Summary and recommendation
ThreatQ, the threat intelligence platform used by enterprise security teams, does not support SCIM provisioning on any plan. While ThreatQ offers SAML SSO integration with identity providers like Okta and Entra, this only handles authentication through just-in-time (JIT) provisioning—users are automatically created on first login but cannot be managed through your IdP afterward. With 78% of ThreatQ's user base being large enterprises handling sensitive threat intelligence data, this creates a significant gap in user lifecycle management for security-conscious IT teams.
This JIT-only approach means IT administrators lose control over user provisioning, deprovisioning, and attribute management after the initial login. When security analysts leave the organization or change roles, their ThreatQ access must be manually revoked—a critical compliance risk in security operations where former employees retain access to threat intelligence platforms. The inability to centrally manage user attributes and group memberships also complicates role-based access control for different security functions.
The strategic alternative
ThreatQ has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | ThreatQ supports SAML SSO. No Okta OIN app with SCIM provisioning. |
| Microsoft Entra ID | ✓ | ❌ | ThreatQ supports SP-initiated SAML SSO with Entra. JIT user provisioning enabled by default (users created on first login). No SCIM-based provisioning. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages ThreatQ accounts manually. Here's what that costs:
The ThreatQ pricing problem
ThreatQ gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Pricing structure
| Plan | Pricing | SCIM | SSO |
|---|---|---|---|
| Pro | Not disclosed | ❌ | ❌ |
| Business | Not disclosed | ❌ | ❌ |
| Enterprise | Custom quote | ❌ | ✓ SAML |
Market reality: ThreatQ's enterprise pricing is completely opaque, with 78% of users being large enterprises who need formal procurement processes and budget planning.
What this means in practice
JIT provisioning limitations
Security implications for a threat intelligence platform
Additional constraints
Summary of challenges
- ThreatQ does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What ThreatQ actually offers for identity
SAML SSO (All Plans)
ThreatQ provides SAML 2.0 single sign-on integration with major identity providers:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 SP-initiated |
| Supported IdPs | Entra ID, Okta, Google Workspace, OneLogin |
| User provisioning | JIT (Just-in-Time) only |
| Configuration | Standard SAML attribute mapping |
| Access control | Role-based permissions within ThreatQ |
Critical limitation: ThreatQ only supports JIT provisioning, where users are automatically created during their first SAML login. No SCIM-based provisioning means no centralized user lifecycle management.
Okta Integration Status
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes (custom app) |
| SCIM provisioning | ❌ No |
| Create users | ❌ No (JIT only) |
| Update users | ❌ No |
| Deactivate users | ❌ No |
| Group push | ❌ No |
Entra ID Integration
ThreatQ has documented Entra ID integration via the Enterprise Applications gallery:
| Feature | Supported? |
|---|---|
| SAML SSO | ✓ Yes |
| SCIM provisioning | ❌ No |
| Automatic provisioning | ❌ No (JIT only) |
| User deprovisioning | ❌ No |
The reality: Despite ThreatQ's 200+ product integrations and enterprise focus (78% of users are large enterprises), the platform lacks any SCIM provisioning capabilities. IT teams must rely on JIT provisioning or manual user management, creating security gaps when employees leave or change roles.
What IT admins are saying
ThreatQ's lack of automated provisioning creates operational overhead for security teams managing threat intelligence platforms:
- Manual user creation required even with SAML SSO configured
- No centralized way to manage user lifecycle through identity providers
- JIT provisioning creates users automatically but can't remove them when employees leave
- Enterprise-only pricing makes automation features expensive for smaller security teams
The recurring theme
While ThreatQ can create users on first login through JIT provisioning, IT teams have no automated way to deprovision users or manage ongoing access changes. This creates security risks in threat intelligence platforms where access control is critical.
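Until deprovisioning is automated, the gap described above can be caught with a periodic access review that reconciles the application's user list against the IdP. The script below is an added example, not ThreatQ or Stitchflow code; the CSV column names, the sample rows and the break-glass account are assumptions constructed for illustration, since no export format is documented on this page.

```python
import csv
import io

# Constructed sample: IdP export of users and their assignment to the SAML app.
# Column names are assumptions, not a documented Okta/Entra export format.
IDP_EXPORT = """email,status,assigned_to_app
alice@example.com,ACTIVE,true
bob@example.com,DEPROVISIONED,false
carol@example.com,ACTIVE,false
"""

# Constructed sample: user list exported by hand from the application.
APP_EXPORT = """email,role,last_login
Alice@Example.com,analyst,2024-05-01
bob@example.com,admin,2024-01-12
carol@example.com,analyst,2024-03-30
local-admin@example.com,admin,2024-05-02
"""

# Assumption: one documented local account that intentionally bypasses SSO.
BREAK_GLASS = {"local-admin@example.com"}


def _rows(text):
    """Parse CSV text into dicts keyed by lower-cased, stripped email."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def review_access(idp_csv, app_csv, exempt=frozenset()):
    """Return (email, role, reason) for app accounts the IdP no longer backs."""
    idp, app = _rows(idp_csv), _rows(app_csv)
    findings = []
    for email, acct in sorted(app.items()):
        if email in exempt:
            continue
        person = idp.get(email)
        if person is None:
            reason = "not in IdP"
        elif person["status"].upper() != "ACTIVE":
            reason = "IdP account " + person["status"].lower()
        elif person["assigned_to_app"].lower() != "true":
            reason = "no longer assigned to app"
        else:
            continue  # active and still assigned: JIT account is legitimate
        findings.append((email, acct["role"], reason))
    return findings


if __name__ == "__main__":
    for email, role, reason in review_access(IDP_EXPORT, APP_EXPORT, BREAK_GLASS):
        print(f"REVOKE {email} (role={role}): {reason}")
```

Emails are compared case-insensitively because JIT-created accounts take whatever casing the SAML assertion carried. Running the review without the exemption set also surfaces local accounts that never existed in the IdP.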
The decision
| Your Situation | Recommendation |
|---|---|
| Small security team (<20 users) with stable membership | Manual user management is workable |
| Medium security operations (20-50 users) | Use Stitchflow: JIT provisioning creates audit gaps |
| Large enterprise security program (50+ users) | Use Stitchflow: automation essential for compliance |
| Multi-team threat intelligence sharing | Use Stitchflow: coordinated provisioning across teams |
| Strict SOC/audit requirements | Use Stitchflow: manual processes don't scale for compliance |
The bottom line
ThreatQ offers robust threat intelligence capabilities but relies on basic JIT provisioning through SAML SSO—users are created automatically on first login with no centralized control. For security teams that need proper user lifecycle management and audit trails, Stitchflow delivers the SCIM-level automation that ThreatQ's enterprise pricing doesn't include.
Make ThreatQ workflows AI-native
ThreatQ has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specified
Supported Operations
Not specified
Supported Attributes
Plan requirement
Not specified
Prerequisites
Not specified
Key limitations
- No SCIM provisioning - only JIT provisioning via SAML SSO
- Users created automatically on first SAML login
- Enterprise pricing not publicly disclosed
- 78% of users are large enterprises
- 200+ product integrations but no SCIM
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
ThreatQ supports SP-initiated SAML SSO with Entra. JIT user provisioning enabled by default (users created on first login). No SCIM-based provisioning.
Use Stitchflow for automated provisioning.


