docs: expand Okta SCIM setup with custom attribute/claim mapping steps, profile editor screenshots, and clarified token claim guidance

[BearTS]

Summary

Expands the Okta setup guide to cover SCIM attribute-based mappings for roles, teams, and business units, and clarifies when each authorization server type and sync mechanism applies.

Changes

• Renamed Step 4 from "Add Role Claim to Tokens (If you have added custom role attribute)" to "Add Claims to Tokens" and broadened its scope to cover any Okta user profile attribute (department, costCenter, custom fields, etc.), not just bifrostRole
• Added a note to Step 4 clarifying that custom claim expressions are only supported on the Custom Authorization Server, and that the Org Authorization Server should use app-level Group Claims (Step 5) instead
• Added guidance on aligning the SCIM external_name with the OIDC claim name so a single Bifrost mapping rule works for both OIDC login and SCIM push without requiring attributeValue overrides
• Added a note to Step 7 clarifying that the API token is optional when SCIM push is used for real-time sync, and explaining how the two mechanisms complement each other
• Added a new subsection under Step 9 — "Map custom attributes to SCIM (for SCIM attribute-based mappings)" — with step-by-step instructions for declaring a custom attribute on the SCIM app schema in Profile Editor and mapping an Okta user profile value to it
• Added three new screenshots: the Profile Editor page, the Add Attribute dialog, and the attribute mapping view

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Review the rendered documentation for the Okta setup guide and verify:

1. Step 4 correctly describes adding claims for any profile attribute, with the Custom vs. Org Authorization Server note visible
2. Step 7 includes the note about the API token being optional when SCIM push is configured
3. The new "Map custom attributes to SCIM" subsection in Step 9 renders with all three screenshots and the note about aligning external_name with the OIDC claim name

Breaking changes

• Yes
• No

Related issues

Security considerations

None. This is a documentation-only change covering Okta SSO and SCIM configuration guidance.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

Summary by CodeRabbit

• Documentation
  • Renamed Step 4 to "Add Claims to Tokens" and expanded guidance to map token claims from any Okta user attribute (including attribute vs expression usage)
  • Clarified custom claim expressions apply only to Custom Authorization Servers; recommend app-level group claims for Org servers
  • Explained aligning OIDC claim names with SCIM external names and requiring SCIM attributeValue for lookups
  • Documented declaring and mapping custom Okta profile attributes into SCIM and noted SCIM push can omit an API token
  • Removed the Per-User OAuth version gate note from the docs

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Generalizes Okta Step 4 into "Add Claims to Tokens" (Custom vs Org server guidance), explains exposing profile attributes as token claims, notes SCIM push can omit the Okta API token, adds SCIM custom-attribute mapping instructions, and removes a Per-User OAuth version note.

Changes

Okta Integration Documentation

Layer / File(s)	Summary
Token claims configuration for Custom Authorization Servers docs/enterprise/setting-up-okta.mdx	Step 4 shifts from a role-claim-only procedure to a general "Add Claims to Tokens" flow, explicitly noting Custom Authorization Servers support custom claim expressions while Org Authorization Servers should use app-level group claims. Shows how to expose arbitrary Okta profile attributes as token claims (attribute vs expression) and gives a bifrostRole → token claim example, with guidance to set attributeValue to a SCIM external_name when SCIM mappings are in use.
SCIM attribute mapping and sync guidance docs/enterprise/setting-up-okta.mdx	Step 7 adds an optional note that the Okta API token is unnecessary when relying solely on SCIM push for real-time sync. The SCIM push section distinguishes OIDC vs SCIM matching fields for group mappings and adds a "Map custom attributes to SCIM" procedure: declare custom attributes in the Bifrost SCIM app schema (require SCIM external_name), map Okta user attribute/expression into those SCIM attributes, and require attributeValue to match the SCIM external_name for SCIM lookups.

Per-User OAuth documentation

Layer / File(s)	Summary
Remove Per-User OAuth version info block docs/mcp/auth/per-user-oauth.mdx	Removes the <Info> callout that documented the minimum Bifrost version required to enable Per-User OAuth.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• maximhq/bifrost#3516: Prior edits to the Okta setup guide around Org vs Custom Authorization Server claim configuration and mapping.
• maximhq/bifrost#3974: Related updates adding SCIM attributeType/attributeValue fields and mapping guidance aligned with this PR's SCIM attribute instructions.
• maximhq/bifrost#3860: Overlapping updates to docs/enterprise/setting-up-okta.mdx concerning Okta claims and role mapping.

