feat: add SCIM 2.0 user provisioning (EE)

CHANGELOG.md

@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added the ability to configure email code and credentials login from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
 - Added a list of configured SSO providers from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+- [EE] Added a SCIM 2.0 server for automated user provisioning and deprovisioning from identity providers (Okta, Entra). [#1306](https://github.com/sourcebot-dev/sourcebot/pull/1306)
 
 ### Fixed
 - Validated that `SOURCEBOT_ENCRYPTION_KEY` is exactly 32 characters at startup, failing fast with an actionable message instead of a runtime encryption error. [#1305](https://github.com/sourcebot-dev/sourcebot/pull/1305)

docs/api-reference/sourcebot-public.openapi.json

@@ -1148,6 +1148,11 @@
               "MEMBER"
             ]
           },
+          "suspendedAt": {
+            "type": "string",
+            "nullable": true,
+            "format": "date-time"
+          },
           "createdAt": {
             "type": "string",
             "format": "date-time"
@@ -1163,6 +1168,7 @@
           "name",
           "email",
           "role",
+          "suspendedAt",
           "createdAt",
           "lastActivityAt"
         ]

docs/docs.json

@@ -113,6 +113,7 @@
                                 "root": "docs/configuration/auth/authentication",
                                 "pages": [
                                     "docs/configuration/auth/providers",
+                                    "docs/configuration/auth/scim",
                                     "docs/configuration/auth/access-settings",
                                     "docs/configuration/auth/roles-and-permissions",
                                     "docs/configuration/auth/faq"

docs/docs/configuration/auth/authentication.mdx

@@ -13,6 +13,9 @@ Sourcebot's built-in authentication system gates your deployment, and allows adm
     <Card horizontal title="Access settings" icon="user" href="/docs/configuration/auth/access-settings">
         Learn how to configure how members join your deployment.
     </Card>
+    <Card horizontal title="SCIM provisioning" icon="users" href="/docs/configuration/auth/scim">
+        Provision and deprovision organization members from your identity provider.
+    </Card>
     <Card horizontal title="Roles and permissions" icon="shield" href="/docs/configuration/auth/roles-and-permissions">
         Learn more about the different roles and permissions in Sourcebot.
     </Card>
@@ -33,4 +36,4 @@ A session is guaranteed to remain valid for at least its configured lifetime. Th
 # Troubleshooting
 
 - If you experience issues logging in, logging out, or accessing an organization you should have access to, try clearing your cookies & performing a full page refresh (`Cmd/Ctrl + Shift + R` on most browsers).
-- Still not working? Reach out to us on our [discord](https://discord.gg/HDScTs3ptP) or [GitHub](https://github.com/sourcebot-dev/sourcebot/issues/new/choose)
+- Still not working? Reach out to us on our [discord](https://discord.gg/HDScTs3ptP) or [GitHub](https://github.com/sourcebot-dev/sourcebot/issues/new/choose)

