feat(SCIM): SCIM configuration management UI (#7528)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: talissoncosta

frontend/common/services/useScimConfiguration.ts

@@ -0,0 +1,132 @@
+import { Res } from 'common/types/responses'
+import { Req } from 'common/types/requests'
+import { service } from 'common/service'
+
+export const scimConfigurationService = service
+  .enhanceEndpoints({
+    addTagTypes: ['ScimConfiguration'],
+  })
+  .injectEndpoints({
+    endpoints: (builder) => ({
+      createScimConfiguration: builder.mutation<
+        Res['scimConfigurationWithToken'],
+        Req['createScimConfiguration']
+      >({
+        invalidatesTags: (_res, _err, query) => [
+          { id: query.organisation_id, type: 'ScimConfiguration' },
+        ],
+        query: (query: Req['createScimConfiguration']) => ({
+          method: 'POST',
+          url: `organisations/${query.organisation_id}/scim/`,
+        }),
+      }),
+      deleteScimConfiguration: builder.mutation<
+        void,
+        Req['deleteScimConfiguration']
+      >({
+        invalidatesTags: (_res, _err, query) => [
+          { id: query.organisation_id, type: 'ScimConfiguration' },
+        ],
+        query: (query: Req['deleteScimConfiguration']) => ({
+          method: 'DELETE',
+          url: `organisations/${query.organisation_id}/scim/`,
+        }),
+      }),
+      getScimConfiguration: builder.query<
+        Res['scimConfiguration'],
+        Req['getScimConfiguration']
+      >({
+        providesTags: (_res, _err, query) => [
+          { id: query.organisation_id, type: 'ScimConfiguration' },
+        ],
+        query: (query: Req['getScimConfiguration']) => ({
+          url: `organisations/${query.organisation_id}/scim/`,
+        }),
+      }),
+      regenerateScimToken: builder.mutation<
+        Res['scimConfigurationWithToken'],
+        Req['regenerateScimToken']
+      >({
+        invalidatesTags: (_res, _err, query) => [
+          { id: query.organisation_id, type: 'ScimConfiguration' },
+        ],
+        query: (query: Req['regenerateScimToken']) => ({
+          method: 'POST',
+          url: `organisations/${query.organisation_id}/scim/regenerate-token/`,
+        }),
+      }),
+      // END OF ENDPOINTS
+    }),
+  })
+
+export async function createScimConfiguration(
+  store: any,
+  data: Req['createScimConfiguration'],
+  options?: Parameters<
+    typeof scimConfigurationService.endpoints.createScimConfiguration.initiate
+  >[1],
+) {
+  return store.dispatch(
+    scimConfigurationService.endpoints.createScimConfiguration.initiate(
+      data,
+      options,
+    ),
+  )
+}
+export async function deleteScimConfiguration(
+  store: any,
+  data: Req['deleteScimConfiguration'],
+  options?: Parameters<
+    typeof scimConfigurationService.endpoints.deleteScimConfiguration.initiate
+  >[1],
+) {
+  return store.dispatch(
+    scimConfigurationService.endpoints.deleteScimConfiguration.initiate(
+      data,
+      options,
+    ),
+  )
+}
+export async function getScimConfiguration(
+  store: any,
+  data: Req['getScimConfiguration'],
+  options?: Parameters<
+    typeof scimConfigurationService.endpoints.getScimConfiguration.initiate
+  >[1],
+) {
+  return store.dispatch(
+    scimConfigurationService.endpoints.getScimConfiguration.initiate(
+      data,
+      options,
+    ),
+  )
+}
+export async function regenerateScimToken(
+  store: any,
+  data: Req['regenerateScimToken'],
+  options?: Parameters<
+    typeof scimConfigurationService.endpoints.regenerateScimToken.initiate
+  >[1],
+) {
+  return store.dispatch(
+    scimConfigurationService.endpoints.regenerateScimToken.initiate(
+      data,
+      options,
+    ),
+  )
+}
+// END OF FUNCTION_EXPORTS
+
+export const {
+  useCreateScimConfigurationMutation,
+  useDeleteScimConfigurationMutation,
+  useGetScimConfigurationQuery,
+  useRegenerateScimTokenMutation,
+  // END OF EXPORTS
+} = scimConfigurationService
+
+/* Usage examples:
+const { data, isLoading } = useGetScimConfigurationQuery({ organisation_id: 2 }) //get hook
+const [createScimConfiguration, { isLoading, data, isSuccess }] = useCreateScimConfigurationMutation() //create hook
+scimConfigurationService.endpoints.getScimConfiguration.select({organisation_id: 2})(store.getState()) //access data from any function
+*/

frontend/common/types/requests.ts

@@ -734,6 +734,10 @@ export type Req = {
       idp_attribute_name: string
     }
   }
+  getScimConfiguration: { organisation_id: number }
+  createScimConfiguration: { organisation_id: number }
+  deleteScimConfiguration: { organisation_id: number }
+  regenerateScimToken: { organisation_id: number }
   updateIdentity: {
     environmentId: string
     data: Identity

frontend/common/types/responses.ts

@@ -864,6 +864,16 @@ export type SAMLAttributeMapping = {
   idp_attribute_name: string
 }
 
