Summary and recommendation
ThreatConnect, the threat intelligence platform and SOAR solution, does not support SCIM provisioning on any plan. While ThreatConnect offers SAML 2.0 SSO integration with identity providers like Okta and Entra ID, this only handles authentication for existing users. All user account creation, role assignments, and lifecycle management must be handled manually within ThreatConnect's interface. This creates a significant operational burden for security teams managing access to this critical security infrastructure.
The lack of automated provisioning is particularly problematic for ThreatConnect given its role as a central security platform. Security teams need rapid onboarding for incident responders and threat analysts, especially during security events when time is critical. Manual user management creates delays in granting access to essential threat intelligence and SOAR capabilities. Additionally, without automated deprovisioning, former employees may retain access to sensitive threat data and security playbooks, creating compliance and security risks that directly contradict ThreatConnect's security-focused mission.
The strategic alternative
ThreatConnect has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | ThreatConnect supports SAML SSO with Okta via custom SAML app configuration. No OIN app with SCIM provisioning. |
| Microsoft Entra ID | ✓ | ❌ | ThreatConnect supports SAML SSO. Integrates with Microsoft Sentinel for threat intelligence. No SCIM provisioning. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages ThreatConnect accounts manually. Here's what that costs:
The ThreatConnect pricing problem
ThreatConnect gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Not disclosed | ||
| Business | Not disclosed | ||
| Enterprise | Custom quote |
Pricing and provisioning availability
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Not disclosed | ||
| Business | Not disclosed | ||
| Enterprise | Custom quote |
What this means in practice
IT teams managing ThreatConnect face a complete provisioning gap:
This creates significant overhead for security teams who need rapid onboarding for incident response scenarios and reliable offboarding for access control.
Additional constraints
Summary of challenges
- ThreatConnect does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What ThreatConnect actually offers for identity
SAML SSO (Enterprise only)
ThreatConnect supports SAML 2.0 authentication through custom configuration:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, custom SAML providers |
| Configuration | Custom SAML app setup required |
| User requirement | Manual user creation in ThreatConnect |
Critical limitation: ThreatConnect provides no automated user provisioning. Every user must be manually created in the platform before they can authenticate via SSO.
Okta Integration Status
ThreatConnect has no official Okta Integration Network (OIN) listing:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Via custom app |
| OIDC SSO | ❌ No |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Microsoft Entra Integration
ThreatConnect integrates with Microsoft's security ecosystem but offers limited identity management:
| Feature | Details |
|---|---|
| SSO support | SAML 2.0 via enterprise app |
| Sentinel integration | ✓ Threat intelligence feeds |
| User provisioning | ❌ Manual only |
| Group sync | ❌ Not supported |
The reality: ThreatConnect is a threat intelligence platform (TIP) and SOAR solution, not an identity-aware application. Identity management capabilities are minimal - you get basic SAML authentication and nothing else. Teams need manual processes for user lifecycle management across all pricing tiers.
What IT admins are saying
ThreatConnect's lack of automated provisioning creates operational headaches for security teams managing user access:
- Manual user provisioning required despite SSO implementation
- No visibility into who has access without logging into ThreatConnect directly
- Delayed onboarding for new security analysts and threat intelligence teams
- Risk of orphaned accounts when team members leave or change roles
We have SSO working but still have to manually create every user account in ThreatConnect. For a security platform, you'd expect better identity management capabilities.
The platform is powerful for threat intel but the user management is stuck in the past. Everything has to be done manually in their interface.
The recurring theme
While ThreatConnect excels as a threat intelligence platform, IT teams struggle with basic user lifecycle management, creating security risks and administrative overhead for the very teams responsible for organizational security.
The decision
| Your Situation | Recommendation |
|---|---|
| Small security team (<10 analysts) | Manual management acceptable for core team |
| Threat intelligence focused deployment | Manual management with SSO for authentication |
| Large SOC with frequent analyst turnover | Use Stitchflow: automation essential for rapid onboarding |
| Multi-tenant MSSP operations | Use Stitchflow: automation critical for scale |
| Enterprise with strict compliance requirements | Use Stitchflow: automated provisioning ensures audit trail |
The bottom line
ThreatConnect excels as a threat intelligence platform but offers zero SCIM provisioning capabilities across all plans. For security operations that need automated user lifecycle management without the overhead of manual account creation, Stitchflow delivers the provisioning automation that ThreatConnect simply doesn't provide.
Make ThreatConnect workflows AI-native
ThreatConnect has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No SCIM provisioning support
- SSO via SAML 2.0 only
- Manual user management required
- Enterprise pricing not publicly disclosed
- Focus is on threat intelligence platform (TIP) and SOAR, not identity management
Documentation not available.
Unlock SCIM for
ThreatConnect
ThreatConnect has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
