Summary and recommendation
Stripe supports SCIM 2.0 for automated user provisioning, but only for accounts with SSO enabled—which typically requires a custom enterprise agreement. The SCIM implementation is currently in private preview and limited to basic user lifecycle (create/deactivate), with role management handled separately through SAML attribute statements rather than SCIM groups.
This creates a critical gap for payment teams: while users can be provisioned automatically, their Dashboard permissions must be managed through SAML attributes, and deactivated users aren't immediately locked out due to SAML session limitations. For financial systems handling sensitive payment data, this delay in access revocation poses a real compliance risk—especially problematic given PCI requirements for immediate access control.
The strategic alternative
Stripe gates SCIM behind Enterprise / Custom. Skip the Enterprise / Custom plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Stripe accounts manually. Here's what that costs:
The Stripe pricing problem
Stripe gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | 2.9% + $0.30 per transaction | | |
| Enterprise | Custom pricing | | |
What this means in practice
Enterprise pricing is negotiated case-by-case, but typically involves:
For payment platforms handling sensitive financial data, this creates a difficult choice: pay enterprise rates for proper access controls, or manage Stripe access manually despite PCI compliance requirements.
Additional constraints
Summary of challenges
- Stripe supports SCIM, but only at the Enterprise tier (custom pricing, SSO/SCIM included)
- Lower tiers may include SSO but exclude SCIM provisioning
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Stripe doesn't sell SCIM standalone. It's bundled with Enterprise SSO features and requires a custom agreement:
The catch: Stripe's SCIM is essentially incomplete. Role management happens through SAML attributes, not SCIM attributes. User revocation isn't immediate—Stripe only learns about deactivated users when they attempt to log in again. For instant access removal, you still need to manually delete users from the Dashboard.
If you're already paying for Stripe's enterprise agreement for other reasons, the SSO features are included. But if you just want proper automated provisioning, you're paying enterprise prices for a half-finished SCIM implementation that still requires manual intervention for security-critical deprovisioning.
What IT admins are saying
Community sentiment on Stripe's SCIM implementation reveals frustration with the technical limitations and access control gaps. Common complaints:
- SCIM being in private preview with limited functionality
- Role management handled through SAML attributes instead of SCIM groups
- Delayed user revocation due to SAML dependency (only detected on next login)
- Manual user deletion required for immediate access removal
The biggest issue is that Stripe isn't notified when a user is revoked in the IdP until they try to log in again. For payment systems, that's a serious compliance gap.
Having to manage roles through SAML attributes while provisioning through SCIM creates this weird split-brain situation. It's not clean.
The recurring theme
Stripe's hybrid approach creates operational complexity and security gaps that are particularly problematic for financial systems requiring immediate access revocation.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise | Use Stitchflow: avoid the custom enterprise pricing jump |
| Have enterprise agreement, SCIM included | Use native SCIM: you're already paying for it |
| Critical payment systems requiring instant deprovisioning | Use Stitchflow: we handle immediate revocation unlike SAML's login-dependent delays |
| Small finance team with low turnover | Manual may work: but monitor closely given payment dashboard sensitivity |
| Need granular role management with provisioning | Evaluate both: Stripe's SAML role attributes vs Stitchflow's unified approach |
The bottom line
Stripe's SCIM requires enterprise-level agreements and comes with SAML revocation delays that create compliance gaps for payment systems. For teams needing immediate deprovisioning and enterprise-grade automation without custom pricing, Stitchflow delivers the security financial operations demand.
Make Stripe workflows AI-native
Stripe gates SCIM behind Enterprise / Custom. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Roles managed via SAML attributes, not SCIM
- SAML limitations mean Stripe isn't notified of IdP user revocation until next login attempt
- Azure AD has fixed 40-minute provisioning interval
- RSA-SHA256 signature algorithm required
- SCIM in private preview - limited to User provisioning (no groups)
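An added example, not Stripe's or Stitchflow's code: because a deactivation in the IdP is only noticed at the next login attempt, a periodic reconciliation can list the Dashboard team members that still need manual deletion. The CSV column names and sample rows are constructed for illustration; substitute the exports your IdP and Dashboard actually produce.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample exports; column names are hypothetical, not a Stripe or IdP format.
IDP_EXPORT = """email,status,deactivated_at
alice@example.com,ACTIVE,
bob@example.com,DEACTIVATED,2024-05-01T09:00:00+00:00
carol@example.com,DEACTIVATED,2024-05-03T17:30:00+00:00
"""
DASHBOARD_EXPORT = """email,role
Alice@example.com,Administrator
BOB@example.com,Developer
dave@example.com,Analyst
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def stale_members(idp_rows, dashboard_rows, now):
    """Return Dashboard members that need manual removal, most urgent first."""
    # Emails are compared case-insensitively; exports often differ in casing.
    idp = {r["email"].strip().lower(): r for r in idp_rows}
    findings = []
    for member in dashboard_rows:
        email = member["email"].strip().lower()
        record = idp.get(email)
        if record is None:
            # Account exists in the Dashboard but the IdP has never heard of it.
            reason, hours = "not_in_idp", None
        elif record["status"].strip().upper() != "ACTIVE":
            reason, hours = "deactivated_in_idp", None
            if record["deactivated_at"]:
                since = datetime.fromisoformat(record["deactivated_at"])
                hours = round((now - since).total_seconds() / 3600, 1)
        else:
            continue  # active in the IdP: nothing to do
        findings.append({"email": email, "role": member["role"],
                         "reason": reason, "hours_exposed": hours})
    # Unknown exposure sorts first, then the longest-standing deactivations.
    findings.sort(key=lambda f: (f["hours_exposed"] is not None,
                                 -(f["hours_exposed"] or 0)))
    return findings

if __name__ == "__main__":
    for f in stale_members(load(IDP_EXPORT), load(DASHBOARD_EXPORT),
                           datetime.now(timezone.utc)):
        print(f)
```
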
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Okta integration supports SSO, SCIM, entitlements, universal logout, workflows, and ISPM. Group Linking and Schema Discovery available.
Stripe gates SCIM behind Enterprise / Custom. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Azure AD SCIM provisioning available. Fixed 40-minute sync interval. Copy SCIM endpoint URL and API key to configure.


