docs: Update SSO and SCIM documentation with Entra ID setup details and misconfiguration guidance

[niklub]

Reason for change

The existing SSO (auth_setup.md) and SCIM (scim_setup.md) documentation was missing critical configuration details for Microsoft Entra ID, and lacked guidance on common misconfiguration pitfalls. Users setting up Entra ID SAML SSO or SCIM provisioning with Label Studio Enterprise had to piece together information from multiple sources, leading to avoidable setup errors.

Changes

docs/source/guide/auth_setup.md

• Entra ID SAML walkthrough: Added a dedicated "Set up SAML SSO with Microsoft Entra ID" section with step-by-step instructions (Enterprise App creation, Basic SAML Configuration, attribute mapping, metadata upload, user assignment and testing).
• SP URL formats: Added URL format examples (https://<your-host>/saml/<token>/acs, etc.) to the SP URL descriptions.
• SLO note: Added a callout that Label Studio does not implement SAML Single Logout to the IdP.
• Group names vs. Object IDs warning: Added a prominent warning about configuring Entra ID to send group names instead of Object IDs—a common misconfiguration.
• SAML Settings API reference: Added API endpoint table (GET/POST/DELETE /api/saml/settings, validate-metadata-url) with a curl example for programmatic configuration.
• JIT provisioning: Added section explaining Just-In-Time account creation behavior and NameID format.
• SAML user lifecycle table: Documents what happens at each stage (first login, subsequent logins, group removal, app unassignment).
• SAML + SCIM interaction: Documents precedence rules, the destructive effect of DELETE /api/saml/settings on SCIM assignments, shared manual_role_management, and potential role override conflicts.
• Manual management flags table: Added detailed table explaining MANUAL_ROLE_MANAGEMENT, MANUAL_WORKSPACE_MANAGEMENT, MANUAL_PROJECT_MEMBER_MANAGEMENT with per-org override note.
• Troubleshooting section: Covers SSO redirect errors, wrong role assignment, attribute extraction failures, email case normalization, and group name case sensitivity.
• Advanced SAML configuration: Added pysaml2 environment variable reference table.

docs/source/guide/scim_setup.md

• Expanded Entra ID section: Replaced the abbreviated Entra ID section with a full 6-step walkthrough including enterprise app creation/reuse, automatic provisioning mode, admin credentials, and start provisioning.
• Detailed attribute mappings: Separated into required, recommended, optional (no effect), and mappings-to-remove categories with Entra ID–specific attribute names and notes about userName/UPN email derivation.
• HTTP 501 warning: Prominent callout that unsupported attribute mappings cause provisioning errors, with a complete list of common mappings to remove.
• Group provisioning: Added required group mappings (displayName, members) and instructions for assigning groups to the Enterprise Application.
• Group mapping API example: Added curl example for configuring roles_groups, workspaces_groups, and projects_groups via /api/scim/settings.
• Group mapping reference: Added shared reference section documenting all three mapping types (roles, workspaces, projects) with formats, available roles, elevation behavior, and removal behavior.
• SCIM user lifecycle table: Documents provisioning, cross-org scenarios, group addition/removal, deactivation, reactivation, and deletion.
• SAML + SCIM interaction: Mirrors the auth_setup.md section for discoverability from either doc.
• Troubleshooting section: Covers connection failures, wrong roles, missing workspace/project assignments, unsupported attribute errors, email case normalization, and group name case sensitivity.
• Prerequisites update: Updated to note that both legacy tokens and PATs are supported.

Testing

Documentation-only change. Verified:

• All markdown renders correctly (tables, admonitions, code blocks, links)
• Cross-references between auth_setup.md and scim_setup.md are consistent and bidirectional
• Existing Okta content preserved unchanged
• Front matter (YAML metadata) unchanged
• No broken internal links introduced

Risks

Low risk—documentation-only change. No code modifications.

Reviewer notes

The source material for the Entra ID additions was a comprehensive internal reference document covering both SAML SSO and SCIM provisioning with Microsoft Entra ID. The information has been integrated into the existing doc structure while preserving all existing Okta-specific content.

  

[netlify]

✅ Deploy Preview for label-studio-docs-new-theme ready!

Name	Link
🔨 Latest commit	3364690
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-docs-new-theme/deploys/69dfd9adf6a65f0008fa0978
😎 Deploy Preview	https://deploy-preview-9693--label-studio-docs-new-theme.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for label-studio-storybook canceled.

Name	Link
🔨 Latest commit	3364690
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-storybook/deploys/69dfd9ad9f235100085cd7fa

[netlify]

✅ Deploy Preview for label-studio-playground canceled.

Name	Link
🔨 Latest commit	3364690
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-playground/deploys/69dfd9adb4ec300008b0f4a2

[netlify]

✅ Deploy Preview for heartex-docs ready!

Name	Link
🔨 Latest commit	3364690
🔍 Latest deploy log	https://app.netlify.com/projects/heartex-docs/deploys/69dfd9adac504600089c8590
😎 Deploy Preview	https://deploy-preview-9693--heartex-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.