Summary and recommendation
Tableau supports SCIM 2.0 for automated user provisioning across all Tableau Cloud tiers, starting at $75/user/month for Creator licenses. However, SCIM requires SAML SSO to be configured first—you cannot enable SCIM provisioning without SSO. Once SCIM is active, any changes made directly in Tableau Cloud get overwritten by your identity provider, and you cannot disable SAML configuration while SCIM remains enabled.
This creates operational friction for IT teams managing mixed authentication scenarios or organizations that need flexibility in user management approaches. The SAML prerequisite means you're locked into a specific authentication flow, and the overwrite behavior can disrupt workflows when users or admins make direct changes in Tableau that then get reverted during the next sync cycle.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Tableau Cloud without the SAML prerequisite or sync conflicts. Works with any Tableau Cloud tier and any identity provider (Okta, Entra, Google Workspace, OneLogin). Flat pricing under $5K/year with 24/7 human-in-the-loop support.
Quick SCIM facts
| Item | Detail |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC (Salesforce) |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Tableau accounts manually. Here's what that costs:
The Tableau pricing problem
Tableau gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard (Creator) | $75/user/mo | | |
| Standard (Explorer) | $42/user/mo | | |
| Standard (Viewer) | $15/user/mo | | |
| Enterprise (Creator) | $115/user/mo | | |
| Enterprise (Explorer) | $70/user/mo | | |
| Enterprise (Viewer) | $35/user/mo | | |
Note: SCIM is available on all Tableau Cloud tiers, but SAML SSO configuration is a hard prerequisite for activation.
What this means in practice
The SAML dependency creates several operational challenges:
Additional constraints
Summary of challenges
- Tableau supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams provisioning this app manually incur significant hidden costs annually
What the upgrade actually includes
Tableau Cloud includes SCIM 2.0 provisioning across all pricing tiers, but it's not standalone—it requires SAML SSO configuration first and comes bundled with other enterprise identity features:
The SAML SSO requirement creates vendor lock-in—you can't disable SAML while SCIM is active, and any changes made directly in Tableau Cloud get overwritten by your IdP sync. This rigid coupling means you're paying for authentication infrastructure you might not want.
Stitchflow Insight
For teams that just need automated user provisioning without the SSO dependency, you're locked into Tableau's specific identity architecture. We estimate ~60% of these bundled identity features are constraints rather than benefits for organizations with existing SSO solutions.
What IT admins are saying
Community sentiment on Tableau's SCIM implementation is mixed, with most concerns centering on the SAML prerequisite and sync conflicts. Common complaints:
- Having to set up SAML SSO before SCIM can be enabled
- Direct changes made in Tableau Cloud being overwritten by IdP sync
- SAML configuration becoming locked once SCIM is active
- Difficulty troubleshooting when provisioning changes conflict with manual user management
We had users complaining that their site roles kept getting reset after we enabled SCIM. Turns out our manual changes in Tableau were conflicting with what Okta was pushing.
The SAML requirement isn't a deal-breaker, but it does add complexity to the initial setup. Would be nice if SCIM could work standalone.
The recurring theme
While Tableau's SCIM works well once properly configured, the SAML prerequisite and potential for sync conflicts create implementation headaches that require careful planning and ongoing management.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't want SAML SSO | Use Stitchflow: bypass Tableau's SAML prerequisite |
| Already have SAML configured | Use native SCIM: it's included in all Tableau Cloud tiers |
| Have mixed user sources (some non-SSO) | Use Stitchflow: avoid conflicts with direct Tableau changes |
| Need to maintain SAML flexibility | Use Stitchflow: SAML can't be disabled while native SCIM is active |
| Small BI team with stable users | Manual may work: but consider growth and compliance needs |
The bottom line
While Tableau Cloud includes SCIM 2.0 across all tiers, the mandatory SAML prerequisite and rigid coupling create operational constraints many IT teams want to avoid. Stitchflow provides SCIM automation without forcing your SSO architecture decisions.
Automate Tableau without the tier upgrade
Stitchflow delivers SCIM-level provisioning for Tableau through resilient browser automation, backed by 24/7 human-in-the-loop support, at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- SAML SSO must be configured before SCIM
- Changes made in Tableau Cloud directly may be overwritten by IdP
- SAML configuration cannot be disabled while SCIM is active
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Free required for SCIM
Native SCIM is available on Free. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).


