Stitchflow
Back to directory
WhiteSource logo

WhiteSource SCIM guide

Connector Only

How to automate WhiteSource user provisioning, and what it actually costs

Summary and recommendation

Mend.io (formerly WhiteSource), the software composition analysis platform, does not support SCIM provisioning on any plan, including their Enterprise tier that starts at $15,000 minimum. While Mend.io offers SAML-based single sign-on with just-in-time (JIT) provisioning, this creates significant operational overhead for IT teams managing developer access to security tooling. Users can be created automatically on first login via JIT, but there's no automated way to update user attributes, manage group memberships, or deactivate users when they leave the organization—critical gaps for a security tool that needs to be tightly integrated with developer workflows.

This limitation becomes particularly problematic given Mend.io's role in the software development lifecycle. Security engineers and DevSecOps teams need precise control over who has access to vulnerability data and security policies, but without proper provisioning automation, IT admins must manually manage user lifecycle events. This manual process increases security risks and compliance gaps, especially when developers change roles or leave the company but retain access to sensitive security findings.

The strategic alternative

WhiteSource has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.

Quick SCIM facts

SCIM available?No
SCIM tier requiredN/A
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0
DocumentationNot available

Supported identity providers

IdPSSOSCIMNotes
OktaNo SCIM available
Microsoft Entra IDNo SCIM available
Google WorkspaceVia third-partyNo native support
OneLoginVia third-partyNo native support

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages WhiteSource accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The WhiteSource pricing problem

WhiteSource gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

PlanPriceSSOSCIM
EnterpriseCustom (~$15K minimum, ~$18K for 50 users)

Pricing structure

PlanPricingSCIMSSO
EnterpriseCustom (~$15K minimum, ~$18K for 50 users)❌ Not available✓ SAML only

Market data on Mend.io costs

Minimum purchase
$15,000 (20 developer minimum)
Per-developer pricing
$800-1,000 depending on features
200 users
$12.5K-26.8K annually
1,000+ users
$40.5K-86.8K annually

What this means in practice

With no SCIM support, IT teams managing Mend.io face significant operational overhead:

New hire delays
Each developer needs manual account creation before accessing security scans
Offboarding risks
No automated deprovisioning when developers leave
Attribute management
Role changes require manual updates in both your IdP and Mend.io
Audit complications
No centralized provisioning logs for compliance reviews

For a security tool that needs to integrate across your entire development pipeline, manual user management creates the exact type of access control gaps that Mend.io is supposed to help you avoid.

Additional constraints

Support dependency
SAML configuration values must be obtained through Mend.io support tickets
High minimum commitment
$15K minimum spend locks out smaller security teams
JIT limitations
SAML JIT provisioning only works for initial account creation, not ongoing attribute updates
Limited IdP support
No documented support for Google Workspace or OneLogin beyond generic SAML

Summary of challenges

  • WhiteSource does not provide native SCIM at any price tier
  • Organizations must rely on third-party tools or manual provisioning
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What WhiteSource actually offers for identity

SAML SSO Only (Enterprise tier)

Mend.io provides basic SAML 2.0 integration but no automated provisioning:

FeatureEnterprise Tier
SAML SSO✓ Yes
OIDC SSO❌ No
JIT provisioning✓ Yes (SAML attributes)
SCIM provisioning❌ No
User lifecycle management❌ No
Group synchronization❌ No

Critical setup requirement: You must contact Mend.io support to obtain SAML configuration values - there's no self-service portal for SSO setup.

What you're actually paying for

The $15,000 minimum Enterprise tier includes security scanning features that most teams buying purely for identity management won't use:

Software Composition Analysis (SCA)
OSS vulnerability scanning
Static Application Security Testing (SAST)
Code analysis
Container scanning
Image vulnerability detection
License compliance
Open source license management
Remediation workflows
Automated fix suggestions

The reality: 90% of these security features are irrelevant if you just need user provisioning for your development team.

Why JIT provisioning falls short

Just-in-time provisioning via SAML creates users on first login, but provides no ongoing lifecycle management:

Users remain active indefinitely after offboarding
No automated role or group updates
No bulk user management capabilities
Manual cleanup required when team members leave

For a security tool that developers access daily, this creates significant administrative overhead and potential security gaps.

What IT admins are saying

Community sentiment on Mend.io's (formerly WhiteSource) provisioning options reveals significant friction for IT teams managing developer security tools:

  • High minimum purchase requirements make it cost-prohibitive for smaller development teams
  • Manual user provisioning required despite enterprise pricing - no SCIM automation available
  • SSO configuration requires contacting support for basic setup values
  • JIT provisioning via SAML is the only automated option, limiting control over user lifecycle

Minimum purchase requirement prohibitive for small teams

IT admin feedback on pricing barriers

Must contact support for SSO configuration values

Community complaint about basic setup requirements

Configuration values require support team contact

Documentation noting manual intervention needed for SSO

The recurring theme

Despite charging enterprise-level prices with a $15,000 minimum commitment, Mend.io forces IT teams into manual user management workflows that don't scale with developer team growth.