Suggested reviewers

• akshaydeo
• danpiths

Poem

🐰 I hopped through docs with ink and cheer,
Claims now carry what profiles hold dear.
SCIM and OIDC, aligned and neat,
API tokens optional — sync stays complete.
— a jubilant doc-writing rabbit ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: expanding Okta SCIM setup documentation with custom attribute/claim mapping, profile editor screenshots, and clarified token claim guidance.
Description check	✅ Passed	The description is well-structured, addresses all key sections of the template, clearly explains changes, and provides testing guidance appropriate for a documentation-only PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 06-09-docs_update_for_custom_attributes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BearTS]

• docs: expand Okta SCIM setup with custom attribute/claim mapping steps, profile editor screenshots, and clarified token claim guidance #4214 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
Bifrost	🟡 Building	–	Jun 9, 2026, 1:24 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-okta.mdx`:
- Around line 407-409: The Note is misleading: change it to explain that Bifrost
mapping is keyed by the JWT claim fields (attribute) and matching
value/attributeValue (and attributeType/attributeValue for team/business-unit
mappings), not the SCIM external_name; update the text to instruct readers to
configure the mapping’s attribute, attributeValue (and attributeType when
applicable) to match the OIDC claim name/value so a single Bifrost rule can
apply to both OIDC login and SCIM push, and remove the claim that matching SCIM
external_name alone avoids setting attributeValue.
- Around line 364-391: The "Map custom attributes to SCIM" section currently
instructs adding SCIM attributes but doesn't reflect Bifrost's provisioning
model; update the subsection titled "Map custom attributes to SCIM (for SCIM
attribute-based mappings)" to (1) explicitly state that Bifrost does NOT support
inbound SCIM management APIs from IdPs and that you should not point an IdP SCIM
connector at Bifrost's /scim/v2 endpoint, (2) clarify that adding the SCIM
attribute/URN (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) in
Okta is only necessary if you need the attribute included in outbound SCIM user
payloads from Okta to a supported provisioning endpoint (and show the exact
steps to add the attribute/variable/external name as currently written), and (3)
verify and fix the referenced image resources — ensure
okta-scim-profile-editor-page.png, okta-scim-profile-editor-add-attribute.png,
and okta-scim-profile-editor-mapping.png exist under media/user-provisioning/
and update the filenames/paths in the doc to match exactly if they differ.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3ab85ca7-ed71-48ec-bf1a-60e68f580ed4

📥 Commits

Reviewing files that changed from the base of the PR and between 86f7b9e and c95654c.

⛔ Files ignored due to path filters (3)

• docs/media/user-provisioning/okta-scim-profile-editor-add-attribute.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-mapping.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-page.png is excluded by !**/*.png

📒 Files selected for processing (1)

• docs/enterprise/setting-up-okta.mdx

[greptile-apps]

Confidence Score: 4/5

Safe to merge after correcting one inaccuracy in Steps 4 and 9 that conflicts with the config schema.

Steps 4 and 9 both state that attributeValue is required for each Bifrost mapping when SCIM is enabled, but transports/config.schema.json declares attributeRoleMappings with additionalProperties false and no attributeValue field — only team and BU mappings support it. An operator who follows the docs literally and adds attributeValue to a role mapping will get a schema validation failure that prevents Bifrost from starting.

docs/enterprise/setting-up-okta.mdx — the attributeValue notes in Steps 4 and 9 should be scoped to team/BU mappings only.

Important Files Changed

Filename	Overview
docs/enterprise/setting-up-okta.mdx	Expands Step 4 and adds SCIM attribute mapping guidance; contains an inaccuracy where notes in Steps 4 and 9 incorrectly claim attributeValue is required for all mappings (including role mappings), conflicting with the config schema that only permits attributeValue on team and BU mappings.
docs/mcp/auth/per-user-oauth.mdx	Removes the prerelease version gate note for per-user OAuth; no correctness concerns.

_{Reviews (5): Last reviewed commit: "docs: update for custom attributes" | Re-trigger Greptile}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
bifrost	🟢 Ready	View Preview	Jun 9, 2026, 1:37 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[coderabbitai]

♻️ Duplicate comments (3)

docs/enterprise/setting-up-okta.mdx (3)

407-409: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Note incorrectly describes the relationship between SCIM external_name and Bifrost mapping fields.

