You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Document multi-tenant SCIM support in SCIM overview (#627)
* Update SCIM_overview.mdx
* Address Copilot review on SCIM multi-tenant URL examples
Reframe URL examples as base URLs with resource paths appended by the
SCIM client, align placeholder names with sibling Okta/Entra docs
({permit_project_id}, {permit_env_id}, {tenant_id}), and clarify that
the second /v2/ segment is the multi-tenant routing prefix rather than
a SCIM protocol version.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Address review: EU host, tenant pre-existence, normalized role key
Address Zeev's three inline review comments on PR #627:
- Add EU regional host (scim.eu-central-1.permit.io) variant for both
legacy and tenant-aware base URLs, mirroring OKTA.mdx and EntraID.mdx.
- Note that the target Permit tenant must already exist; the SCIM server
validates {tenant_id} format but does not auto-create tenants.
- Clarify that group reuse matches on the normalized role key, so two
different display names that normalize to the same key are rejected
rather than merged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: David Shoen <dbshoen@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Zeev Manilovich <zeevmoney@users.noreply.github.com>
Co-authored-by: dshoen619 <107557675+dshoen619@users.noreply.github.com>
Copy file name to clipboardExpand all lines: docs/integrations/SCIM/SCIM_overview.mdx
+39-1Lines changed: 39 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ SCIM streamlines and secures user account management by automating tasks such as
18
18
-**Efficiency:** Manages increasing numbers of user accounts efficiently and handles provisioning and permissions without manual intervention.
19
19
-**Consistency:** Standardizes how user data is stored and communicated, ensuring information remains consistent across applications.
20
20
-**Error Reduction:** Minimizes the risk of mistakes from manual data entry or custom integrations.
21
-
-**Security:** Reduces risks by ensuring users don’t need multiple passwords and keeps data synchronized, aiding in policy enforcement.
21
+
-**Security:** Reduces risks by ensuring users don't need multiple passwords and keeps data synchronized, aiding in policy enforcement.
22
22
23
23
### How SCIM Works
24
24
@@ -27,3 +27,41 @@ SCIM operates over REST and JSON protocols, involving:
27
27
-**Service Providers (SPs):** Applications such as Slack or Box that require user data from IdPs.
28
28
29
29
When changes occur in the IdP (e.g., user profiles created or updated), these changes are automatically synced to the SP, keeping user information up-to-date and providing seamless access to applications and resources.
30
+
31
+
### Multi-tenant SCIM
32
+
33
+
The SCIM server supports a tenant-aware URL form so a single Permit environment can back multiple isolated customer tenants. Two **base URL** shapes are supported — the SCIM client (Okta, Entra) appends the resource path (`/Users`, `/Groups`, etc.) to whichever base URL you configure:
34
+
35
+
-**Legacy (single-tenant) base URL:**`https://scim.permit.io/scim/v2/{permit_project_id}/{permit_env_id}`
36
+
- Resource endpoints: `.../Users`, `.../Groups`.
37
+
- All role assignments land in the `default` tenant. Existing integrations continue to work unchanged.
38
+
-**Tenant-aware base URL:**`https://scim.permit.io/scim/v2/{permit_project_id}/{permit_env_id}/v2/{tenant_id}`
39
+
- Resource endpoints: `.../Users`, `.../Groups`.
40
+
- The `{tenant_id}` segment is required — there is no tenant-less `/v2/Users`. SCIM clients bake the tenant into their endpoint configuration, so each tenant points its IdP at its own base URL.
41
+
42
+
Replace `{permit_project_id}` and `{permit_env_id}` with your Permit project ID/Key and environment ID/Key respectively, and `{tenant_id}` with the target Permit tenant key.
43
+
44
+
**EU users** replace the `scim.permit.io` host with `scim.eu-central-1.permit.io` in either shape — e.g. `https://scim.eu-central-1.permit.io/scim/v2/{permit_project_id}/{permit_env_id}` (legacy) or `https://scim.eu-central-1.permit.io/scim/v2/{permit_project_id}/{permit_env_id}/v2/{tenant_id}` (tenant-aware).
45
+
46
+
:::note
47
+
The second `/v2/` segment in the tenant-aware URL is a routing prefix that selects the multi-tenant SCIM API; it is **not** a SCIM protocol version. The SCIM 2.0 protocol version is the earlier `/scim/v2/` segment.
48
+
:::
49
+
50
+
`{tenant_id}` must match `[A-Za-z0-9_-]{1,64}` (1–64 chars: alphanumerics, underscore, hyphen). Invalid values return a 404 at the routing layer before any handler runs.
51
+
52
+
#### How users, groups, and tenants relate
53
+
54
+
-**Users are environment-scoped.** A SCIM User created via any tenant URL is provisioned once in the Permit environment. The `{tenant_id}` segment is accepted in the URL but does not partition users — `userName` remains globally unique within the environment.
55
+
-**Groups (roles) are environment-scoped definitions.** A Group with `displayName: "Engineering"` resolves to a single role in the environment. If two tenants both create a Group with the same `displayName`, they share the same underlying role definition; the second `POST /Groups` reuses the existing role rather than failing. Matching is by the normalized role key (non-alphanumeric characters other than `-` and `_` are stripped), not the raw `displayName` — so two *different* display names that normalize to the same key (e.g. `Eng Team` and `EngTeam` both → `EngTeam`) are rejected rather than merged.
56
+
-**Group membership (role assignment) is tenant-scoped.** Adding a user to a Group via `/v2/{tenant_id}/Groups/...` grants that user the role *within that tenant*. The same user can hold the `Engineering` role in tenant `acme` and not in tenant `globex`. Membership in one tenant has no effect on membership in another.
57
+
58
+
This matches Permit's data model: roles are defined per environment, and assignments carry a tenant. It avoids duplicating role definitions per tenant while keeping each tenant's user-to-role bindings fully independent.
59
+
60
+
#### Choosing between the two URLs
61
+
62
+
- Use the **legacy URL** for existing single-tenant integrations or when all users share one logical tenant.
63
+
- Use the **tenant-aware URL** when one Permit environment serves multiple customers and each must have its own isolated set of role assignments. Provision one SCIM connection per tenant in your IdP, each pointing at its own `/v2/{tenant_id}/...` endpoint.
64
+
65
+
:::caution
66
+
The target Permit tenant must already exist before you provision the SCIM connection. The SCIM server validates the `{tenant_id}` format but does **not** create the tenant — it auto-creates missing *users*, but there is no equivalent tenant auto-creation. Pointing a SCIM client at a `{tenant_id}` that does not yet exist in the environment causes the role-assignment call to fail and surfaces as an error to your IdP.
0 commit comments