The decision

Your SituationRecommendation
Small security team (<20 developers)Consider manual management, but budget constraints make this expensive
Mid-size engineering team (20-100 developers)Use Stitchflow: bypass the $15K minimum and high per-developer costs
Enterprise with existing Mend contractManual JIT provisioning acceptable if SSO is sufficient
Growing DevSecOps team with frequent onboardingUse Stitchflow: automation essential for cost-effective scaling
Organizations requiring audit trails for security toolsUse Stitchflow: proper provisioning logs for compliance

The bottom line

Mend.io (WhiteSource) offers no SCIM provisioning and requires a $15K minimum purchase with costly per-developer licensing. For teams that need security scanning without enterprise-level costs or want proper user lifecycle management, Stitchflow provides automated provisioning at a fraction of Mend's pricing model.

Make WhiteSource workflows AI-native

WhiteSource has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.

Covers apps without native SCIM, including the ones without APIs
Less than a week, start to finish (~2 hours of your time)
Built with your team; extend to anything else in the company
Book a Demo

Technical specifications

SCIM Version

Not specified

Supported Operations

Not specified

Supported Attributes

No documented SCIM supportJIT provisioning via SAML onlyConfiguration values require support team contactMinimum 20 developer license requirement

Plan requirement

Not specified

Prerequisites

Not specified

Key limitations

  • No documented SCIM support
  • JIT provisioning via SAML only
  • Configuration values require support team contact
  • Minimum 20 developer license requirement

Documentation not available.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → WhiteSource → Single sign-on

Docs

Microsoft Entra integration

Enterprise required for SCIM

Use Stitchflow for automated provisioning.

Unlock SCIM for
WhiteSource

WhiteSource has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.

See how it works
Admin Console
Directory
Applications
WhiteSource logo
WhiteSource
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

6sense logo

6sense

No SCIM

B2B Revenue Intelligence / ABM

ProvisioningNot Supported
Manual Cost$11,754/yr

6sense, the B2B revenue intelligence platform, has paused SCIM provisioning for new customers until Q4 2026. While existing customers with SCIM enabled can continue using it, new implementations are limited to JIT (Just-In-Time) provisioning through SAML SSO. This creates a significant gap for IT teams managing revenue intelligence access, as JIT only creates users on first login and provides minimal attribute mapping (email, first name, last name only). For an enterprise platform with typical pricing of $55,000-$130,000 annually, the absence of automated user lifecycle management is a substantial limitation. The lack of SCIM until Q4 2026 forces IT teams into manual provisioning workflows for a platform handling sensitive revenue data. While SAML SSO handles authentication, it doesn't address user lifecycle events like role changes, department transfers, or offboarding. This creates compliance risks in revenue teams where access to prospect data and sales intelligence must be tightly controlled. The nearly two-year wait for SCIM restoration means organizations implementing 6sense today face manual user management for the foreseeable future.

View full guide
ActiveCampaign logo

ActiveCampaign

No SCIM

Marketing Automation / Email

ProvisioningNot Supported
Manual Cost$11,754/yr

ActiveCampaign, the marketing automation platform, does not offer native SCIM provisioning on any plan. While the Enterprise plan ($145+/month) includes SAML 2.0 SSO with just-in-time (JIT) provisioning, this only creates user accounts on first login—there's no automated deprovisioning when employees leave or change roles. New SSO users are automatically added to a generic "SSO Users" group with configurable permissions, but IT teams have no way to programmatically manage user lifecycles or enforce granular access controls based on department or role changes. This creates a significant gap for marketing teams that need to manage access to customer data and campaign tools. When employees leave the company or change departments, their ActiveCampaign access must be manually revoked, creating compliance risks and potential data exposure. The lack of automated deprovisioning means former employees could theoretically retain access to sensitive marketing data and customer information until someone manually removes them from the platform.

View full guide
Adyen logo

Adyen

No SCIM

Payments / Fintech

ProvisioningNot Supported
Manual Cost$11,754/yr

Adyen offers SCIM 2.0 provisioning, but only through Okta's integration—there's no native SCIM endpoint. This creates a significant vendor lock-in scenario where your provisioning capabilities are entirely dependent on using Okta as your identity provider. Teams using Azure Entra, Google Workspace, or OneLogin are left with manual user management despite Adyen supporting SAML SSO with these platforms. The Okta integration itself requires maintaining a company account (not just a merchant account) and keeping at least one non-SSO admin for troubleshooting, adding operational complexity. For payment platforms handling sensitive financial data, this provisioning gap creates serious compliance risks. Your finance team, payment operations staff, and developers need timely access to process transactions and manage risk controls, but without automated provisioning, you're stuck with manual onboarding that can delay critical payment operations. The requirement to maintain non-SSO admin accounts also creates a security backdoor that compliance auditors will flag.

View full guide