Lines 407-409 state: "Use the same name for the SCIM attribute (external_name) as the OIDC claim you expose in the token...This way a single Bifrost mapping rule works for both OIDC login and SCIM push without needing to set attributeValue."

This guidance is incorrect. Bifrost's attribute mappings (configured in Step 10) are keyed by the JWT claim fields attribute and value (or attributeValue), and for team/business-unit mappings, also attributeType. The SCIM external_name is an Okta-internal field that controls how Okta names attributes in its outbound SCIM payloads; it does not determine or simplify Bifrost's mapping configuration.

Correct the note to instruct users to configure their Bifrost mapping rules' attribute field to match the OIDC claim name (e.g., "attribute": "bifrostRole"), and remove the claim that aligning SCIM external_name avoids setting attributeValue.

📝 Suggested fix

 <Note>
-  Use the same name for the SCIM attribute (`external_name`) as the OIDC claim you expose in the token. For example, if your authorization server emits `bifrostRole` as a JWT claim, name the SCIM attribute `bifrostRole` too. This way a single Bifrost mapping rule works for both OIDC login and SCIM push without needing to set `attributeValue`.
+  When configuring Bifrost attribute mappings in Step 10, set the `attribute` field to match the OIDC claim name you expose in the token. For example, if your authorization server emits a `bifrostRole` claim, configure your mapping rule with `"attribute": "bifrostRole"`. This ensures Bifrost can match the claim value during OIDC login.
 </Note>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-okta.mdx` around lines 407 - 409, The Note
incorrectly claims SCIM `external_name` can replace Bifrost mapping
configuration; update the text to remove that claim and instruct readers to set
the Bifrost mapping fields to match the OIDC claim instead: tell them to
configure the Bifrost mapping rule's "attribute" field to the JWT claim name
(for example, "attribute": "bifrostRole") and, where applicable, supply "value"
(or "attributeValue") and "attributeType" for team/business-unit mappings as
described in Step 10; also clarify that Okta's SCIM `external_name` only affects
Okta's outbound attribute naming and does not simplify or replace Bifrost
mapping configuration.

---

364-391: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

SCIM attribute mapping subsection may not reflect Bifrost's actual provisioning model.

This subsection instructs users to add custom attributes to the Okta SCIM app schema and provides detailed Profile Editor steps. However, as flagged in past review, Bifrost's enterprise documentation elsewhere states it does not support inbound SCIM management APIs from IdPs and advises against configuring IdP SCIM connectors to point at Bifrost's /scim/v2 endpoint.

If this restriction is still accurate:

1. Clarify that adding SCIM attributes in Okta is only necessary if the attribute needs to be included in outbound SCIM payloads to a different downstream system (not Bifrost).
2. State explicitly that Bifrost does not consume these SCIM attributes via inbound SCIM push.
3. Verify that the three referenced screenshot files exist under media/user-provisioning/ with the exact filenames shown (past review found them missing).

If Bifrost has added inbound SCIM support since the past review, update the broader user provisioning documentation to reflect this change and remove the conflicting guidance.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-okta.mdx` around lines 364 - 391, Update the "Map
custom attributes to SCIM (for SCIM attribute-based mappings)" subsection to
clarify Bifrost's actual SCIM behavior: if Bifrost does not accept inbound SCIM
pushes, state explicitly that adding SCIM attributes in Okta is only needed when
you intend to include those attributes in outbound SCIM payloads to other
downstream systems (not consumed by Bifrost), and add a clear note that Bifrost
does not consume SCIM attributes via inbound pushes to /scim/v2; alternatively,
if Bifrost now supports inbound SCIM, update the broader user provisioning docs
to reflect that and remove the warning; also verify the three image filenames
referenced (okta-scim-profile-editor-page.png,
okta-scim-profile-editor-add-attribute.png, and the third screenshot name used)
exist in media/user-provisioning/ and correct or remove image references if they
are missing.

---

152-152: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Misleading guidance: SCIM external_name does not control Bifrost attribute mappings.

Line 152 suggests that matching the OIDC token claim name with the SCIM attribute's external_name will "avoid needing attributeValue overrides in your mappings." This is inaccurate.

