Summary and recommendation
Terraform Cloud does not support SCIM provisioning on any plan, including Enterprise. While HashiCorp provides robust SAML 2.0 and OIDC SSO integration with team membership sync via SAML assertions, this only handles authentication and group assignments—not user lifecycle management. User accounts must still be manually created in Terraform Cloud before team members can access workspaces, even with SSO enabled.
This creates a significant operational gap for DevOps teams managing infrastructure-as-code at scale. Without automated provisioning, IT administrators must manually onboard developers and platform engineers into Terraform Cloud workspaces, then remember to deprovision access when team members leave or change roles. Given Terraform Cloud's role in managing critical infrastructure resources, this manual process introduces both security risks and compliance challenges that scale poorly with team growth.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Terraform Cloud without requiring any custom development work. Works with any Terraform Cloud plan and integrates with Okta, Entra, Google Workspace, and OneLogin. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 / OIDC |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | SSO with SAML 2.0 and team sync via SAML assertions. JIT provisioning. No SCIM provisioning. |
| Microsoft Entra ID | ✓ | ❌ | SSO supported via SAML 2.0. No native SCIM provisioning in Entra gallery. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Terraform Cloud accounts manually. Here's what that costs:
The Terraform Cloud pricing problem
Terraform Cloud gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (up to 500 resources) | ||
| Standard | ~$1/month per 1000 resources | ||
| Plus | Contact sales | ||
| Enterprise | From $15,000/year (self-hosted) |
Pricing structure
| Plan | Price | SCIM |
|---|---|---|
| Free | $0 (up to 500 resources) | ❌ |
| Standard | ~$1/month per 1000 resources | ❌ |
| Plus | Contact sales | ❌ |
| Enterprise | From $15,000/year (self-hosted) | ❌ |
Note: Terraform Cloud moved to resource-based pricing (RUM) in 2023. The free tier ends March 31, 2026.
What this means in practice
Manual account creation for all plans: Even with SSO configured, IT teams must manually create user accounts in Terraform Cloud before employees can authenticate. This applies to all pricing tiers, including Enterprise.
SAML team sync limitations: While team membership can sync via SAML assertions, this doesn't eliminate the initial manual provisioning step. Users still need accounts created before they can be assigned to teams.
Resource-based billing complexity: The shift to resource-based pricing means costs can scale unpredictably with infrastructure growth, but provisioning remains manual regardless of spend level.
Additional constraints
Summary of challenges
- Terraform Cloud does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Terraform Cloud actually offers for identity
SAML/OIDC SSO (all paid plans)
Terraform Cloud provides federated authentication with team synchronization:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 or OIDC |
| Supported IdPs | Okta, Azure AD, ADFS, generic SAML/OIDC |
| Team sync | Via SAML assertions |
| JIT provisioning | Supported |
| User requirement | Accounts must exist before first login |
Critical limitation: While JIT provisioning creates accounts on first login, there's no automated way to pre-provision users or handle deprovisioning when employees leave.
Okta Integration (via OIN)
The official Okta Integration Network listing for Terraform Cloud shows:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| OIDC SSO | ✓ Yes |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ✓ Via SAML assertions only |
Microsoft Entra Integration
Similar story with Azure AD - SSO works, but no native provisioning capabilities:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| Automatic provisioning | ❌ No |
| User lifecycle management | ❌ No |
The problem: DevOps teams need automated user lifecycle management as engineers join projects, change teams, or leave the company. Terraform Cloud's current identity features require manual intervention for every user addition, modification, or removal - creating security gaps and administrative overhead for platform teams managing infrastructure access.
What IT admins are saying
Terraform Cloud's lack of SCIM provisioning creates manual overhead for DevOps teams managing infrastructure access:
The infrastructure-as-code space attracts security-conscious organizations, yet Terraform Cloud forces IT teams into manual account management workflows that create compliance gaps.
- Manual user account creation required despite SSO being configured
- Team membership syncing relies on SAML assertions, not proper provisioning
- No automated deprovisioning when engineers leave the organization
- SSO authentication works, but accounts must exist first
SSO doesn't auto-provision user accounts... Uses SAML assertions for team sync
The recurring theme
Even with enterprise-grade SSO configured, every DevOps engineer and platform team member must be manually onboarded to Terraform Cloud. When team members leave, their Terraform access lingers unless IT remembers to clean it up separately.
The decision
| Your Situation | Recommendation |
|---|---|
| Small DevOps team (<10 engineers) | Manual management is workable with SSO |
| Growing platform engineering org (10-50 users) | Use Stitchflow: manual provisioning doesn't scale |
| Enterprise with multiple Terraform workspaces | Use Stitchflow: automation essential for governance |
| High developer turnover or contractor usage | Use Stitchflow: manual onboarding creates bottlenecks |
| Multi-cloud infrastructure with compliance needs | Use Stitchflow: automated provisioning provides audit trail |
The bottom line
Terraform Cloud offers excellent SSO with team sync via SAML assertions, but completely lacks SCIM provisioning—every user account must be created manually. For infrastructure teams managing critical deployments at scale, Stitchflow eliminates the manual bottleneck while maintaining the security and governance you need.
Automate Terraform Cloud without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Terraform Cloud at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No native SCIM provisioning
- SSO doesn't auto-provision user accounts
- Uses SAML assertions for team sync
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
SSO with SAML 2.0 and team sync via SAML assertions. JIT provisioning. No SCIM provisioning.
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
SSO supported via SAML 2.0. No native SCIM provisioning in Entra gallery.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Terraform Cloud
Terraform Cloud doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