+export type ScimConfiguration = {
+  created_at: string
+  token_rotated_at: string
+  base_url: string
+}
+
+export type ScimConfigurationWithToken = ScimConfiguration & {
+  token: string
+}
+
 export type HealthEventType = 'HEALTHY' | 'UNHEALTHY'
 
 export type FeatureHealthEventReasonTextBlock = {
@@ -1215,6 +1225,8 @@ export type Res = {
     metadata_xml: string
   }
   samlAttributeMapping: PagedResponse<SAMLAttributeMapping>
+  scimConfiguration: ScimConfiguration
+  scimConfigurationWithToken: ScimConfigurationWithToken
   identitySegments: PagedResponse<Segment>
   organisationWebhooks: PagedResponse<Webhook>
   projectChangeRequests: PagedResponse<ChangeRequestSummary>

frontend/common/utils/utils.tsx

@@ -50,6 +50,7 @@ export type PaidFeature =
   | 'METADATA'
   | 'REALTIME'
   | 'SAML'
+  | 'SCIM'
   | 'SCHEDULE_FLAGS'
   | 'CREATE_ADDITIONAL_PROJECT'
   | '2FA'
@@ -221,7 +222,11 @@ const Utils = Object.assign({}, BaseUtils, {
   flagsmithFeatureExists(flag: string) {
     return Object.prototype.hasOwnProperty.call(flagsmith.getAllFlags(), flag)
   },
-  getContentType(contentTypes: ContentType[] | undefined, model: string, type: string) {
+  getContentType(
+    contentTypes: ContentType[] | undefined,
+    model: string,
+    type: string,
+  ) {
     return contentTypes?.find((c: ContentType) => c[model] === type) || null
   },
   getCreateProjectPermission(organisation: Organisation) {
@@ -522,7 +527,8 @@ const Utils = Object.assign({}, BaseUtils, {
       case 'AUDIT':
       case '4_EYES_PROJECT':
       case '4_EYES':
-      case 'SAML': {
+      case 'SAML':
+      case 'SCIM': {
         plan = 'scale-up'
         break
       }

frontend/documentation/components/CopyField.stories.tsx

@@ -0,0 +1,59 @@
+import React from 'react'
+import type { Meta, StoryObj } from 'storybook'
+
+import CopyField from 'components/CopyField'
+
+const meta: Meta = {
+  parameters: {
+    docs: {
+      description: {
+        component:
+          'Read-only input paired with an icon-only Copy button. Pass `value` to copy; render any width by wrapping in a sized container — the input flexes to fill the row.',
+      },
+    },
+    layout: 'padded',
+  },
+  title: 'Components/Forms/CopyField',
+}
+export default meta
+
+type Story = StoryObj
+
+const Container: React.FC<React.PropsWithChildren> = ({ children }) => (
+  <div style={{ width: 480 }}>{children}</div>
+)
+
+export const Default: Story = {
+  render: () => (
+    <Container>
+      <CopyField value='https://app.flagsmith.com/api/v1/scim/organisations/42/scim/v2' />
+    </Container>
+  ),
+}
+
+export const Monospace: Story = {
+  render: () => (
+    <Container>
+      <CopyField
+        value='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzY2ltLXRva2VuIn0'
+        className='font-monospace'
+      />
+    </Container>
+  ),
+}
+
+export const ShortValue: Story = {
+  render: () => (
+    <Container>
+      <CopyField value='org_42' />
+    </Container>
+  ),
+}
+
+export const LongValue: Story = {
+  render: () => (
+    <Container>
+      <CopyField value='https://very-long-subdomain.example.flagsmith-eu.com/api/v1/auth/saml/configurations/marketing-okta/response/redirect?next=/dashboard' />
+    </Container>
+  ),
+}

