diff --git a/contents/docs/settings/activity-logs.mdx b/contents/docs/settings/activity-logs.mdx index a30b9bacf999..91227e102f73 100644 --- a/contents/docs/settings/activity-logs.mdx +++ b/contents/docs/settings/activity-logs.mdx @@ -46,6 +46,12 @@ These events track changes to organization-wide settings and membership. | Domain verified | An authentication domain was verified | | Organization settings changed | Organization name, logo, or other settings were updated | | 2FA enforcement changed | Two-factor authentication requirements were modified | +| SCIM user provisioned | A user was created or added via SCIM | +| SCIM user updated | A user was modified via SCIM | +| SCIM user deprovisioned | A user was removed or deactivated via SCIM | +| SCIM group provisioned | A role was created via SCIM | +| SCIM group updated | A role was modified via SCIM | +| SCIM group deprovisioned | A role was removed via SCIM | | *+ many more* | | ### Project-level events diff --git a/contents/docs/settings/sso.mdx b/contents/docs/settings/sso.mdx index 2063afda7079..bea20788106c 100644 --- a/contents/docs/settings/sso.mdx +++ b/contents/docs/settings/sso.mdx 
@@ -347,6 +347,16 @@ Before setting up SCIM, you need: 2. SAML SSO configured and working for your domain 3. Identity Provider that supports SCIM 2.0 (e.g., Okta, Entra ID, OneLogin) +### Domain requirements + +SCIM can only provision users whose email domain matches your organization's verified authentication domain. For example, if your verified domain is `example.com`, SCIM can only create or manage users with `@example.com` email addresses. Attempts to provision users with mismatched email domains are rejected. + + + +This validation prevents cross-tenant user adoption. Your Identity Provider can only provision users for domains your organization has verified in PostHog. + + + ### Setting up SCIM 1. In PostHog, navigate to Organization settings and go to [Authentication domains](https://app.posthog.com/settings/organization-authentication).
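Review bot: In the activity-logs.mdx hunk, the three "SCIM group" rows describe the object as "A role" without stating that a SCIM group maps to a PostHog role, so someone auditing the log against their Identity Provider's push history has to infer the mapping. Suggest naming both terms in the description, for example "A role (SCIM group) was created via SCIM". The "SCIM user deprovisioned" row also folds two outcomes into one ("removed or deactivated"); for offboarding audits it would help to say which one applies in which case, or whether the logged event records the difference.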
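Review bot: In the sso.mdx hunk, the new "Domain requirements" section is inconsistent about scope: the first paragraph refers to "your organization's verified authentication domain" (singular) while the second says "domains your organization has verified" (plural). Please state whether the email must match the specific domain SCIM is configured on or any verified domain in the organization, since that is the boundary this check enforces. The sentence "Attempts to provision users with mismatched email domains are rejected" should also say how the rejection surfaces (what the Identity Provider receives, and whether the attempt appears in the activity log), and whether the same check applies when an existing user's email is updated via SCIM. Lastly, the second paragraph sits between runs of empty added lines; if it was meant to be wrapped in a callout, confirm the wrapper is present in the file, otherwise collapse the extra blank lines.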