feat: add SCIM 2.0 user provisioning (EE) #1306
Adds a SCIM 2.0 server so an IdP (Okta, Entra) can provision, update, and deprovision org members. Users-only scope; deprovisioning soft-deactivates the membership (forces logout + revokes tokens) rather than deleting it, and JIT auto-join is suppressed when SCIM is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| /// SCIM soft-deactivation flag. When false, the membership is suspended by | ||
| /// the IdP: the user is treated as a non-member for auth purposes (see | ||
| /// `getAuthContext`) but the row is preserved so the IdP can reactivate it. | ||
| isActive Boolean @default(true) |
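Review bot: The doc comment on `isActive` names only `getAuthContext` as the enforcement point, but because the row is preserved when the flag is false, any read of this membership row that does not go through `getAuthContext` would still see a suspended user as a member. Suggest either listing in this comment the other places that must filter on `isActive`, or stating that every membership read goes through one helper. It would also help to note here that `@default(true)` leaves existing rows active after the migration, so nothing is suspended until the IdP sets the flag.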
tbd: do we actually need to store an isActive field here?
Adds a SCIM 2.0 server (EE, gated by the new `scim` entitlement) so an identity provider (Okta, Entra) can provision and deprovision Sourcebot members.

Scope

- `/scim/v2` Users endpoints: discovery, list+filter, create, get, replace, PATCH (`active` toggle), delete. Groups deferred.
- `UserToOrg.isActive`): forces logout via `sessionVersion` and revokes API/OAuth tokens, but preserves the row so the IdP can reactivate.
- `ScimToken` (bearer auth via `withScimAuth`); managed under Settings → Security.

Note: the `scim` entitlement must be added to the lighthouse entitlements list and deployed before online licenses will grant it.

🤖 Generated with Claude Code
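The PATCH `active` toggle and soft-deactivation described above, sketched as an added example that is not code from this PR or from Sourcebot. It parses the two PatchOp shapes IdPs commonly send (path-less object value, and `path: "active"` with a string value) and applies the result to an in-memory membership; `Membership`, `extractActive`, `applyActive` and the sample requests are hypothetical names and constructed data.

```typescript
// Added example, not Sourcebot code: every name below is hypothetical.
type PatchOp = { op: string; path?: string; value?: unknown };
type PatchRequest = { schemas: string[]; Operations: PatchOp[] };
interface Membership { isActive: boolean; sessionVersion: number; tokens: string[] }
const PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";

// Accept a real boolean or the string form ("False") that some IdPs send.
function toBool(v: unknown): boolean | undefined {
  if (typeof v === "boolean") return v;
  if (typeof v === "string" && /^(true|false)$/i.test(v)) return v.toLowerCase() === "true";
  return undefined;
}

// Returns the requested `active` value, or undefined if the PATCH does not touch it.
function extractActive(req: PatchRequest): boolean | undefined {
  if (!req.schemas.includes(PATCH_SCHEMA)) throw new Error("invalidSyntax: not a PatchOp");
  let result: boolean | undefined;
  for (const o of req.Operations) {
    const op = o.op.toLowerCase(); // some IdPs capitalize the op name
    if (op !== "replace" && op !== "add") continue;
    let candidate: unknown;
    if (o.path === undefined) {
      if (typeof o.value === "object" && o.value !== null && "active" in o.value) {
        candidate = (o.value as Record<string, unknown>).active;
      } else continue;
    } else if (o.path.toLowerCase() === "active") {
      candidate = o.value;
    } else continue;
    const b = toBool(candidate);
    if (b === undefined) throw new Error("invalidValue: active must be boolean");
    result = b;
  }
  return result;
}

// Soft-deactivate: keep the row, bump sessionVersion (forces logout), drop tokens.
function applyActive(m: Membership, active: boolean): Membership {
  if (m.isActive === active) return m;          // idempotent, IdPs retry requests
  if (active) return { ...m, isActive: true };  // assumption: reactivation does not restore tokens
  return { isActive: false, sessionVersion: m.sessionVersion + 1, tokens: [] };
}

// Constructed sample requests covering both shapes.
const pathless: PatchRequest = { schemas: [PATCH_SCHEMA], Operations: [{ op: "replace", value: { active: false } }] };
const withPath: PatchRequest = { schemas: [PATCH_SCHEMA], Operations: [{ op: "Replace", path: "active", value: "False" }] };
```

Rejecting a non-boolean `active` value matters here: silently coercing an unexpected string to `true` would leave a deprovisioned user signed in.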