Stitchflow
Back to directory
Splunk logo

Splunk SCIM guide

Native SCIM

How to automate Splunk user provisioning, and what it actually costs

Native SCIM requires Enterprise plan

Summary and recommendation

Splunk supports SCIM, but only for automatic user deprovisioning—not the full lifecycle management most IT teams need. Available on Splunk Cloud 9.1+ (Enterprise tier required), the SCIM integration syncs user deletions from your IdP but won't create new accounts or update user attributes. This means IT teams still handle onboarding manually while only getting automated offboarding, and even that can take up to an hour to process.

This creates a significant operational gap. While SSO handles authentication, you're left manually provisioning every new security analyst, DevOps engineer, or IT administrator who needs Splunk access. Given Splunk's volume-based pricing (starting around $36,500/year for 10GB/day), manual account management becomes a costly bottleneck as teams scale. The compliance risk is equally concerning—without automated provisioning, there's no systematic way to ensure consistent role assignments or track who has access to sensitive security data.

The strategic alternative

Splunk gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available?Yes
SCIM tier requiredEnterprise
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0
DocumentationOfficial docs

Supported identity providers

IdPSSOSCIMNotes
OktaOIN app with full provisioning
Microsoft Entra IDSSO only
Google WorkspaceJIT onlySAML SSO with just-in-time provisioning
OneLoginSupported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Splunk accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Splunk pricing problem

Splunk gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
Splunk Cloud$1,800/year (1GB/day)
Deprovisioning only
Enterprise volumes$50,000-$90,000/year (50GB/day)
Deprovisioning only

Plan Structure

PlanPriceSCIM
Splunk Cloud$1,800/year (1GB/day)Deprovisioning only
Enterprise volumes$50,000-$90,000/year (50GB/day)Deprovisioning only

Note: SCIM functionality is identical across all Splunk Cloud tiers—limited to user deletion sync from your IdP.

What this means in practice

Manual onboarding required: Every new user must be manually created in Splunk, even with SCIM enabled. The integration only automates the removal of users when they're deprovisioned from your IdP.

Attribute drift: User profile changes (role updates, team moves, permission changes) don't sync automatically. IT teams must manually update Splunk user attributes when changes occur in the source system.

Delayed deprovisioning: Delete operations can take up to 1 hour to process, creating a security window where terminated users may still have access.

Additional constraints

IdP-specific setup
SCIM configuration is documented primarily for Okta, with limited guidance for other identity providers.
Complex implementation
Multiple customers report that SCIM setup is not straightforward, often requiring new SAML app configurations.
SHA-256 requirement
Splunk Cloud requires SHA-256 signature algorithm, which may necessitate SAML app reconfiguration.
Version dependency
Requires Splunk Cloud 9.1 or later for SCIM support.

Summary of challenges

  • Splunk supports SCIM but only at Enterprise tier (custom pricing)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What the upgrade actually includes

Splunk doesn't sell SCIM as a standalone feature. It's bundled with Splunk Cloud Enterprise pricing, which starts around $1,800/year for minimal usage (1GB/day):

SCIM automated deprovisioning (Okta only)
SAML single sign-on (SSO)
Cloud-native data platform capabilities
Advanced security and compliance features
Enterprise-grade SLA and support
Multi-site deployment options
Federated search across deployments

The catch: Splunk's SCIM only handles user deprovisioning, not full lifecycle management. You can't create users or update attributes automatically—just remove access when someone leaves. Delete operations can take up to an hour to process.

Stitchflow Insight

If you're already using Splunk for SIEM/observability and need the enterprise features, the upgrade makes sense. But if you just want complete automated provisioning, you're paying enterprise prices for a half-implemented SCIM solution. We estimate ~80% of Enterprise features are irrelevant for teams that only need full user lifecycle automation.

What IT admins are saying

Community sentiment on Splunk's SCIM implementation reveals significant frustration with its limited scope and complex setup. Common complaints:

  • SCIM only handles deprovisioning, not full user lifecycle management
  • Setup process is confusing and not straightforward in Okta
  • Delete operations can take up to an hour to process
  • May require creating entirely new SAML apps just to enable SCIM support

SCIM setup not straightforward

Splunk Community

Confusing Okta UI for SCIM setup

IT Admin feedback

The recurring theme

Splunk's SCIM feels like an afterthought - it only handles the bare minimum (user deletion) while creating unnecessary complexity for what should be basic identity automation.