docs/docs/configuration/auth/scim.mdx

@@ -0,0 +1,111 @@
+---
+title: SCIM
+sidebarTitle: SCIM
+---
+
+import LicenseKeyRequired from '/snippets/license-key-required.mdx'
+
+SCIM, or _System for Cross-domain Identity Management_ allows for the automation of user provisioning for your Sourcebot organization.
+
+<Frame>
+  <img src="/images/scim_provisioning_settings.png" alt="SCIM provisioning settings in Sourcebot showing the enable toggle, connector base URL, and SCIM token list" />
+</Frame>
+
+<LicenseKeyRequired feature="SCIM provisioning" />
+
+## Overview
+
+SCIM provisioning lets your identity provider manage Sourcebot organization membership automatically. When enabled, your identity provider becomes the source of truth for who should have access to your Sourcebot organization.
+
+Sourcebot supports SCIM 2.0 user provisioning for identity providers such as Okta and Microsoft Entra ID.
+
+## Configure
+
+1. Navigate to **Settings -> Security**.
+2. Under the "SCIM provisioning" section, toggle the option to enable SCIM.
+3. You can now get your **SCIM connector base URL** and generate a **SCIM Bearer auth token**. These values will be needed to configure SCIM in your identity provider.
+
+<Note>
+When SCIM provisioning is enabled, Admins will **not** be able to manage users from within Sourcebot as they will be kept up to date through your identity provider. Role assignments can still be managed within Sourcebot.
+</Note>
+
+### IdP-specific configuration notes
+
+<Tabs>
+    <Tab title="Okta">
+        <Note>
+        Okta does not support SCIM in an OIDC app integration. To work around this, two apps need to be created:
+        1. An OIDC app used for SSO.
+        2. A SAML provisioning-only app. The SSO portion of the app should not need to be functional.
+
+        [Learn more](https://support.okta.com/help/s/article/configure-scim-for-a-custom-oidc-app).
+        </Note>
+
+        - Follow [these instructions](/docs/configuration/idp#okta) to setup a Okta OIDC app and configure it as a SSO provider in Sourcebot.
+        - In Okta admin pages, create a SAML 2.0 application. This app will be used for provisioning-only and will not be used for SSO. The sign-on URL and audience URI can be set to the base URL of your deployment.
+        - In the General tab, click Edit and choose SCIM in the Provisioning section and Save.
+        - In the Provisioning tab, enter the SCIM Base connector URL from Sourcebot.
+        - For the Unique identifier field for users section enter **userName**
+        - For Supported provisioning actions, enable "Push New Users" and "Push Profile Updates"
+        - For Authentication mode field, choose HTTP Header and enter your SCIM token generated in Sourcebot. You can now test the configuration and save
+        - Lastly, return to the Provisioning tab in Okta and edit your settings under “To App” to enable the SCIM functionality needed for your Sourcebot application (Create, Update and Deactivate users)
+
+        <Frame>
+          <img src="/images/okta_scim_to_app_provisioning.png" alt="Okta provisioning To App settings showing Create Users, Update User Attributes, and Deactivate Users enabled" />
+        </Frame>
+    </Tab>
+</Tabs>
+
+## User lifecycle
+
+Sourcebot represents organization users with three membership states:
+
+| Sourcebot state | Access | Billing |
+| --- | --- | --- |
+| Pending | Can access the organization after signing in | Not billed |
+| Active | Can access the organization | Billed |
+| Suspended | Cannot access the organization | Not billed |
+
+When a user is provisioned through SCIM, Sourcebot creates or restores their organization membership. New SCIM-provisioned users appear as **Pending** until they sign in and access the organization for the first time.
+
+When a pending user signs in, Sourcebot moves them to **Active** and they count toward billing. On deployments with a hard seat cap, the user can only become active if a seat is available.
+
+When your identity provider deactivates a user by sending `active: false`, Sourcebot marks the user as **Suspended**. Suspended users cannot access the organization, and Sourcebot revokes their active sessions, API keys, and OAuth tokens.
+
+If your identity provider reactivates the user by sending `active: true`, Sourcebot restores their membership. Users who had already become active return to active access; users who had never signed in return to pending.
+
+
+## Roles
+
+SCIM does not assign Sourcebot [roles](/docs/configuration/auth/roles-and-permissions). Users created through SCIM are added with the **Member** role.
+
+Owners can promote active members to owner, or demote owners to member, from **Settings -> Members**. Sourcebot prevents changes that would leave the organization without an active owner.
+
+## Supported attributes
+
+Sourcebot stores this subset of SCIM user attributes:
+
+| SCIM attribute | Sourcebot behavior |
+| --- | --- |
+| `userName` | User email address |
+| `emails` | User email address; the primary email is preferred |
+| `name.formatted` | Display name |
+| `displayName` | Display name fallback |
+| `active` | Unsuspended or suspended membership state |
+| `externalId` | Stored IdP external identifier |
+
+Additional attributes may be sent by your identity provider, but Sourcebot ignores attributes it does not use.
+
+## FAQ
+
+<AccordionGroup>
+    <Accordion title="What identity providers do you support?">
+        SCIM provisioning should work with most identity providers that support SCIM user provisioning, but it has only been tested with Okta.
+    </Accordion>
+    <Accordion title="What version of SCIM do you support?">
+        Sourcebot supports SCIM 2.0.
+    </Accordion>
+    <Accordion title="When do SCIM-created users become billable seats?">
+        SCIM-created users become billable seats after they sign in and access the organization for the first time. Until then, they appear as pending and do not count toward billing. Suspended users also do not count toward billing.
+    </Accordion>
+</AccordionGroup>

packages/db/prisma/migrations/20260619214548_add_scim_users_support/migration.sql

