Stitchflow
Back to directory
Tessian logo

Tessian SCIM guide

Connector Only

How to automate Tessian user provisioning, and what it actually costs

Summary and recommendation

Tessian (now Proofpoint) does not offer SCIM provisioning, and with the acquisition by Proofpoint completed in December 2023, the integration landscape remains unclear. While Tessian supports SAML 2.0 SSO through major identity providers like Okta and Azure AD, provisioning documentation is not publicly available. The platform integrates with Okta for identity-based risk visibility in email security workflows, but this integration focuses on risk assessment rather than user lifecycle management. Enterprise customers must contact Proofpoint directly for any provisioning capabilities.

This creates a significant operational gap for IT teams managing email security across large organizations. Email security platforms like Tessian require accurate user provisioning to ensure comprehensive protection coverage—when users can't be automatically provisioned or deprovisioned, security gaps emerge as employees join, change roles, or leave the company. Manual user management in email security tools increases the risk of both under-protection (new users without coverage) and over-licensing (departed users still consuming licenses).

The strategic alternative

Tessian has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?No
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaTessian + Okta integration for identity-based risk visibility. Uses Okta directory information and groups with Tessian Risk Hub.
Microsoft Entra IDAzure AD supported for SSO. Contact Proofpoint for provisioning options.
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Tessian accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Tessian pricing problem

Tessian gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
EnterpriseContact Proofpoint for pricing

Pricing structure

PlanPriceSCIM
EnterpriseContact Proofpoint for pricing❌ Not available

Market reality

No public pricing since Proofpoint acquisition
Enterprise-only SSO via SAML 2.0
Limited IdP support (Okta and Azure AD only)

What this means in practice

Without native SCIM, your IT team faces these manual processes:

New hire onboarding
Create accounts individually in Tessian admin console
Role changes
Update user permissions manually when employees change departments
Offboarding
Remember to deactivate Tessian access separately from your main deprovisioning workflow
Compliance auditing
Export user lists manually to verify access matches your source of truth

For a 500-person company with 15% annual turnover, this creates ~90 manual provisioning tasks per year just for Tessian.

Additional constraints

Acquisition uncertainty
Tessian's roadmap now follows Proofpoint priorities - SCIM may not be developed
Limited IdP coverage
No support for Google Workspace or OneLogin
Documentation gaps
Integration guides are outdated or missing during the Proofpoint transition
Vendor lock-in
Okta integration focuses on risk visibility, not true provisioning automation
Enterprise-only access
SSO and advanced integrations require top-tier contracts

Summary of challenges

  • Tessian does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What Tessian actually offers for identity

SAML SSO (Enterprise tier)

Following Tessian's acquisition by Proofpoint in December 2023, identity features are now managed through Proofpoint Core Email Protection:

SettingDetails
ProtocolSAML 2.0
Supported IdPsOkta, Azure AD/Entra ID, generic SAML providers
PricingContact Proofpoint for enterprise pricing
DocumentationIn transition - contact vendor directly

Key limitation: No public documentation exists for Tessian's identity capabilities. The acquisition means integration details must be obtained directly from Proofpoint sales.

Okta Partnership (Identity-based risk)

Tessian's Okta integration focuses on risk management rather than traditional provisioning:

FeaturePurpose
Directory syncPulls user and group data for risk analysis
Risk Hub integrationIdentifies high-risk users based on Okta signals
Identity contextEnhances email security with user behavior data

Translation: This isn't SCIM provisioning. It's a data feed that helps Tessian understand user risk profiles based on your Okta directory.

What's actually missing

No SCIM provisioning documented anywhere
No automated user lifecycle management
No public pricing for identity features
Documentation in flux due to Proofpoint transition

For IT teams evaluating email security with proper identity integration, Tessian's current state creates significant uncertainty around provisioning capabilities.

What IT admins are saying

Tessian's recent acquisition by Proofpoint has left IT admins in limbo regarding provisioning capabilities:

  • Documentation is in transition after the Proofpoint acquisition - unclear what features remain
  • No public SCIM documentation or clear provisioning path
  • Enterprise-only access requires going through Proofpoint sales for basic integration info
  • Limited IdP support compared to modern email security platforms

SSO/SCIM not publicly documented

Current state of Tessian integration resources

Contact vendor for enterprise features

Standard response for provisioning questions

The recurring theme

The Proofpoint acquisition has created a documentation black hole. IT teams can't evaluate provisioning options without entering a sales process, and it's unclear which Tessian features will survive the integration into Proofpoint's platform.

The decision

Your SituationRecommendation
Small security team (<20 users)Manual management acceptable given limited scope
Stable IT team with infrequent changesManual provisioning with SAML SSO for authentication
Growing organization (50+ users)Use Stitchflow: automation essential as you scale
Enterprise with compliance requirementsUse Stitchflow: automation critical for audit trails
Multi-department email security deploymentUse Stitchflow: manual provisioning becomes unmanageable

The bottom line

Tessian has no native SCIM. Stitchflow automates complete workflows across every app, including the ones without APIs.

Make Tessian workflows AI-native

Tessian has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.

Covers apps without native SCIM, including the ones without APIs
Less than a week, start to finish (~2 hours of your time)
Built with your team; extend to anything else in the company
Book a Demo

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

SSO/SCIM not publicly documentedAcquired by Proofpoint - documentation in transitionContact vendor for enterprise features

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • SSO/SCIM not publicly documented
  • Acquired by Proofpoint - documentation in transition
  • Contact vendor for enterprise features

Documentation not available.

Unlock SCIM for
Tessian

Tessian has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.

See how it works
Admin Console
Directory
Applications
Tessian logo
Tessian
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Mimecast logo

Mimecast

SCIM Tax

Email Security

SCIM StatusIncluded
Manual Cost$11,754/yr

Mimecast supports SCIM 2.0 for automated user provisioning, but only on Enterprise plans with custom pricing. While SCIM functionality is comprehensive (create, update, deactivate users, plus group sync), Mimecast requires separate configuration for SCIM and SSO - meaning IT teams must manage two different integration setups instead of one unified process. For email security platforms like Mimecast that protect your entire organization, manual user management creates significant security gaps. Without automated provisioning, new employees may lack email protection on day one, while departed employees retain access longer than necessary. SSO alone only handles authentication - it doesn't automatically provision accounts or assign appropriate security policies based on group membership.

View full guide
6sense logo

6sense

No SCIM

B2B Revenue Intelligence / ABM

ProvisioningNot Supported
Manual Cost$11,754/yr

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.

View full guide
ActiveCampaign logo

ActiveCampaign

No SCIM

Marketing Automation / Email

ProvisioningNot Supported
Manual Cost$11,754/yr

ActiveCampaign, the marketing automation platform, does not offer native SCIM provisioning on any plan. While the Enterprise plan ($145+/month) includes SAML 2.0 SSO with just-in-time (JIT) provisioning, this only creates user accounts on first login—there's no automated deprovisioning when employees leave or change roles. New SSO users are automatically added to a generic "SSO Users" group with configurable permissions, but IT teams have no way to programmatically manage user lifecycles or enforce granular access controls based on department or role changes. This creates a significant gap for marketing teams that need to manage access to customer data and campaign tools. When employees leave the company or change departments, their ActiveCampaign access must be manually revoked, creating compliance risks and potential data exposure. The lack of automated deprovisioning means former employees could theoretically retain access to sensitive marketing data and customer information until someone manually removes them from the platform.

View full guide