The decision

Your SituationRecommendation
Need full user lifecycle managementUse Stitchflow: Splunk's SCIM only handles deprovisioning
Want automated provisioning without Enterprise costsUse Stitchflow: avoid the $50K-90K/year Enterprise requirement
Already on Splunk Cloud EnterpriseUse native SCIM: you're paying for it, though it's limited
Using Azure AD or other non-Okta IdPsUse Stitchflow: native SCIM only documented for Okta
Small security team, infrequent user changesManual may work: but monitor for orphaned accounts

The bottom line

Splunk gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.

Make Splunk workflows AI-native

Splunk gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.

No Enterprise upgrade required
Less than a week, start to finish (~2 hours of your time)
We maintain the integration layer underneath
Book a Demo

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Enterprise

Prerequisites

SSO must be configured first

Key limitations

  • SCIM primarily for deprovisioning only
  • Delete operations can take up to 1 hour
  • Some Okta apps may not support SCIM
  • Requires SHA-256 signature
  • May need new SAML app for SCIM support
View Official Documentation

Configuration for Okta

Integration type

Okta Integration Network (OIN) app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Splunk → Provisioning

Required credentials

SCIM endpoint URL and bearer token (generated in app admin console).

Configuration steps

Enable Create Users, Update User Attributes, and Deactivate Users.

Provisioning trigger

Okta provisions based on app assignments (users or groups).

Docs

Okta integrationSplunk SCIM setup

SCIM integration primarily for automatic user deprovisioning. Delete operations can take up to 1 hour. May require new SAML app for SCIM support.

Splunk gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.

Unlock SCIM for
Splunk

Splunk gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.

See how it works
Admin Console
Directory
Applications
Splunk logo
Splunk
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Amplitude logo

Amplitude

SCIM Tax

Product Analytics

SCIM StatusIncluded
Manual Cost$11,754/yr

Amplitude supports SCIM provisioning, but only on Growth plans (starting around $36K/year) or Enterprise plans with custom pricing. While Amplitude's SCIM implementation covers the core functionality—creating, updating, and deactivating users—it requires SCIM to be specifically enabled for your organization, and regenerating the SCIM key immediately invalidates existing integrations without warning. For product teams on Plus plans ($49/month), upgrading to Growth just to unlock SCIM means jumping from under $600/year to $36,000+/year—a 60x increase. That's often more than the entire analytics budget for smaller product teams. The gap becomes particularly problematic for cross-functional product teams where analysts, PMs, and engineers need varying levels of access to user behavior data, but manual provisioning creates security risks around sensitive analytics permissions.

View full guide
Bill.com logo

Bill.com

SCIM Tax

Accounts Payable / Receivable Automation

SCIM StatusIncluded
Manual Cost$11,754/yr

Bill.com offers inconsistent SCIM provisioning support that varies dramatically by identity provider. While Okta users can access SCIM provisioning through the OIN integration, Bill.com doesn't publish native SCIM documentation, and other IdPs like Entra ID are limited to SAML SSO only. This fragmented approach means your provisioning capabilities depend entirely on your IdP choice rather than Bill.com's platform features. For finance teams managing sensitive AP/AR workflows where user access directly impacts invoice approvals and payment processing, this inconsistency creates operational gaps—especially when onboarding new controllers, AP clerks, or accountants requires manual role assignment tied to spending limits and approval hierarchies. The real problem is that Bill.com gates all SSO functionality behind Enterprise plans with custom pricing (typically 2-3x their Corporate plan at $79/user/month), yet still provides no clear path to automated provisioning for most customers. Since financial systems require precise role-based access controls for SOX compliance and segregation of duties, manual user management creates both security risks and administrative overhead. When employees change departments or leave the company, orphaned accounts in payment systems pose significant financial and compliance risks that manual processes often miss.

View full guide
Bitwarden logo

Bitwarden

SCIM Tax

Password Manager / Secrets Management

SCIM StatusIncluded
Manual Cost$11,754/yr

Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords. This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.

View full guide