Summary and recommendation
Veracode, the application security testing platform used by security and development teams, does not offer native SCIM provisioning despite being an enterprise-focused security tool with pricing starting at ~$15,000/year. While Veracode supports SAML SSO through identity providers like Okta and Entra ID, user provisioning relies entirely on just-in-time (JIT) provisioning or manual admin API calls. Critically, Veracode support must manually provision each account before SAML authentication can be used, creating a significant bottleneck for organizations trying to onboard developers across multiple security scanning projects.
This creates a substantial operational burden for IT teams managing security tooling across development organizations. With no automated deprovisioning capabilities, terminated employees retain access until manually removed, creating compliance gaps in a security-critical application. The reliance on JIT provisioning means IT has limited visibility and control over user lifecycle management, while the manual account creation requirement by Veracode support introduces delays that slow developer onboarding for security scanning workflows.
The strategic alternative
Veracode has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No SCIM available |
| Microsoft Entra ID | ✓ | ❌ | No SCIM available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Veracode accounts manually. Here's what that costs:
The Veracode pricing problem
Veracode gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Custom (starting ~$15,000/year for SAST) |
Pricing and provisioning availability
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Custom (starting ~$15,000/year for SAST) |
Market data on Veracode costs
What this means in practice
Without native SCIM, Veracode provisioning creates several operational challenges:
Manual account creation required: Every new developer or security engineer needs their account manually provisioned by Veracode support before they can use SAML SSO. This creates delays when onboarding team members to security scanning workflows.
No automated deprovisioning: When developers leave projects or the company, their Veracode access must be manually revoked. There's no automated way to remove access when users are deactivated in your IdP.
Limited bulk management: While the Admin API can handle some bulk operations, it requires custom scripting and API key management rather than standardized SCIM protocols.
Additional constraints
Summary of challenges
- Veracode does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Veracode actually offers for identity
SAML SSO Only (Enterprise)
Veracode supports SAML 2.0 integration with enterprise identity providers:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Azure AD, generic SAML providers |
| Configuration | SP-initiated authentication recommended |
| User requirement | Accounts must be provisioned by Veracode support before SSO use |
| JIT provisioning | Yes, but limited to basic attributes |
Critical limitation: Veracode has no native SCIM endpoint. All user provisioning must be done through their Admin API or by contacting support directly.
Okta Integration Discrepancy
The Okta Integration Network shows provisioning support, but Veracode's own documentation tells a different story:
| Feature | OIN Claims | Reality |
|---|---|---|
| SAML SSO | ✓ Yes | ✓ Yes |
| Create users | ✓ Yes | ❌ Admin API only |
| Update users | ✓ Yes | ❌ Admin API only |
| Deactivate users | ✓ Yes | ❌ Admin API only |
| Group push | ✓ Yes | ❌ Admin API only |
Translation: What Okta calls "SCIM provisioning" is actually bulk operations through Veracode's Admin API, not real-time SCIM automation.
Admin API Alternative
For teams needing automated provisioning, Veracode provides:
The reality: You're paying $15,000+ per year for an application security platform and still need to build your own provisioning automation or manually manage users through support tickets.
What IT admins are saying
Veracode's lack of native SCIM provisioning creates operational overhead for security teams managing developer access:
- Manual user provisioning required despite enterprise pricing starting at $15K+/year
- Must coordinate with Veracode support to provision accounts before SAML can work
- JIT provisioning via SAML only - no automated user lifecycle management
- Need to maintain backup admin credentials outside of SSO for account recovery
Account must be provisioned by support before SAML use... Should keep one admin with username/password as backup
No native SCIM endpoint - uses Admin API for bulk provisioning
The recurring theme
Even at enterprise price points, Veracode requires manual coordination with support for basic user provisioning, forcing IT teams to manage developer access through tickets rather than automated identity workflows.
The decision
| Your Situation | Recommendation |
|---|---|
| Small security team (<10 users) on Okta | Use Okta's SCIM integration - works well for small teams |
| Development teams across multiple projects | Use Stitchflow: complex project-based provisioning needs automation |
| Using Entra ID or Google Workspace | Use Stitchflow: no native provisioning support for these IdPs |
| Enterprise with DevSecOps workflows | Use Stitchflow: automation essential for developer onboarding/offboarding |
| Multi-application security stack | Use Stitchflow: centralized provisioning across all security tools |
The bottom line
Veracode offers solid SCIM support through Okta, but leaves Entra ID and Google Workspace users with manual provisioning only. For organizations running complex DevSecOps workflows or using non-Okta identity providers, Stitchflow provides the automation needed to keep security teams productive without provisioning overhead.
Make Veracode workflows AI-native
Veracode has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No native SCIM endpoint - uses Admin API for bulk provisioning
- JIT provisioning via SAML only
- Account must be provisioned by support before SAML use
- Should keep one admin with username/password as backup
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Docs
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Enterprise required for SCIM
Use Stitchflow for automated provisioning.
Unlock SCIM for
Veracode
Veracode has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
