What kind of change does this PR introduce?

Feature - adds SCIM v2 provisioning support for enterprise SSO providers

This is a complete, general implementation inspired by the needs of this PR #2115

What is the current behavior?

Currently there's no way for identity providers (Okta, Azure AD, OneLogin, etc.) to automatically provision and deprovision users. Admins have to manually manage user accounts when employees join or leave, which is error-prone and doesn't scale for enterprise customers.

What is the new behavior?

Adds full SCIM v2 (RFC 7644) support, allowing identity providers to:

• User provisioning: Automatically create users when added to the IdP
• User updates: Sync profile changes (name, email) from IdP
• User deprovisioning: Soft-delete users via ban when removed from IdP (preserves data, terminates sessions)
• Group management: Create/update/delete groups and manage group membership

Endpoints added:

• GET/POST /scim/v2/Users - list and create users
• GET/PUT/PATCH/DELETE /scim/v2/Users/{id} - manage individual users
• GET/POST /scim/v2/Groups - list and create groups
• GET/PUT/PATCH/DELETE /scim/v2/Groups/{id} - manage individual groups
• Discovery endpoints: /scim/v2/ServiceProviderConfig, /scim/v2/Schemas, /scim/v2/ResourceTypes

Authentication: Bearer token per SSO provider (stored as SHA-256 hash). Tokens are 160 bits generated from crypto/rand with a scim_ prefix.

Filtering: Full RFC 7644 filter support using the scim2/filter-parser library - supports eq, ne, co, sw, ew, pr, gt, ge, lt, le operators with and/or/not logic.

IdP compatibility: Tested with Azure AD quirks (booleans as strings, case-insensitive displayName uniqueness).

SCIM routes skip isValidExternalHost middleware

SCIM routes intentionally do not go through the isValidExternalHost middleware. This is by design because:

• SCIM is a server-to-server API (IdP → Auth), not a user-facing browser redirect flow
• SCIM does not generate email redirect URLs, which is the purpose of isValidExternalHost (validating redirect destinations)
• SCIM uses its own bearer token authentication scoped to a specific SSO provider, which is separate from the JWT-based auth used by other endpoints

Additional context

I tried my best to make the implementation fit within the current tenant/user model instead of new tables for everything, adding schema changes only when necessary.

Some compliance work might be needed for other nuances with other SCIM providers (I've tested Microsoft Azure).

Deviations from RFC 7643

Some deviations from the RFC for SCIM v2 were done that relates to Supabase Auth:

• Email is REQUIRED, as required by our auth model.
• Deprovisioning uses soft-delete via Ban with reason (the RFC leaves this implementation to the implementer).
• Bulk operations not supported, yet in the initial implementation.

New dependencies

• github.com/scim2/filter-parser/v2 - RFC 7644 SCIM filter parsing

Schema Changes

• sso_providers gets 2 new columns: scim_enabled (boolean), scim_bearer_token_hash (text)
• scim_groups - stores SCIM groups per SSO provider
• scim_group_members - junction table for group membership
• Bulk operations not supported in initial release

Testing

All tests were based on the assumptions that the Azure Validation Tool expects, currently all passing.