Stitchflow

Strapi SCIM guide

Connector Only

How to automate Strapi user provisioning, and what it actually costs

Summary and recommendation

Strapi, the popular open-source headless CMS, does not support SCIM provisioning on any plan. While Strapi offers SSO via SAML 2.0 and OIDC on their Enterprise plan (or as an add-on), this only handles authentication—not the automated creation, updating, or deprovisioning of user accounts. IT teams must manually create and manage user accounts in Strapi before employees can authenticate via SSO, creating a significant operational burden for organizations managing content teams across developers, editors, and marketers.

This manual provisioning approach creates serious gaps in user lifecycle management. When employees join, change roles, or leave the organization, IT teams must remember to manually update Strapi access separately from their identity provider changes. For a platform that often handles sensitive content workflows and API access, this manual process introduces compliance risks and leaves former employees with potential access to content management systems.

The strategic alternative

Strapi has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available? No
SCIM tier required: N/A
SSO required first? Yes
SSO available? Yes
SSO protocol: SAML 2.0 / OIDC
Documentation: Not available

Supported identity providers

  • Okta: Strapi supports Okta SSO via SAML/OIDC on Enterprise plan. JIT provisioning available. No SCIM.
  • Microsoft Entra ID: Strapi supports Azure AD SSO via SAML/OIDC on Enterprise plan. JIT provisioning available. No SCIM.
  • Google Workspace: Via third-party. No native support.
  • OneLogin: Via third-party. No native support.

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Strapi accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees

Orphaned accounts (ex-employees with access): 7
Unused licenses: 12
IT hours spent on manual management/year: 101 hours
Unused license cost/year: $3,925
IT labor cost/year: $6,088
Cost of compliance misses/year: $1,741
Total annual financial impact: $11,754

The Strapi pricing problem

Strapi gates SSO behind the Enterprise Edition or a paid add-on, forcing significant cost increases for basic identity integration, and SCIM provisioning is not available on any plan.

Pricing structure

| Plan | Pricing | SSO | SCIM |
|---|---|---|---|
| Essential Cloud | $15-18/month | ❌ Not included | ❌ Not available |
| Self-hosted | Free | ❌ Community plugin only | ❌ Not available |
| Enterprise Edition | Custom pricing (user-based) | ✓ SAML/OIDC | ❌ Not available |

SSO pricing: Enterprise Edition or add-on to Cloud plans (~$15/month per additional admin seat)

What this means in practice

No automated user management: Every Strapi user must either be manually created or provision themselves through SSO login. There's no way to:

  • Pre-provision users before they need access
  • Automatically assign roles based on IdP group membership
  • Bulk update user permissions across your content management team
  • Remove access when employees leave (beyond SSO session termination)

JIT provisioning limitations: While JIT works for basic access, you can't control:

  • Which content types new users can access
  • Default role assignments for different departments
  • Project-specific permissions for multi-tenant setups

Additional constraints

  • Open source complexity: Self-hosted Strapi relies on community SSO plugins with varying quality and support
  • Manual role management: Content editor permissions and admin roles must be configured individually in Strapi
  • No deprovisioning: Terminated employees retain their Strapi user accounts indefinitely unless manually removed
  • Multi-project friction: Each Strapi project requires separate user management - no centralized provisioning across instances

Summary of challenges

  • Strapi does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows that teams manually provisioning this app incur significant hidden costs annually

What Strapi actually offers for identity

SSO (Enterprise plan or paid add-on)

Strapi supports federated authentication through multiple protocols:

| Setting | Details |
|---|---|
| Protocol | SAML 2.0 and OIDC (OIDC recommended) |
| Supported IdPs | Okta, Auth0, Azure AD, Keycloak, Google, AWS Cognito |
| JIT Provisioning | ✓ Yes - creates accounts on first login |
| Configuration | Manual setup via provider configuration files |
| Availability | Enterprise plan or paid add-on for Cloud plans |

What you get with Enterprise SSO:

  • Just-in-time (JIT) provisioning: Users created automatically on first SSO login
  • Multi-protocol support: Both SAML 2.0 and OIDC available
  • Broad IdP compatibility: Works with major enterprise identity providers
  • SP and IdP-initiated flows: Flexible login patterns

What's missing entirely:

  • SCIM provisioning: No automated user lifecycle management
  • Group/role synchronization: No way to map IdP groups to Strapi roles
  • Automated deprovisioning: Users remain active when removed from IdP
  • Bulk user management: All user changes require manual intervention

The reality: Strapi's SSO with JIT provisioning handles initial user creation, but you're still managing the entire user lifecycle manually. When employees leave or change roles, you'll need to update Strapi permissions by hand.
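
The orphaned-account and role-drift gap described above can be caught with a periodic access review. The following is an added example, not Stitchflow's or Strapi's code: it diffs an IdP roster against a Strapi admin-user export. The record fields, group names, group-to-role mapping and sample data are constructed assumptions.

```python
"""Access review: diff an IdP roster against a Strapi admin-user export.

Field names, the group-to-role mapping and all sample records are constructed
assumptions for illustration, not a documented Strapi or IdP export format.
"""

# Hypothetical mapping: IdP group -> Strapi role the team expects members to hold.
GROUP_TO_ROLE = {"cms-admins": "Super Admin", "cms-editors": "Editor", "cms-authors": "Author"}

IDP_USERS = [  # constructed sample roster
    {"email": "Ana@example.com ", "status": "active", "groups": ["cms-editors"]},
    {"email": "bo@example.com", "status": "deprovisioned", "groups": []},
    {"email": "cy@example.com", "status": "active", "groups": ["cms-authors", "sales"]},
]
STRAPI_USERS = [  # constructed sample export
    {"email": "ana@example.com", "blocked": False, "roles": ["Editor"]},
    {"email": "bo@example.com", "blocked": False, "roles": ["Editor"]},
    {"email": "cy@example.com", "blocked": False, "roles": ["Super Admin"]},
    {"email": "dee@example.com", "blocked": False, "roles": ["Author"]},
    {"email": "eli@example.com", "blocked": True, "roles": ["Editor"]},
]

def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()

def review(idp_users, strapi_users, group_to_role=GROUP_TO_ROLE):
    """Return orphaned accounts and role drift for accounts that can still sign in."""
    idp = {norm(u["email"]): u for u in idp_users}
    orphaned, drift = [], []
    for acct in strapi_users:
        if acct.get("blocked"):
            continue  # export already marks the account as disabled (assumed field)
        email = norm(acct["email"])
        person = idp.get(email)
        if person is None or person["status"] != "active":
            reason = "not in IdP" if person is None else "IdP status " + person["status"]
            orphaned.append((email, reason))
            continue
        expected = sorted({group_to_role[g] for g in person["groups"] if g in group_to_role})
        actual = sorted(acct["roles"])
        if actual != expected:
            drift.append((email, expected, actual))
    return {"orphaned": orphaned, "role_drift": drift}

if __name__ == "__main__":
    for kind, rows in review(IDP_USERS, STRAPI_USERS).items():
        for row in rows:
            print(kind, *row)
```

Accounts reported as orphaned still exist in Strapi and have to be removed or blocked there by hand, since nothing propagates the IdP change.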

What IT admins are saying

Strapi's manual provisioning approach creates ongoing headaches for IT teams managing content management access:

  • Manual user creation required - No SCIM means every content editor and developer must be manually added to Strapi projects
  • SSO paywall - Single sign-on requires Enterprise plan or paid add-ons, making basic identity integration expensive
  • Per-seat costs add up - Additional admin seats cost $15/month each, making user management both manual and costly
  • Project-by-project complexity - Multi-project environments require separate user management for each Strapi instance

  • Additional admin seat $15/mo (Strapi Cloud pricing documentation)
  • SSO on Enterprise plan or as add-on (Strapi feature matrix)

The recurring theme

Strapi treats user provisioning as an afterthought, forcing IT teams to choose between expensive Enterprise plans and time-consuming manual user management across multiple content projects.

The decision

| Your Situation | Recommendation |
|---|---|
| Small development team (<10 users) | Manual management with SSO for authentication |
| Stable content team with low turnover | Manual management acceptable, add SSO for security |
| Growing digital agency (20+ users) | Use Stitchflow: automation essential for client projects |
| Enterprise with multiple Strapi instances | Use Stitchflow: automation critical for multi-site management |
| Organizations with strict compliance requirements | Use Stitchflow: automated audit trail and deprovisioning required |

The bottom line

Strapi is an excellent headless CMS, but it lacks any SCIM provisioning capabilities—even on Enterprise plans. While JIT provisioning through SSO helps with onboarding, you're still managing user lifecycle manually. For organizations running multiple Strapi instances or managing large content teams, Stitchflow eliminates the operational overhead.

Make Strapi workflows AI-native

Strapi has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.

  • Covers apps without native SCIM, including the ones without APIs
  • Less than a week, start to finish (~2 hours of your time)
  • Built with your team; extend to anything else in the company

Technical specifications

SCIM Version: Not specified
Supported Operations: Not specified
Supported Attributes: No SCIM provisioning; SSO requires Enterprise or add-on; Open source version has community SSO plugin; OIDC recommended over SAML
Plan requirement: Not specified
Prerequisites: Not specified

Key limitations

  • No SCIM provisioning
  • SSO requires Enterprise or add-on
  • Open source version has community SSO plugin
  • OIDC recommended over SAML

Documentation not available.


Last updated: 2026-01-11

* Pricing and features sourced from public documentation.