Bifrost's provisioning attribute mappings (for roles, teams, and business units) are keyed by the JWT claim fields attribute and value/attributeValue (plus attributeType/attributeValue for team/business-unit mappings), as shown in the code. The SCIM external_name is an Okta-side field used to wire Okta user profile attributes into outbound SCIM payloads; it does not control or simplify Bifrost's mapping configuration.

Update this sentence to instruct users to configure the attribute field in their Bifrost mapping rules to match the OIDC claim name they expose in the token (e.g., "attribute": "role"), and remove the claim that matching SCIM external_name has any effect on attributeValue requirements.

📝 Suggested fix

-Set **Name** to the claim name Bifrost will see in the token — use the same name as your SCIM attribute's `external_name` (configured in the SCIM app profile) to avoid needing `attributeValue` overrides in your mappings.
+Set **Name** to the claim name Bifrost will see in the token (e.g., `role`). In your Bifrost attribute mappings (configured in Step 10), use this same claim name as the `attribute` field (e.g., `"attribute": "role"`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-okta.mdx` at line 152, Replace the misleading
guidance about SCIM `external_name` with a clear instruction that Bifrost
mapping rules use the JWT claim fields and that users must set the mapping's
"attribute" to the OIDC claim name they expose in the token (e.g., `"attribute":
"role"`); remove any suggestion that matching the Okta SCIM `external_name` will
avoid `attributeValue`/`attributeType` overrides and briefly note that
`attributeValue` (and `attributeType` for team/business-unit mappings) are
required by Bifrost mapping logic and are independent of Okta's SCIM
external_name.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/enterprise/setting-up-okta.mdx`:
- Around line 407-409: The Note incorrectly claims SCIM `external_name` can
replace Bifrost mapping configuration; update the text to remove that claim and
instruct readers to set the Bifrost mapping fields to match the OIDC claim
instead: tell them to configure the Bifrost mapping rule's "attribute" field to
the JWT claim name (for example, "attribute": "bifrostRole") and, where
applicable, supply "value" (or "attributeValue") and "attributeType" for
team/business-unit mappings as described in Step 10; also clarify that Okta's
SCIM `external_name` only affects Okta's outbound attribute naming and does not
simplify or replace Bifrost mapping configuration.
- Around line 364-391: Update the "Map custom attributes to SCIM (for SCIM
attribute-based mappings)" subsection to clarify Bifrost's actual SCIM behavior:
if Bifrost does not accept inbound SCIM pushes, state explicitly that adding
SCIM attributes in Okta is only needed when you intend to include those
attributes in outbound SCIM payloads to other downstream systems (not consumed
by Bifrost), and add a clear note that Bifrost does not consume SCIM attributes
via inbound pushes to /scim/v2; alternatively, if Bifrost now supports inbound
SCIM, update the broader user provisioning docs to reflect that and remove the
warning; also verify the three image filenames referenced
(okta-scim-profile-editor-page.png, okta-scim-profile-editor-add-attribute.png,
and the third screenshot name used) exist in media/user-provisioning/ and
correct or remove image references if they are missing.
- Line 152: Replace the misleading guidance about SCIM `external_name` with a
clear instruction that Bifrost mapping rules use the JWT claim fields and that
users must set the mapping's "attribute" to the OIDC claim name they expose in
the token (e.g., `"attribute": "role"`); remove any suggestion that matching the
Okta SCIM `external_name` will avoid `attributeValue`/`attributeType` overrides
and briefly note that `attributeValue` (and `attributeType` for
team/business-unit mappings) are required by Bifrost mapping logic and are
independent of Okta's SCIM external_name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fe7947be-222b-489f-a90d-3f227c9274fd

📥 Commits

Reviewing files that changed from the base of the PR and between c95654c and 2a176ab.

⛔ Files ignored due to path filters (3)

• docs/media/user-provisioning/okta-scim-profile-editor-add-attribute.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-mapping.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-page.png is excluded by !**/*.png

📒 Files selected for processing (1)

• docs/enterprise/setting-up-okta.mdx

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/enterprise/setting-up-okta.mdx (1)

422-525: 🧹 Nitpick | 🔵 Trivial | 🏗️ Heavy lift

Consider adding a config.json example tab for users who configure Bifrost via file.

The guidelines specify that Mintlify MDX docs should include "Web UI / API / config.json tabs." This section currently shows only the UI approach (line 422: "Using the Bifrost UI") with a configuration reference table (lines 511-525), but no concrete config.json example.

