Which auth providers support SCIM?

Do you plan on outsourcing SCIM and you don't know where? Read this article for a list of auth providers that support SCIM and a comparison of the features they offer.


If you are building a SaaS app and want to sell to enterprise customers, you must support SCIM. It’s one of the most common asks by enterprises, and without it, you won’t go far.

In the past, we have discussed at length the pros and cons of building vs buying when it comes to SSO and SCIM. If you decide to go with buying instead of building, the second question that arises is: which provider should you choose?

In this article, we will examine which authentication providers support SCIM, which features you should look for, and which providers support each one. We hope this will help you make an informed decision.

Let’s start with a brief introduction to SCIM and why it’s best if you outsource its implementation.

What is SCIM?

SCIM is a spec that syncs user accounts and groups across multiple systems. When a user or group is created, updated, or deleted in one system (the directory or identity provider), these changes are propagated automatically to all connected systems.

With SCIM, you can rest assured that new employees will have access to all the systems they need on their first day, terminated employees will be deactivated within seconds, any changes in roles and permissions will be updated in real time across systems, and you will always have an accurate view of how many seats you are using.

Why use an auth provider for SCIM?

Despite SCIM’s intent to standardize identity management, identity providers often implement SCIM with slight variations. These variations can cause real headaches, especially if you want to support the myriad of identity providers your customers use.

Here are just some of the challenges you will encounter:

  • Platform-specific features: As noted, different IdPs might implement SCIM slightly differently. Some IdPs might extend the SCIM schema with custom attributes or extensions to add specific features of their platforms that are not part of the standard SCIM specification. For example, you might see different attributes referring to the same thing across different systems, such as surname and last_name.
  • Scaling issues: Large enterprises with tens of thousands of employees may want to provision all these users to your app in just a day. Your SCIM implementation must be able to process these bulk requests and high-frequency updates without going down, as missing even a single request can have huge contractual or security consequences for your customer.
  • Onboarding new customers: Because of the different ways IdPs handle SCIM, every time you onboard a new client, you’ll need to map any custom attributes they use to your app’s data model, configure the URLs where they’ll send requests, potentially write custom logic for their SCIM requests, and also make sure you’re properly authenticating these requests. This process is usually tedious and requires constant back and forth with your customer’s IT admin team to ensure everything is working as expected.

Due to these challenges, many companies prefer to use a dedicated SCIM provider that will take care of all these for them.

Which SCIM features are important?

There are several providers out there that offer SCIM support, but not all of them offer the features that make the difference. Let’s see some of the features you should keep an eye out for while evaluating providers:

  • Support for multiple directories: There are many directories out there: Okta, Entra ID (Azure AD), Google Workspace, OneLogin, PingFederate, JumpCloud, Rippling; the list goes on and on. Not all of your customers will be using the same one. That’s why finding a provider that supports as many providers as possible out of the box is important. It’s also crucial to be able to sync user and group directories from any custom provider using SCIM v2.0.
  • Ease of integration: Evaluate how easily the SCIM solution integrates with your existing infrastructure. Providers offering well-documented APIs, SDKs, or integration guides can significantly reduce the effort and time required for integration.
  • Easy customer onboarding: Because of the different ways IdPs handle SCIM, every time you onboard a new client, you’ll need to map any custom attributes they use to your app’s data model, configure the URLs where they’ll send requests, and test the connection. This process is usually tedious and requires constant back and forth with your customer’s IT admin team to ensure everything is working as expected. That’s why it’s important to find a provider that offers a self-serve portal where you can send your customers to configure their SCIM connection themselves and avoid the constant back and forth with their IT team. This will get the work done faster for both sides.
  • Scalability: The provider should be able to scale with your needs, handling everything from a few dozen to thousands of requests without significant performance degradation and without bringing your app to its knees. Look for providers that go beyond webhooks support. Do they support event streaming? Can you process requests at your own pace?
  • Configurable attribute mappings: Since different systems may use different attribute names or schemas, look for a provider that allows you to configure mappings between these attributes.
  • Compliance: Check for compliance with relevant regulations (e.g., GDPR, HIPAA) and industry standards (e.g., ISO/IEC 27001). This is crucial if you operate in regulated industries or handle sensitive data. If this is your case, ensure that the provider you choose offers an audit trail, a feature that can prove invaluable during compliance audits.
  • Transparent pricing: Providers generally offer MAU (monthly active users) or per-company pricing. Look for clear, transparent pricing models that align with your budget and scaling expectations. Avoid providers with opaque pricing or significant hidden costs.
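The attribute differences described above (surname vs. last_name) and the configurable mappings in this list can be handled with a per-connection mapping table. The sketch below is an added example, not code from any provider discussed here; the payloads, the `CUSTOMER_B_MAPPING` override, and the internal field names are constructed assumptions, while `name.familyName`, `emails`, `active` and the enterprise extension URN come from the SCIM 2.0 core schema.

```python
# Added example: per-connection attribute mapping for inbound SCIM users.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Internal field -> candidate source paths, tried in order.
DEFAULT_MAPPING = {
    "first_name": [("name", "givenName")],
    "last_name": [("name", "familyName")],
    "department": [(ENTERPRISE, "department")],
}
# Hypothetical override for one customer whose directory sends a top-level "surname".
CUSTOMER_B_MAPPING = {**DEFAULT_MAPPING, "last_name": [("name", "familyName"), ("surname",)]}

def resolve(payload, path):
    """Follow a tuple of keys through nested dicts; None if any step is missing."""
    cur = payload
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def primary_email(payload):
    emails = payload.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else {})
    return chosen.get("value")

def parse_active(value):
    """Accept booleans and the string forms some directories send; missing means active."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return True if value is None else bool(value)

def normalize(payload, mapping, required=("email", "last_name")):
    user = {"external_id": payload.get("externalId"), "email": primary_email(payload),
            "active": parse_active(payload.get("active"))}
    for field, paths in mapping.items():
        user[field] = next((v for v in (resolve(payload, p) for p in paths) if v), None)
    missing = [f for f in required if not user.get(f)]
    return user, missing  # caller rejects or queues the record when `missing` is non-empty

# Constructed sample payloads (not captured from any real directory).
STANDARD = {"externalId": "a-1", "name": {"givenName": "Ada", "familyName": "Lovelace"},
            "emails": [{"value": "ada@example.com", "primary": True}], "active": True,
            ENTERPRISE: {"department": "Research"}}
CUSTOM = {"externalId": "b-7", "name": {"givenName": "Grace"}, "surname": "Hopper",
          "emails": [{"value": "gh@alt.example"}, {"value": "grace@example.com", "primary": True}],
          "active": "False"}
```

Running `normalize(CUSTOM, DEFAULT_MAPPING)` reports `last_name` as missing, which is the signal to fix the connection's mapping before the record reaches your user table.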

Who supports SCIM?

Now, let’s review some of the auth providers that support SCIM.

WorkOS

WorkOS offers Directory Sync, a product that automates user and group provisioning using SCIM. Over three years ago, WorkOS was the first to start offering SCIM and has synced over 5 million users, 385 thousand groups, and 11.6 million group memberships across 3.6 thousand directories to this day.

Key features:

  • WorkOS supports any major corporate identity provider (Okta, Google, Microsoft Entra ID / Azure AD, etc.) or major HRIS (BambooHR, Workday, Rippling, etc.). It offers out-of-the-box integrations with detailed instructions on how to configure each provider, plus support for any custom SCIM provider. WorkOS is the only auth provider supporting Google Workspace and features like filtering groups.
  • SDK support for Node.js, Ruby, Python, Go, Java, PHP, and .NET.
  • A self-serve admin portal that significantly simplifies the onboarding process. You can manually or programmatically send it to your customer’s IT team or add it to your app and have them configure their identity provider. The Admin Portal also offers pre- and post-setup triage resolution, so if any problems cause sync to fail, your customer’s IT team can address them directly.
  • In addition to finding and normalizing the most common attributes from directory providers, WorkOS offers custom attribute mappings and syncing through the dashboard and the Admin Portal.
  • Besides webhooks, WorkOS offers an API for streaming real-time ordered events from your customer’s directories. The Events API is a paginated API that returns a strictly ordered list of immutable events. This way, events will never be out of order, and you will avoid spiky throughput (both of which are problems of a webhook implementation).
  • Support for periodic audits and data reconciliation use cases via the State API.
  • WorkOS offers both standalone and AuthKit-integrated SCIM. It’s the only provider at the moment to offer standalone SCIM.
  • WorkOS offers audit logs, which serve as a paper trail of potentially sensitive actions taken by organization members for compliance and security reasons. The audit logs can be exported to CSV using the dashboard or the API, or streamed directly to your customers’ Security Information and Event Management (SIEM) providers like Datadog or Splunk and object storage solutions like AWS S3 or Google Cloud Storage.
  • Flat-rate pricing of $125 per connection per month with automatic volume discounts.

Auth0

Auth0 started offering SCIM as a GA feature in July 2024.

Key features:

  • Support for Okta and Entra ID directories. No support for custom SCIM.
  • No self-serve onboarding UI, so you will have to do the configuration manually for your customers using the Auth0 dashboard. They also don’t offer any guidance specific to the configuration that will have to be done in the identity provider’s dashboard; your customers will have to figure this out by themselves.
  • Support for attribute mapping. Developers can configure attribute mapping between the SCIM user schema and the Auth0 user schema on a per-connection basis.
  • Support for session revocation and logout. When Auth0 receives a SCIM message to deactivate a user, it terminates all their Auth0 sessions, revokes refresh tokens, and triggers OpenID Connect back-channel logout for your applications (if configured).
  • All SCIM operations can be streamed to external systems using log streaming via webhooks. You can pull logs using their API.
  • There is no public information available regarding the pricing. To use SCIM, you have to be on the Enterprise plan, and the only information the pricing page provides is that you should contact the Okta professional services team.

Frontegg

Frontegg has supported generic SCIM since Q1 2023.

Key features:

  • Support for Okta and Entra ID directories. They also support custom SCIM.
  • You can configure a SCIM connection using their dashboard. They also offer a self-serve onboarding UI for your customers.
  • No support for syncing custom attributes or standalone SCIM.
  • Frontegg offers SDKs for all major frontend and mobile technologies (React, Next.js, iOS Swift, Android Kotlin, etc.). However, its backend SDKs are limited to Node.js and Python.
  • Webhooks support for ingesting and handling provisioning events. However, there is no support for pulling events yourself, so you run the risk of events being out of order or having to handle spiky throughput.
  • All SCIM activity can be monitored and managed via a centralized dashboard. Logged events can also be streamed to Datadog, AWS EventBridge, Splunk, Sumo Logic, or Coralogix.
  • There is no public information available regarding the pricing. To use SCIM, you have to be on the Scale or Enterprise plan, and you should contact their team for more info.

Stytch

Stytch started offering SCIM for users as a GA feature in April 2024, and added support for SCIM groups in September 2024.

Key features:

  • Support for Okta, Entra ID, CyberArk, JumpCloud, OneLogin, PingFederate, Rippling, and custom SCIM.
  • You can configure a SCIM connection using the dashboard. They also offer a self-serve onboarding UI, which you can embed into your app if you are using vanilla JS or frameworks like React and Next.js. At the moment, detailed configuration instructions are offered only for Okta and Microsoft Entra (Azure).
  • Webhooks support for ingesting and handling provisioning events. However, there is no support for pulling events yourself, so you run the risk of events being out of order or having to handle spiky throughput.
  • No support for syncing custom attributes or standalone SCIM.
  • SCIM is available in the free tier for up to 5 connections and $125 per connection after that.
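The out-of-order risk of webhook delivery, raised in the Events API comparison above and again for Frontegg and Stytch, matters most for deprovisioning: a stale update that lands late can re-enable a terminated account. This is an added example, not any provider's API; the `seq` field, event shape, and function names are hypothetical, and the deliveries are constructed.

```python
# Constructed webhook deliveries in arrival order. `seq` is a hypothetical
# provider-assigned position; no real provider's payload format is implied.
ARRIVALS = [
    {"seq": 1, "user": "u1", "active": True},    # user provisioned
    {"seq": 3, "user": "u1", "active": False},   # user deprovisioned in the IdP
    {"seq": 3, "user": "u1", "active": False},   # retry of the same delivery
    {"seq": 2, "user": "u1", "active": True},    # older update, delivered late
]

def apply_in_arrival_order(events):
    """Last write wins: a late, stale event overwrites newer state."""
    state = {}
    for e in events:
        state[e["user"]] = e["active"]
    return state

def apply_with_sequence_guard(events):
    """Push model hardened: ignore anything not newer than the last applied event."""
    state, last_seq, dropped = {}, {}, []
    for e in events:
        if e["seq"] <= last_seq.get(e["user"], 0):
            dropped.append(e["seq"])      # duplicate or stale; safe to acknowledge
            continue
        state[e["user"]] = e["active"]
        last_seq[e["user"]] = e["seq"]
    return state, dropped

def pull_after(log, cursor, limit=2):
    """Pull model: read the next page of an ordered log after a saved cursor."""
    page = [e for e in sorted(log, key=lambda e: e["seq"]) if e["seq"] > cursor][:limit]
    return page, (page[-1]["seq"] if page else cursor)

def consume_by_pulling(log):
    """Drain the ordered log page by page, at the consumer's own pace."""
    state, cursor = {}, 0
    while True:
        page, cursor = pull_after(log, cursor)
        if not page:
            return state, cursor
        for e in page:
            state[e["user"]] = e["active"]
```

Applied in arrival order, the sample leaves `u1` active after deprovisioning; the sequence guard and the cursor-based pull both end with the account disabled.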

Descope

Descope has provided inbound SCIM support since Q3 2023.

Key features:

  • Support for Okta, Entra ID, and custom SCIM.
  • You can manage SCIM connections using the Descope API or the dedicated integration app if you are using Okta. SCIM configurations are not visible within the Descope UI.
  • In order to use SCIM, you must already have SSO enabled and users logging in via SSO within your Descope tenant. Standalone SCIM is not supported.
  • You can build a self-serve onboarding UI using Flows, a visual no-code interface.
  • Changes to users will be reflected in the user’s session when the user’s JWT is refreshed. Although the documentation is unclear, you could possibly use their Audit Webhook Connector to stream logs to a webhook and thus get SCIM updates delivered sooner to your app.
  • SCIM provisioning is available in the Growth plan, which starts at $799 per month. You should contact their team for details.

Conclusion

With product maturity, support for any identity provider, detailed docs, SDK support, audit logs, the ability to use webhooks or pull events using the Events API, and flat-rate pricing, WorkOS offers the most complete solution for SCIM at the moment. It’s also the only provider that supports standalone SCIM and syncing from Google Workspace.

Stytch offers a self-serve UI, SDKs, webhooks support, and a free tier for up to 5 connections. However, it lacks product maturity, audit logs, and the ability to pull updates and thus avoid the problems that webhooks have.

Frontegg offers a self-serve UI, audit logs, and webhooks. However, they are missing strong backend SDK support, detailed docs, the ability to pull events, and clarity on their pricing.

Auth0’s offering is also very new; although it offers attribute mapping, session revocation, and webhooks, it is missing a self-serve UI and clarity on its pricing, and it supports only 2 directories.

Descope seems to offer less than the rest, and on top of it, it starts at $799 per month. We didn’t find any docs on attribute mapping, and there is no clear guidance on how you can get the updates besides waiting for the JWT to refresh (it seems possible using audit events, but there is no proper webhook support). Additionally, you should already be using SSO to use SCIM.
