manual only |
Real-world impact: IT teams manage Spacelift access through manual processes. When employees join, change roles, or leave, someone must remember to update Spacelift permissions separately from your IdP.
IdP Integration Status
Neither Okta nor Entra ID offers a native Spacelift provisioning app.
This leaves teams with SSO for authentication but manual user management for everything else.
What IT admins are saying
Community sentiment on Spacelift's provisioning reveals frustration with manual user management:
- Users must be manually added to Spacelift workspaces even after SSO is configured
- No automated deprovisioning when employees leave the organization
- SSO requires expensive Enterprise plan, blocking automation for smaller teams
- IdP group memberships can inform login policies but don't trigger user creation
"We've been asking for SCIM support for a while now. Having to manually manage users in Spacelift when we have everything automated through Okta is a pain point."
"SSO works great but you still have to go into Spacelift and manually add each user to the right spaces. Defeats the purpose of having centralized identity management."
The recurring theme
Spacelift forces IT teams to maintain a separate user management process outside their identity provider, creating operational overhead and security gaps when user access isn't automatically revoked.
The decision
| Your Situation | Recommendation |
|---|---|
| Small infrastructure team (<10 users) | Manual management acceptable for now |
| Growing DevOps team (10-50 users) | Use Stitchflow: automation prevents bottlenecks |
| Enterprise with compliance requirements | Use Stitchflow: automated provisioning essential for audit trails |
| Multi-team infrastructure access | Use Stitchflow: centralized user management critical |
| High developer turnover environment | Use Stitchflow: instant deprovisioning reduces security risk |
The bottom line
Spacelift has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.
Close the Spacelift workflow gap
Spacelift is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.
Technical specifications
SCIM Version
Not specified
Supported Operations
Not specified
Supported Attributes
Plan requirement
Not specified
Prerequisites
Not specified
Key limitations
- No SCIM support - feature requested by users but not implemented
- Users must be manually added/removed or rely on SSO JIT
- SSO (SAML/OIDC) requires Enterprise plan
- IdP group memberships can be used in login policies but not auto-provisioned
Documentation not available.