If users can configure the Okta OIDC provider via config.json directly, consider adding a tab with a complete working example that includes:

• All required fields (issuerUrl, authServerType, clientId, clientSecret)
• Optional fields (audience, apiToken, provisioningToken)
• Sample attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings arrays
• Comments explaining the mapping evaluation rules

Validate any config.json example against transports/config.schema.json to ensure accuracy.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-okta.mdx` around lines 422 - 525, Add a
"config.json" tab alongside the UI instructions showing a complete example JSON
configuration for the Okta provider that includes required fields (issuerUrl,
authServerType, clientId, clientSecret), optional fields (audience, apiToken,
provisioningToken), and sample attributeRoleMappings, attributeTeamMappings, and
attributeBusinessUnitMappings arrays; include short inline comments describing
evaluation rules (first-match for attributeRoleMappings, all-match for
team/businessUnit mappings, case-insensitive and "*" passthrough), reference the
configuration keys exactly as used in the docs (issuerUrl, authServerType,
clientId, clientSecret, audience, apiToken, provisioningToken,
attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings) and
validate the example against transports/config.schema.json to ensure field
names/types match the schema before adding the tab to the MDX.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-okta.mdx`:
- Around line 152-153: Update the two passages to remove the contradictory
implication that name alignment alone removes other requirements: explicitly
state that when SCIM is enabled each Bifrost mapping must include attributeValue
in addition to attribute (i.e., the mapping needs both the SCIM external_name
and the attributeValue for SCIM provisioning), whereas for OIDC-only flows the
OIDC claim name (attribute) is sufficient and attributeValue is not required;
clarify that aligning the OIDC claim name (attribute) with the SCIM
external_name simply allows you to reuse the same attribute key in both mappings
for consistency and easier maintenance, but it does not eliminate the
requirement to set attributeValue for SCIM mappings, and remove any sentence
claiming that alignment alone makes attributeValue unnecessary.
- Around line 261-262: Update the note at the sentence that currently reads
"This step is optional if you plan to use SCIM push (Step 9) for real-time sync
instead" so it no longer implies SCIM push and the API token are mutually
exclusive; replace it with the suggested wording: "This step is optional if you
plan to rely solely on SCIM push (Step 9) for real-time sync. Note that SCIM
push and background sync are complementary—the API token enables the 24-hour
background reconciliation that catches anything SCIM push may have missed."
Ensure the changed sentence appears in the same paragraph that references SCIM
push (Step 9) and the 24-hour background reconciliation so the complementarity
is clear.

---

Outside diff comments:
In `@docs/enterprise/setting-up-okta.mdx`:
- Around line 422-525: Add a "config.json" tab alongside the UI instructions
showing a complete example JSON configuration for the Okta provider that
includes required fields (issuerUrl, authServerType, clientId, clientSecret),
optional fields (audience, apiToken, provisioningToken), and sample
attributeRoleMappings, attributeTeamMappings, and attributeBusinessUnitMappings
arrays; include short inline comments describing evaluation rules (first-match
for attributeRoleMappings, all-match for team/businessUnit mappings,
case-insensitive and "*" passthrough), reference the configuration keys exactly
as used in the docs (issuerUrl, authServerType, clientId, clientSecret,
audience, apiToken, provisioningToken, attributeRoleMappings,
attributeTeamMappings, attributeBusinessUnitMappings) and validate the example
against transports/config.schema.json to ensure field names/types match the
schema before adding the tab to the MDX.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f73dc35b-2133-4337-9c26-ada41705f64d

📥 Commits

Reviewing files that changed from the base of the PR and between 04c5381 and 28923cb.

⛔ Files ignored due to path filters (3)

• docs/media/user-provisioning/okta-scim-profile-editor-add-attribute.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-mapping.png is excluded by !**/*.png
• docs/media/user-provisioning/okta-scim-profile-editor-page.png is excluded by !**/*.png

📒 Files selected for processing (2)

• docs/enterprise/setting-up-okta.mdx
• docs/mcp/auth/per-user-oauth.mdx

💤 Files with no reviewable changes (1)

• docs/mcp/auth/per-user-oauth.mdx

[akshaydeo]

Merge activity

• Jun 9, 2:48 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Jun 9, 2:49 PM UTC: @akshaydeo merged this pull request with Graphite.