From 11ac85a82c467a7b4e6bbca0af8cae726deb7e64 Mon Sep 17 00:00:00 2001 From: "inkeep[bot]" <257615677+inkeep[bot]@users.noreply.github.com> Date: Thu, 26 Feb 2026 05:54:09 +0000 Subject: [PATCH 1/2] docs: add SCIM domain validation requirements to SSO docs Documents the email domain matching requirement for SCIM provisioning added in PostHog/posthog#49160. SCIM now validates that provisioned users' email domains match the organization's verified authentication domain to prevent cross-tenant user adoption. --- contents/docs/settings/sso.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/contents/docs/settings/sso.mdx b/contents/docs/settings/sso.mdx index 2063afda7079..bea20788106c 100644 --- a/contents/docs/settings/sso.mdx +++ b/contents/docs/settings/sso.mdx @@ -347,6 +347,16 @@ Before setting up SCIM, you need: 2. SAML SSO configured and working for your domain 3. Identity Provider that supports SCIM 2.0 (e.g., Okta, Entra ID, OneLogin) +### Domain requirements + +SCIM can only provision users whose email domain matches your organization's verified authentication domain. For example, if your verified domain is `example.com`, SCIM can only create or manage users with `@example.com` email addresses. Attempts to provision users with mismatched email domains are rejected. + + + +This validation prevents cross-tenant user adoption. Your Identity Provider can only provision users for domains your organization has verified in PostHog. + + + ### Setting up SCIM 1. In PostHog, navigate to Organization settings and go to [Authentication domains](https://app.posthog.com/settings/organization-authentication). From abfe7f583c960ed5faec71459ff63b03ae268cf7 Mon Sep 17 00:00:00 2001 
From: "inkeep[bot]" <257615677+inkeep[bot]@users.noreply.github.com> Date: Thu, 26 Feb 2026 05:55:32 +0000 Subject: [PATCH 2/2] Add SCIM activity log events to organization-level events table Based on PR PostHog/posthog#49160 which adds comprehensive activity logging for SCIM operations including user and group provisioning, updating, and deprovisioning. --- contents/docs/settings/activity-logs.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/contents/docs/settings/activity-logs.mdx b/contents/docs/settings/activity-logs.mdx index a30b9bacf999..91227e102f73 100644 --- a/contents/docs/settings/activity-logs.mdx +++ b/contents/docs/settings/activity-logs.mdx @@ -46,6 +46,12 @@ These events track changes to organization-wide settings and membership. | Domain verified | An authentication domain was verified | | Organization settings changed | Organization name, logo, or other settings were updated | | 2FA enforcement changed | Two-factor authentication requirements were modified | +| SCIM user provisioned | A user was created or added via SCIM | +| SCIM user updated | A user was modified via SCIM | +| SCIM user deprovisioned | A user was removed or deactivated via SCIM | +| SCIM group provisioned | A role was created via SCIM | +| SCIM group updated | A role was modified via SCIM | +| SCIM group deprovisioned | A role was removed via SCIM | | *+ many more* | | ### Project-level events
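Review bot: In the added "Domain requirements" section of contents/docs/settings/sso.mdx, the first sentence refers to "your organization's verified authentication domain" (singular) while the last added sentence refers to "domains your organization has verified" (plural). State explicitly what happens for an organization with more than one verified domain, and whether the match is exact (for example, whether a user at a subdomain of `example.com` is accepted when only `example.com` is verified). "Attempts to provision users with mismatched email domains are rejected" would also help admins more if it said what the Identity Provider sees on rejection, so a failed provisioning run can be diagnosed from the IdP side. Since the section sits directly under the numbered prerequisites, consider also adding the domain match as an item in that list.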
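Review bot: In the rows added to the organization-level events table in contents/docs/settings/activity-logs.mdx, the three "SCIM group ..." events are described in terms of a role ("A role was created via SCIM") without saying that a SCIM group maps to a role, so a reader searching the log for group changes may not connect the two; add a short parenthetical or a link to the SCIM section of the SSO docs. The "SCIM user provisioned" and "SCIM user deprovisioned" rows each cover two outcomes ("created or added", "removed or deactivated"); say whether the log entry distinguishes them. The table also lists no event for a provisioning attempt rejected by the domain check described in sso.mdx; if such attempts are logged, add the row, and if they are not, say so, since that is the event an admin reviewing the log for misconfigured or unexpected provisioning would look for.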