@@ -0,0 +1,29 @@
+-- AlterTable
+ALTER TABLE "Org" ADD COLUMN     "isScimEnabled" BOOLEAN NOT NULL DEFAULT false;
+
+-- AlterTable
+ALTER TABLE "UserToOrg" ADD COLUMN     "suspendedAt" TIMESTAMP(3),
+ADD COLUMN     "scimExternalId" TEXT;
+
+-- CreateTable
+CREATE TABLE "ScimToken" (
+    "name" TEXT NOT NULL,
+    "hash" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastUsedAt" TIMESTAMP(3),
+    "orgId" INTEGER NOT NULL,
+
+    CONSTRAINT "ScimToken_pkey" PRIMARY KEY ("hash")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ScimToken_hash_key" ON "ScimToken"("hash");
+
+-- CreateIndex
+CREATE INDEX "ScimToken_orgId_idx" ON "ScimToken"("orgId");
+
+-- CreateIndex
+CREATE INDEX "UserToOrg_orgId_scimExternalId_idx" ON "UserToOrg"("orgId", "scimExternalId");
+
+-- AddForeignKey
+ALTER TABLE "ScimToken" ADD CONSTRAINT "ScimToken_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/migrations/20260624194710_add_lastactiveat_to_usertoorg/migration.sql

@@ -0,0 +1,15 @@
+-- AlterTable
+ALTER TABLE "UserToOrg" ADD COLUMN     "lastActiveAt" TIMESTAMP(3);
+
+-- Backfill per-membership activity from the global User.lastActiveAt. In a
+-- single-tenant deployment a user belongs to exactly one org, so the global
+-- timestamp is exactly the per-org timestamp. In multi-tenant deployments this
+-- seeds every membership with the user's global last-active time as the best
+-- available signal; the per-org value diverges naturally from the next
+-- authenticated action onward. Without this, every existing membership would
+-- read as "never active" (NULL) until each member's next request.
+UPDATE "UserToOrg" AS uto
+SET "lastActiveAt" = u."lastActiveAt"
+FROM "User" AS u
+WHERE uto."userId" = u."id"
+  AND u."lastActiveAt" IS NOT NULL;

packages/db/prisma/schema.prisma

@@ -272,9 +272,12 @@ model Org {
   connections Connection[]
   repos       Repo[]
   apiKeys     ApiKey[]
+  scimTokens  ScimToken[]
   isOnboarded Boolean      @default(false)
   imageUrl    String?
 
+  isScimEnabled Boolean    @default(false)
+
   /// @deprecated This property can be controlled by the environment
   /// variable `REQUIRE_APPROVAL_NEW_MEMBERS`. To ensure that we use
   /// the correct setting, use the helper function `isMemberApprovalRequired`
@@ -397,7 +400,23 @@ model UserToOrg {
 
   role OrgRole @default(MEMBER)
 
+  /// When set, the membership is suspended and the user is treated as a
+  /// non-member for auth purposes (see `getAuthContext`).
+  suspendedAt DateTime?
+
+  /// The IdP-supplied `externalId` for this membership when provisioned via
+  /// SCIM. Null for members that joined through invites or self-serve sign-up.
+  scimExternalId String?
+
+  /// Last time the user performed an authenticated action *in this org*. Unlike
+  /// `User.lastActiveAt` (which is global to the instance), this is scoped to
+  /// the membership, so it distinguishes a member who has been active in this
+  /// org from one who was provisioned but never signed in here. Null means the
+  /// member has never been active in this org.
+  lastActiveAt DateTime?
+
   @@id([orgId, userId])
+  @@index([orgId, scimExternalId])
 }
 
