Summary and recommendation
ThreatConnect, the threat intelligence platform and SOAR solution, does not support SCIM provisioning on any plan. While ThreatConnect offers SAML 2.0 SSO integration with identity providers like Okta and Entra ID, this only handles authentication for existing users. All user account creation, role assignments, and lifecycle management must be handled manually within ThreatConnect's interface. This creates a significant operational burden for security teams managing access to this critical security infrastructure.
The lack of automated provisioning is particularly problematic for ThreatConnect given its role as a central security platform. Security teams need rapid onboarding for incident responders and threat analysts, especially during security events when time is critical. Manual user management creates delays in granting access to essential threat intelligence and SOAR capabilities. Additionally, without automated deprovisioning, former employees may retain access to sensitive threat data and security playbooks, creating compliance and security risks that directly contradict ThreatConnect's security-focused mission.
The strategic alternative
ThreatConnect has no native SCIM. That leaves a workflow gap in offboarding, access reviews, and license cleanup unless your team handles the app another way. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | ThreatConnect supports SAML SSO with Okta via custom SAML app configuration. No OIN app with SCIM provisioning. |
| Microsoft Entra ID | ✓ | ❌ | ThreatConnect supports SAML SSO. Integrates with Microsoft Sentinel for threat intelligence. No SCIM provisioning. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages ThreatConnect accounts manually. Here's what that costs:
The ThreatConnect pricing problem
ThreatConnect gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Not disclosed | ||
| Business | Not disclosed | ||
| Enterprise | Custom quote |
Pricing and provisioning availability
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Not disclosed | ||
| Business | Not disclosed | ||
| Enterprise | Custom quote |
What this means in practice
IT teams managing ThreatConnect face a complete provisioning gap:
This creates significant overhead for security teams who need rapid onboarding for incident response scenarios and reliable offboarding for access control.
Additional constraints
Summary of challenges
- ThreatConnect does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What ThreatConnect actually offers for identity
SAML SSO (Enterprise only)
ThreatConnect supports SAML 2.0 authentication through custom configuration:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, custom SAML providers |
| Configuration | Custom SAML app setup required |
| User requirement | Manual user creation in ThreatConnect |
Critical limitation: ThreatConnect provides no automated user provisioning. Every user must be manually created in the platform before they can authenticate via SSO.
Okta Integration Status
ThreatConnect has no official Okta Integration Network (OIN) listing:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Via custom app |
| OIDC SSO | ❌ No |
| Create users | ❌ No |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Microsoft Entra Integration
ThreatConnect integrates with Microsoft's security ecosystem but offers limited identity management:
| Feature | Details |
|---|---|
| SSO support | SAML 2.0 via enterprise app |
| Sentinel integration | ✓ Threat intelligence feeds |
| User provisioning | ❌ Manual only |
| Group sync | ❌ Not supported |
The reality: ThreatConnect is a threat intelligence platform (TIP) and SOAR solution, not an identity-aware application. Identity management capabilities are minimal - you get basic SAML authentication and nothing else. Teams need manual processes for user lifecycle management across all pricing tiers.
What IT admins are saying
ThreatConnect's lack of automated provisioning creates operational headaches for security teams managing user access:
- Manual user provisioning required despite SSO implementation
- No visibility into who has access without logging into ThreatConnect directly
- Delayed onboarding for new security analysts and threat intelligence teams
- Risk of orphaned accounts when team members leave or change roles
We have SSO working but still have to manually create every user account in ThreatConnect. For a security platform, you'd expect better identity management capabilities.
The platform is powerful for threat intel but the user management is stuck in the past. Everything has to be done manually in their interface.
The recurring theme
While ThreatConnect excels as a threat intelligence platform, IT teams struggle with basic user lifecycle management, creating security risks and administrative overhead for the very teams responsible for organizational security.
The decision
| Your Situation | Recommendation |
|---|---|
| Small security team (<10 analysts) | Manual management acceptable for core team |
| Threat intelligence focused deployment | Manual management with SSO for authentication |
| Large SOC with frequent analyst turnover | Use Stitchflow: automation essential for rapid onboarding |
| Multi-tenant MSSP operations | Use Stitchflow: automation critical for scale |
| Enterprise with strict compliance requirements | Use Stitchflow: automated provisioning ensures audit trail |
The bottom line
ThreatConnect has no native SCIM. That means one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.
Close the ThreatConnect workflow gap
ThreatConnect is one gap in a broader workflow. Stitchflow builds and maintains the offboarding, access review, or license workflow across every app in your environment.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No SCIM provisioning support
- SSO via SAML 2.0 only
- Manual user management required
- Enterprise pricing not publicly disclosed
- Focus is on threat intelligence platform (TIP) and SOAR, not identity management
Documentation not available.
Close the workflow gap in
ThreatConnect
ThreatConnect has no native SCIM. That leaves one more workflow gap in offboarding, access reviews, and license cleanup unless your team handles it another way.
Start with the free gap diagnostic