frontend/e2e/tests/sso-test.pw.ts

@@ -0,0 +1,64 @@
+import { test } from '../test-setup'
+import { byId, log, createHelpers, visualSnapshot } from '../helpers'
+import { E2E_USER, PASSWORD } from '../config'
+
+test.describe('SCIM Tests', () => {
+  test('SCIM configuration can be created, regenerated, and deleted @enterprise', async ({ page }, testInfo) => {
+    const {
+      click,
+      login,
+      waitForElementVisible,
+    } = createHelpers(page)
+
+    log('Login')
+    await login(E2E_USER, PASSWORD)
+
+    log('Navigate to SSO tab in Organisation Settings')
+    await waitForElementVisible(byId('organisation-link'))
+    await click(byId('organisation-link'))
+    await waitForElementVisible(byId('org-settings-link'))
+    await click(byId('org-settings-link'))
+    await click(byId('sso'))
+
+    log('Ensure clean state')
+    const createBtn = page.locator(byId('scim-create'))
+    const deleteBtn = page.locator(byId('scim-delete'))
+    await createBtn.or(deleteBtn).waitFor({ state: 'visible' })
+    if (await deleteBtn.isVisible()) {
+      await click(byId('scim-delete'))
+      await click('#confirm-btn-yes')
+      await waitForElementVisible(byId('scim-create'))
+    }
+    await visualSnapshot(page, 'scim-empty', testInfo)
+
+    log('Create SCIM configuration')
+    await click(byId('scim-create'))
+
+    log('Token modal shows the bearer token')
+    await waitForElementVisible(byId('scim-token-value'))
+    await visualSnapshot(page, 'scim-token-modal', testInfo)
+
+    log('Close token modal via inline confirmation')
+    await click(byId('scim-token-done'))
+    await click(byId('scim-token-confirm-done'))
+
+    log('Configured state shows base URL')
+    await waitForElementVisible(byId('scim-base-url'))
+    await visualSnapshot(page, 'scim-configured', testInfo)
+
+    log('Regenerate token')
+    await click(byId('scim-regenerate'))
+    await click('#confirm-btn-yes')
+    await waitForElementVisible(byId('scim-token-value'))
+    await click(byId('scim-token-done'))
+    await click(byId('scim-token-confirm-done'))
+    await waitForElementVisible(byId('scim-base-url'))
+
+    log('Delete SCIM configuration')
+    await click(byId('scim-delete'))
+    await click('#confirm-btn-yes')
+
+    log('Back to empty state')
+    await waitForElementVisible(byId('scim-create'))
+  })
+})

frontend/web/components/CopyField.tsx

@@ -0,0 +1,49 @@
+import React, { FC } from 'react'
+import Button from './base/forms/Button'
+import Flex from './base/grid/Flex'
+import Icon from './icons/Icon'
+import Input from './base/forms/Input'
+import Row from './base/grid/Row'
+import Utils from 'common/utils/utils'
+
+// Minimal read-only input + icon-only Copy button pattern. The codebase has
+// half a dozen consumers rolling this inline (CreateSAML's ACS URL, SDK
+// keys, webhook URLs, etc.) — they should all migrate here in a follow-up.
+// Keep the API tight for now to avoid pre-committing to choices that don't
+// fit every existing consumer.
+type CopyFieldProps = {
+  value: string
+  className?: string
+  'data-test'?: string
+}
+
+const CopyField: FC<CopyFieldProps> = ({
+  className,
+  'data-test': dataTest,
+  value,
+}) => {
+  const onCopy = () => Utils.copyToClipboard(value)
+
+  return (
+    <Row className='gap-2 align-items-center'>
+      <Flex>
+        <Input
+          value={value}
+          readOnly
+          className={className}
+          data-test={dataTest}
+        />
+      </Flex>
+      <Button
+        theme='secondary'
+        className='btn-with-icon'
+        onClick={onCopy}
+        aria-label='Copy to clipboard'
+      >
+        <Icon name='copy' width={20} />
+      </Button>
+    </Row>
+  )
+}
+
+export default CopyField

frontend/web/components/PlanBasedAccess.tsx

@@ -93,6 +93,12 @@ export const featureDescriptions: Record<PaidFeature, any> = {
     docs: 'https://docs.flagsmith.com/advanced-use/scheduled-flags',
     title: 'Scheduled Flags',
   },
+  'SCIM': {
+    description:
+      'Provision and de-provision users and groups automatically from your identity provider.',
+    docs: 'https://docs.flagsmith.com/administration-and-security/access-control/scim/',
+    title: 'SCIM user provisioning',
+  },
   'STALE_FLAGS': {
     description:
       'Add automatic stale flag detection, prompting your team to clean up old flags.',