feat(scim-for-entra): BEE-866 / Add documentation for SCIM with Microsoft Entra ID #722

Draft: kostas-localstack wants to merge 9 commits into main from BEE-866

kostas-localstack (Contributor) commented Jun 23, 2026

Context & Motivation

LocalStack now supports SCIM provisioning with Microsoft Entra ID in addition to Okta. The existing SCIM documentation was a single page written around Okta only. This PR restructures the SCIM docs into a per-IdP layout and adds full Entra ID coverage, so customers integrating either provider get parity instructions.

Related items

Implementation Description

Restructure: one page → a SCIM section with per-IdP pages

The monolithic sso/scim.mdx is split into a directory:

sso/scim/
├── index.md   — "SCIM" overview: what it is, enabling it, base setup,
│                 web-app roles/permissions, limitations, API reference
├── okta.mdx   — "SCIM with Okta"
└── entra.md   — "SCIM with Entra ID"
  • The overview page holds everything IdP-agnostic (prerequisites, enabling SCIM, obtaining the Base Connector URL + Bearer token, the API reference, and global limitations) and links out to the two IdP pages.
  • Each IdP page owns its provider-specific setup and operational guidance.

New: SCIM with Microsoft Entra ID

Full Entra ID walkthrough with screenshots, structured to mirror the Okta page:

  • Configuring SCIM — Enterprise Application setup, Bearer auth + Tenant URL, scope, start provisioning. Includes a caution to not enable the aadOptscim062020 feature flag (causes destructive single-user member replacements).
  • User Management — provisioning individual users, updating, deprovisioning (incl. accountEnabled = false), provisioning/deprovisioning groups of users, and migrating an existing Enterprise Application.
  • Role Management — role-group naming convention (case-insensitive admin/member substring match), creating a role group, moving a user between roles (with the 409 mutual-exclusion sequencing caution), and last-admin protection.
  • A note clarifying that license assignment via SCIM is not supported with Entra ID (Okta only), with a pointer to manage licenses in the web app.

Okta page parity + cleanup

  • Restructured to the same User Management / Role Management / License Management hierarchy as Entra.
  • Group sections flattened (Provisioning Groups of Users, Deprovisioning Groups of Users as peers; dropped the redundant "Assigning a Group" sub-subheader).
  • "Moving a User Between Roles" rewritten to use Okta's Push Groups mechanism for committing the removal before the add, avoiding the transient 409.
  • Renamed the SAML-migration screenshots from SCIM-SAML-provisioning-*.png to descriptive SCIM_okta_*.png names, matching the SCIM_entra_*.png convention.

Last-admin protection documented in both contexts

Last-admin protection fires in two distinct operations, and both are now documented on both IdP pages:

  • User Management → Deprovisioning Users — deactivating/removing the only admin (active=false) is rejected with 409 Cannot remove the last workspace admin.
  • Role Management → Last-Admin Protection — removing the only admin from the admin role group is rejected with the same 409.

Both call-outs include the remediation (assign another admin in LocalStack first, then retry).

Consistency pass

Both IdP pages now have identical heading structure section-for-section. Remaining differences are intentional and reflect genuine IdP behavior (Okta "push" / Push Groups vs Entra "sync" / sync cycle; Entra-only scope/start-provisioning steps; the aadOptscim062020 caution).

Assets + styling

  • Added Entra ID screenshots (SCIM_entra_*.png) and the role-group screenshots.
  • Converted shared SCIM images from .jpg to .png (SCIM-configuration, SCIM-permissions).
  • astro.config.mjs: sidebar entry for the new SCIM subsection (Overview → SCIM with Okta → SCIM with Entra ID).
  • custom.css / global.css: minor sidebar/heading sizing tweaks for the nested SCIM group.

How Has This Been Tested?

  • Built locally with the Astro dev server; verified all three pages render and the sidebar nests correctly under Single Sign-On → SCIM.
  • Confirmed all image references resolve (no broken SCIM-SAML-provisioning-* references remain after the rename).
  • Verified internal cross-links resolve (Entra → Okta #license-management, Entra "Migrating" → #configuring-scim-with-microsoft-entra-id).
  • Manual structural diff between okta.mdx and entra.md to confirm heading parity.

Follow up PRs, future Todos

  • Entra ID license assignment is not yet supported; once validated, add a License Management section to the Entra page to fully close parity.
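The two 409 cases named in the description above (role mutual exclusion and last-admin protection), as an added example that is not part of this PR or of LocalStack's code. It is a toy in-memory model; the group names, the `Workspace` class and the mutual-exclusion message text are constructed assumptions.

```python
# Toy in-memory model of the role rules the PR text describes.
# Constructed for illustration; not LocalStack's implementation.

class Conflict(Exception):
    """Stands in for an HTTP 409 response."""

def role_of(group_name):
    # Role groups match "admin"/"member" as a case-insensitive substring.
    # Checking "admin" first for a name containing both is an assumption.
    name = group_name.lower()
    return "admin" if "admin" in name else "member" if "member" in name else None

class Workspace:
    def __init__(self, roles):
        self.roles = dict(roles)  # user -> "admin" | "member"

    def add(self, user, group):
        role = role_of(group)
        if role is None:
            return  # ordinary group: no role change
        held = self.roles.get(user)
        if held is not None and held != role:
            # Mutual exclusion; this message text is constructed.
            raise Conflict("user already holds the other role")
        self.roles[user] = role

    def remove(self, user, group):
        role = role_of(group)
        if role is None or self.roles.get(user) != role:
            return
        admins = [u for u, r in self.roles.items() if r == "admin"]
        if role == "admin" and admins == [user]:
            raise Conflict("Cannot remove the last workspace admin")
        del self.roles[user]

def replay(ws, ops):
    """Apply (verb, user, group) operations; return one status per operation."""
    statuses = []
    for verb, user, group in ops:
        try:
            getattr(ws, verb)(user, group)
            statuses.append("ok")
        except Conflict as exc:
            statuses.append(f"409 {exc}")
    return statuses

def move_bob(order):
    ws = Workspace({"alice": "admin", "bob": "admin"})
    ops = {"remove_first": [("remove", "bob", "LS-Admins"), ("add", "bob", "ls-members")],
           "add_first": [("add", "bob", "ls-members"), ("remove", "bob", "LS-Admins")]}
    return replay(ws, ops[order]), ws.roles.get("bob")
```

In this model the add-first ordering fails on the add and then strips the admin role, leaving the user with no role until the add is retried, which is why the removal is committed first.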

cloudflare-workers-and-pages Bot commented Jun 26, 2026

Deploying localstack-docs with Cloudflare Pages

Latest commit: 8170972
Status: ✅  Deploy successful!
Preview URL: https://2f8db969.localstack-docs.pages.dev
Branch Preview URL: https://bee-866.localstack-docs.pages.dev