 model ApiKey {
@@ -414,6 +433,23 @@ model ApiKey {
   createdById String
 }
 
+/// Org-scoped bearer token presented by an IdP (Okta, Entra) to authenticate
+/// against the SCIM provisioning endpoints. Unlike `ApiKey`, a SCIM token is
+/// not tied to a user — it acts on behalf of the SCIM integration for the
+/// whole org. Only the HMAC hash of the secret is stored.
+model ScimToken {
+  name String
+  hash String @id @unique
+
+  createdAt  DateTime  @default(now())
+  lastUsedAt DateTime?
+
+  org   Org @relation(fields: [orgId], references: [id], onDelete: Cascade)
+  orgId Int
+
+  @@index([orgId])
+}
+
 model Audit {
   id        String   @id @default(cuid())
   timestamp DateTime @default(now())

packages/shared/src/constants.ts

@@ -11,6 +11,7 @@ export const LEGACY_API_KEY_PREFIX = 'sourcebot-';
 export const API_KEY_PREFIX = 'sbk_';
 export const OAUTH_ACCESS_TOKEN_PREFIX = 'sboa_';
 export const OAUTH_REFRESH_TOKEN_PREFIX = 'sbor_';
+export const SCIM_TOKEN_PREFIX = 'sbscim_';
 
 /**
  * Default settings.

packages/shared/src/crypto.ts

@@ -4,7 +4,7 @@ import { z } from 'zod';
 import { env } from './env.server.js';
 import { Token } from '@sourcebot/schemas/v3/shared.type';
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
-import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX } from './constants.js';
+import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX, SCIM_TOKEN_PREFIX } from './constants.js';
 
 const algorithm = 'aes-256-cbc';
 const ivLength = 16; // 16 bytes for CBC
@@ -56,6 +56,16 @@ export function generateApiKey(): { key: string; hash: string } {
     };
 }
 
+export function generateScimToken(): { token: string; hash: string } {
+    const secret = crypto.randomBytes(32).toString('hex');
+    const hash = hashSecret(secret);
+
+    return {
+        token: `${SCIM_TOKEN_PREFIX}${secret}`,
+        hash,
+    };
+}
+
 export function generateOAuthToken(): { token: string; hash: string } {
     const secret = crypto.randomBytes(32).toString('hex');
     const hash = hashSecret(secret);

packages/shared/src/entitlements.ts

@@ -42,7 +42,8 @@ const ALL_ENTITLEMENTS = [
     "org-management",
     "oauth",
     "ask",
-    "mcp"
+    "mcp",
+    "scim"
 ] as const;
 export type Entitlement = (typeof ALL_ENTITLEMENTS)[number];
 

packages/shared/src/index.server.ts

@@ -58,6 +58,7 @@ export {
     decrypt,
     hashSecret,
     generateApiKey,
+    generateScimToken,
     generateOAuthToken,
     generateOAuthRefreshToken,
     verifySignature,

packages/web/next.config.mjs

@@ -59,6 +59,13 @@ const nextConfig = {
             {
                 source: "/api/mcp",
                 destination: "/api/ee/mcp",
+            },
+            // The SCIM 2.0 server lives under /api/ee/scim/v2 (EE-licensed route
+            // tree) but is exposed at the clean /scim/v2 path that IdPs (Okta,
+            // Entra) are configured to send provisioning requests to.
+            {
+                source: "/scim/v2/:path*",
+                destination: "/api/ee/scim/v2/:path*",
             }
         ];
     },

packages/web/src/__mocks__/prisma.ts

@@ -17,7 +17,7 @@ export const MOCK_ORG: Org = {
     updatedAt: new Date(),
     isOnboarded: true,
     imageUrl: null,
-    metadata: null,
+    isScimEnabled: false,
     memberApprovalRequired: false,
     isCredentialsLoginEnabled: true,
     isEmailCodeLoginEnabled: false,