Here's a sentence you'll never see on a SaaS pricing page: "We charge extra for security." But that's exactly what happens when a vendor gates SCIM provisioning behind their enterprise tier.

SCIM (System for Cross-domain Identity Management) is the protocol that lets your identity provider automatically create, update, and remove user accounts when someone joins, moves roles, or leaves your company. It's not a luxury feature. It's the baseline of responsible identity management. Yet vendor after vendor locks it behind their most expensive plan - forcing you to pay up or manage access manually.

The IT community calls this the SCIM tax. And once you run the actual numbers across a typical SaaS stack of 50-100 apps, the bill is staggering.


What the SCIM Tax Actually Means

The SCIM tax isn't one payment. It's a pricing strategy applied per app, per year, compounding across your entire stack.

The pattern is always the same:

  • You buy a tool on a Business or Professional plan
  • That plan includes SSO (authentication)
  • But automated user provisioning - the thing that actually keeps access clean - is locked to Enterprise
  • Enterprise means custom pricing, a sales negotiation, and a significant per-user premium
  • You either pay it or manage that app manually forever

The gap between "SSO included" and "SCIM included" isn't a technical limitation. It's a deliberate monetization decision. You're paying a premium for something that should be table stakes.


The Per-App Price Tag: Six Tools, Real Numbers

Let's drop the abstractions. Here's what the SCIM tax actually costs for six tools that sit in nearly every SaaS-heavy company's stack.

Notion

Notion gates SCIM provisioning behind its Enterprise plan, with custom pricing typically ranging from $18-$25 per user per month. The Business plan - at $20/user/month - already includes SAML SSO. SCIM is locked at the next tier up, meaning you get authentication but no lifecycle automation. For a 100-person team, that jump means $1,800-$5,000 per month in Enterprise licensing costs just to unlock basic user provisioning.

The frustrating part? Notion's Business plan includes SAML SSO but artificially excludes SCIM provisioning, forcing organizations to negotiate custom Enterprise pricing for automated user management. You're paying a premium to add provisioning to authentication you already bought.

Figma

Figma has one of the sharpest SCIM cliffs in the market. Figma's Enterprise plan starts at $90 per full seat annually, and includes SCIM provisioning, SSO, and advanced admin controls. The Professional plan sits at $16/user/month. That's a jump of $74/user/month just to get automated seat management. For a 100-person Professional team, accessing full SCIM seat management means paying an extra $88,800 per year.

There's a nuance worth knowing: Figma's Organization plan provides basic SCIM (create/update/deactivate users) but all provisioned users receive View-only seats by default - upgrading to Editor or Admin requires manual intervention. So even the intermediate plan gives you only partial automation. For full seat management via SCIM, Enterprise is effectively required.

Slack

Slack is the communication layer for most companies - and gets missed by many IT teams when auditing SCIM coverage. Slack's Business+ plan at $15/user/month (billed annually) includes SAML SSO and SCIM provisioning, while the Pro plan at $8.75/user/month does not. For a 200-person team, that's an additional $14,700/year to unlock automated user lifecycle management in what is, for most companies, their single most-used daily tool.

The pricing jump from Pro to Business+ represents a 107% price increase. And unlike some enterprise upgrades, Business+ is a real jump you'll feel.

Linear

Linear is the project tracker of choice for product and engineering teams. Linear supports SCIM 2.0 for automated user provisioning, but only on its Enterprise plan with custom pricing typically ranging from $192-$240 per user per year. Teams on the Business plan at $9.60/user/month face a roughly 20x price increase just to unlock basic provisioning automation.

There's an added dependency: Linear requires SAML SSO to be enabled before SCIM can be configured, meaning you can't use automated provisioning without also implementing single sign-on.

GitHub

For engineering teams, GitHub is where your most sensitive assets live - source code, repositories, deployment credentials. Yet GitHub supports SCIM provisioning only through Enterprise Managed Users (EMU) on the Enterprise plan at $21/user/month. The catch is severe: your entire GitHub Enterprise organization must be configured as EMU from inception - you cannot simply enable SCIM on your existing Enterprise organization. Standard Enterprise organizations get a SCIM implementation that only sends invitations - not true automated provisioning.

For most teams, this means an architectural restructure just to get a basic feature - or continued manual access management on one of your most critical platforms.

Jira / Atlassian

Atlassian takes a different approach: instead of hiding SCIM in a tier, they sell it as a separate add-on. Atlassian Guard Standard costs $3-4 per user per month additional, meaning a 100-person organization pays $3,600-$4,800 per year extra just for provisioning capabilities, on top of their existing Jira and Confluence licenses. And the complexity doesn't stop there: as of January 2025, SCIM API keys now expire after one year, requiring mandatory annual rotation.

Miro

Miro gates SCIM provisioning behind its Enterprise plan, which requires custom pricing for teams of 30 or more members. Teams on Business at $16/user/month have SSO - but no automated provisioning. The result: a 50-person team on Miro Business pays $9,600 per year but cannot automate user lifecycle management. They're either forced to upgrade or forced to manage access manually - which means orphaned accounts the moment someone leaves.


The Cumulative Stack Math

Now add it all up. Here's what a 100-person company running a standard modern SaaS stack actually pays to unlock SCIM provisioning:

The SCIM Tax: App-by-App Price Reality Check (100-user team)
| App | Working Plan | Base Price (per user/mo) | Plan Required for SCIM | SCIM Plan Price (per user/mo) | Annual Upgrade Tax (100 users) |
| --- | --- | --- | --- | --- | --- |
| Notion | Business | $20 | Enterprise (custom) | ~$25+ | ~$6,000+ |
| Figma | Professional | $16 | Enterprise | $90 | ~$88,800 |
| Slack | Pro | $8.75 | Business+ | $15 | ~$7,500 |
| Linear | Business ($9.60/user) | $9.60 | Enterprise (custom) | ~$16-20 | ~$7,680-$12,480 |
| Miro | Business | $16 | Enterprise (custom) | Custom (30+ users) | Significant uplift |
| GitHub | Team | $4 | Enterprise (EMU only) | $21 | ~$20,400 |
| Jira / Atlassian | Standard | $9.05 | Standard + Guard add-on | +$3-4/user/mo | ~$3,600-$4,800 |

These numbers aren't theoretical. A team of 100 paying the SCIM tax across just Figma, GitHub, Notion, Slack, and Jira is looking at over $120,000 per year in forced enterprise upgrades - just to automate user lifecycle management. On tools they're already using and paying for.

That's before any IGA platform costs. That's just the vendor upgrade tax.


Try the Calculator: What's Your SCIM Tax?

The costs above are based on list pricing. Your stack is different. Use this calculator to estimate your own SCIM tax based on your team size and app mix:


The Deeper Problem: SCIM Covers Maybe 30% of Your Stack

Here's what makes the SCIM tax particularly absurd: even if you pay it on every app that supports SCIM, you still don't have complete identity governance.

Warning

The 30% Coverage Trap: Even if you pay the SCIM tax on every app that supports it, you still only automate 20-40% of your actual SaaS stack. The other 60-80% - legacy tools, niche SaaS, internal apps, OT systems - have no SCIM endpoint at all. The SCIM tax is the price of partial governance.

The average company running 50-100 SaaS tools finds that only 20-40% have accessible SCIM endpoints - and "accessible" often means "only after paying the enterprise upgrade." The other 60-80% - legacy tools, niche vertical apps, internal systems, OT environments, anything without a modern API - have no SCIM endpoint at all.

So the honest picture looks like this:

  • You pay the SCIM tax -> You get automated provisioning for 20-40% of your stack
  • The remaining 60-80% stays manual: spreadsheets, tickets, and hope
  • You still have identity blindspots, orphaned accounts, and compliance gaps across the majority of your apps
  • Auditors who ask "who has access to what, and since when?" still get an incomplete answer

This is the 30% coverage trap - and it's where most IGA implementations stall.

There's another layer most IT teams don't talk about openly: zombie licenses. Former employees whose access was never fully revoked because deprovisioning was manual, inconsistent, or only covered SCIM-enabled apps. Every orphaned account is a paid license burning budget and a security gap waiting to be noticed - by an auditor, or by someone with bad intentions.

On average, Iden finds 47 orphaned accounts at a 100-person company during initial setup. The SaaS spend recovered from reclaiming those licenses often offsets a significant share of governance platform costs.
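A reconciliation check for the orphaned accounts described above, as an added example that is not code from this article or from any vendor it names. It assumes you can export a roster from your identity provider and a user list from each app as CSV; the column names, app names and sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample data: an IdP roster export and per-app account exports.
IDP_ROSTER_CSV = """email,status
ana@example.com,active
ben@example.com,active
cy@example.com,deprovisioned
"""
APP_EXPORTS = {
    "notion": """email,last_login,seat
ana@example.com,2025-05-01,paid
cy@example.com,2025-01-10,paid
""",
    "figma": """email,last_login,seat
Ben@Example.com,2025-05-02,paid
cy@example.com,2024-12-01,paid
dee.contractor@example.net,2025-02-03,paid
""",
}

def load_roster(roster_csv):
    """Map normalized email -> IdP status."""
    rows = csv.DictReader(io.StringIO(roster_csv))
    return {r["email"].strip().lower(): r["status"].strip() for r in rows}

def find_orphans(roster_csv, app_exports):
    """Return app accounts that have no active IdP identity behind them."""
    roster = load_roster(roster_csv)
    orphans = []
    for app, export in sorted(app_exports.items()):
        for row in csv.DictReader(io.StringIO(export)):
            email = row["email"].strip().lower()
            status = roster.get(email, "not_in_idp")
            if status != "active":
                orphans.append({"app": app, "email": email, "reason": status,
                                "last_login": row["last_login"],
                                "paid_seat": row["seat"] == "paid"})
    return orphans

if __name__ == "__main__":
    for orphan in find_orphans(IDP_ROSTER_CSV, APP_EXPORTS):
        print(orphan)
```

The `reason` field separates accounts whose owner was deprovisioned in the IdP from accounts the IdP never knew about, such as contractors invited directly into an app; the two usually need different follow-up.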


SCIM Also Has a Control Ceiling

Even where SCIM works, it doesn't deliver fine-grained governance. The SCIM data model is intentionally simple: users, groups, and a handful of attributes. That's by design - it's a synchronization protocol, not a governance engine.

What SCIM can do:

  • Add a user to an "Engineering" group in GitHub
  • Deactivate an account when someone leaves your identity provider

What SCIM can't do:

  • Control which specific repositories, branches, or environments that user can access
  • Set per-channel permissions in Slack
  • Enforce project-level access rules in Notion or Linear
  • Run continuous access reviews that flag overprovisioned accounts in real time
  • Detect that a contractor still has edit access to a design file two months after their contract ended

For companies approaching SOC 2, ISO 27001, or DORA compliance - where auditors want evidence of least-privilege access and timely deprovisioning across your entire stack - SCIM-only coverage creates exactly the kind of gaps that generate audit findings.
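The two operations listed under "What SCIM can do", written out as SCIM 2.0 PATCH messages (RFC 7644) and applied to a toy in-memory service provider. This is an added example, not code from this article or from any vendor; the resource IDs, the store and the function names are constructed. Note that the core Group resource carries only a display name and a member list, which is why nothing below could express a repository-level or channel-level permission.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def deactivate_user_request(user_id):
    """PATCH an IdP sends when someone leaves: set active to false."""
    return ("PATCH", f"/Users/{user_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    })

def add_to_group_request(group_id, user_id):
    """PATCH that adds a user to a group such as "Engineering"."""
    return ("PATCH", f"/Groups/{group_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": user_id}]}],
    })

def apply_patch(store, request):
    """Apply one PatchOp request and return an updated copy of the store."""
    method, path, body = request
    if method != "PATCH" or PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    _, kind, rid = path.split("/")
    store = copy.deepcopy(store)
    resource = store[kind][rid]
    for op in body["Operations"]:
        name = op["op"].lower()  # op names are case-insensitive in RFC 7644
        if name == "replace":
            resource[op["path"]] = op["value"]
        elif name == "add":  # toy handling: multi-valued attributes only
            current = resource.setdefault(op["path"], [])
            known = {m["value"] for m in current}
            current += [m for m in op["value"] if m["value"] not in known]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return store

# Constructed sample resources using core-schema attributes only.
STORE = {
    "Users": {"u1": {"userName": "ana@example.com", "active": True}},
    "Groups": {"g1": {"displayName": "Engineering", "members": []}},
}
```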


The Alternative: Universal Connectors, No SCIM Tax

The SCIM tax is a vendor pricing strategy, not a technical inevitability. Companies pay it because most IGA tools are built around SCIM - so if an app doesn't support SCIM, or only supports it on an enterprise tier you can't afford, the tool simply doesn't cover that app.

Universal connectors work differently. Instead of requiring a SCIM endpoint, they connect to any app through its API, its web interface, or purpose-built connectors - regardless of what plan you're on. The result: Iden's universal connectors work with 175+ apps and growing, connecting to any application in your stack whether it supports SCIM, has an API, or neither.

What that means in practice:

  • Notion on Business plan? Fully automated provisioning and deprovisioning. No enterprise upgrade required.
  • Figma on Professional? Same. No $90/seat Enterprise plan needed.
  • An internal tool with no API? Covered through agentic connectors that work at the workflow level.
  • A legacy system with no SCIM endpoint? Connected.

You stay on the plans you're already paying for. The SCIM tax drops to zero.

Beyond coverage, universal connectors go deeper than SCIM. Where SCIM assigns users to groups, Iden's fine-grained connectors handle channel-level permissions in Slack, repository-level access in GitHub, project-level controls in Linear and Notion. That's the difference between group governance and actual least-privilege enforcement.

Lifecycle automation - onboarding, role changes, offboarding - runs as policy-driven, AI-driven workflows (agentic workflows) across 100% of your stack, not just the SCIM-friendly 20-40%. When someone leaves, automated license reclamation sweeps every connected app, reclaiming seats that would otherwise accumulate as zombie accounts.

Companies running Iden typically see up to 80% fewer manual access tickets, complete lifecycle automation from day one, and SaaS spend reductions of up to 30% from automated license reclamation alone - often paying back a significant share of the platform cost in recovered zombie licenses.


Who This Matters to Most

The SCIM tax hits hardest at companies in the 200-1,000 employee range: large enough to have a complex SaaS stack, but not large enough to absorb six-figure annual upgrade costs across every tool. These are typically companies where:

  • IT is a lean team of one to ten people managing provisioning for the entire organization
  • SSO is in place (Okta, Entra ID) but there's no real governance layer on top
  • Compliance is becoming real - SOC 2, ISO 27001, DORA - but "throw bodies at it" isn't an option
  • The SaaS stack includes plenty of apps with no SCIM support at any tier

If you're in this position, the SCIM tax isn't just a budget problem. It's a governance gap. Every app you can't automate is an app where access sprawls, deprovisioning fails, and zombie accounts accumulate. And if your auditors start asking hard questions, the honest answer is usually: "We automate the easy apps. The rest, we manage by hand."

That's not a posture you want going into a SOC 2 audit - or a board-level conversation about security spend. If you want to see how this stacks up from a compliance angle, the SCIM-only vs. universal coverage comparison breaks it down across governance frameworks. For teams preparing for specific compliance milestones, the complete regulatory-ready identity governance guide covers HIPAA, NIS2, DORA, and SOC 2 requirements in detail.


Frequently Asked Questions

What exactly is SCIM and why does it matter for identity governance?

SCIM (System for Cross-domain Identity Management) is an open standard that lets your identity provider automatically create, update, and deactivate user accounts in connected apps. When it works, onboarding and offboarding become hands-free. The problem: most vendors lock SCIM behind their most expensive enterprise tier, forcing you to pay a significant premium just to automate basic lifecycle operations.

Is the SCIM tax really that significant for a mid-sized company?

Yes - and it compounds fast. A 200-person company running a typical SaaS stack of Notion, Figma, Slack, GitHub, and Jira could easily spend $30,000-$50,000+ per year in forced enterprise upgrades just to unlock SCIM provisioning. That's before you factor in the 60-80% of your stack that has no SCIM support at all, which you'd still be managing manually.

What's the alternative to paying the SCIM tax?

Universal connectors - like those in Iden - automate provisioning and deprovisioning for any app, whether it supports SCIM, has an API, or has neither. You stay on your current SaaS plans and skip the forced enterprise upgrades entirely. The result: complete lifecycle automation across 100% of your stack, not just the SCIM-friendly 20-40%.

Does SCIM actually give you complete governance once you pay for it?

No. Even on apps where SCIM is available, it operates at the group/role level - not the fine-grained permission level. SCIM can add a user to an 'Engineering' group in GitHub, but it can't control which specific repositories, branches, or environments they can access. For real governance, you need fine-grained control that goes beyond what SCIM provides.

What are zombie licenses and how do they relate to the SCIM tax?

Zombie licenses are paid SaaS seats assigned to employees who have already left your company. They survive because offboarding is incomplete - typically because the app isn't covered by SCIM provisioning and nobody manually removed the account. On average, Iden finds 47 orphaned accounts at a 100-person company during initial setup. Eliminating them can reduce SaaS spend by up to 30%.


The Takeaway

The SCIM tax is real, significant, and cumulative. A single forced enterprise upgrade might seem manageable. But across five, ten, or twenty tools in a typical stack, you're looking at tens of thousands of dollars per year - paid to unlock provisioning that should be standard, covering at best a third of your apps.

The math doesn't improve when you factor in what SCIM doesn't do: it leaves most of your stack unautomated, delivers only coarse-grained group-level access control, and still leaves zombie accounts in apps with no SCIM support at all.

Universal connectors are the way out. Automate every app, on the plans you already pay for, with fine-grained control that goes beyond groups and roles - and lifecycle automation that actually keeps access clean, not just synchronized.

The SCIM tax is a choice. You don't have to pay it.