docs(enterprise): Add IdP delegation documentation [PLAT-4827]

[justinegeffen]

Summary

Customer-facing documentation for PLAT-4827 — IdP delegation & claims mapping on Seqera Platform Enterprise, shipping with the v26.1 release. Targets the `enterprise-26.1-documentation` branch so this content flows into the 26.1 versioned docs.

This PR adds the documentation layer that explains how organization owners can map a Seqera Team to an IdP group, populate the group catalog (SCIM or manual), configure the IdP to emit the `groups` claim, and understand multi-organization routing.

Pages added

Under platform-enterprise_docs/enterprise/configuration/authentication/idp-delegation/:

• `overview.md` — concept hub: three components, login evaluation, multi-org routing, audit trail
• `group-catalog/overview.md` — SCIM vs manual entry, promotion, orphan behavior
• `group-catalog/scim-okta.md` — full Okta SCIM setup procedure
• `group-catalog/scim-entra-id.md` — full Entra ID SCIM setup procedure
• `group-catalog/manual-google-workspace.md` — manual catalog entries for Google Workspace
• `group-catalog/manual-keycloak.md` — manual catalog entries for Keycloak
• `claim-mapping.md` — per-IdP OIDC and SAML `groups` claim configuration
• `multi-org-routing.md` — topology decision table, FR-039 uniqueness invariant, conflict resolution

Plus a new Teams page (created from scratch — Enterprise didn't have one):

• `platform-enterprise_docs/orgs-and-teams/teams.md` — Team creation, editing, and full IdP delegation procedure with the `#delegate-a-team-to-an-idp-group` anchor used by cross-references

Pages updated

• `platform-enterprise_docs/enterprise-sidebar.json` — adds IdP delegation category under Authentication, adds the new Teams page under Organizations & teams
• `platform-enterprise_docs/enterprise/configuration/authentication/overview.md` — OIDC group-claim note + new IdP delegation and group claims section

AC coverage (PLAT-4827)

User story	Covered in
US1 / PLAT-5164 — Connect IdP groups	`group-catalog/*`
US2 / PLAT-5165 — Delegate a Team	`teams.md` — "Delegate a Team to an IdP group"
US3 / PLAT-5166 — Login JIT evaluation	`overview.md`, `teams.md`
US3 AC 7 — Multi-org routing	`multi-org-routing.md`
US4 / PLAT-5167 — Immutability	`teams.md`
US5 / PLAT-5168 — Audit trail (delegation/SCIM)	`overview.md` — "Audit trail"
USV / PLAT-5172 — Per-IdP setup sufficient	`group-catalog/*`, `claim-mapping.md`

Out of scope

• US8 / PLAT-5171 — workspace assignment usability content is blocked on Figma. Will follow in a separate PR once UX assets land.
• Audit log page update — Enterprise has `platform-enterprise_docs/monitoring/audit-logs.md` but the SCIM/delegation audit content lives in `idp-delegation/overview.md` instead. If you'd prefer the SCIM/delegation entries to also appear in `audit-logs.md`, flag and I'll lift a short section across.
• Changelog entries — landing separately.

Open questions for product/engineering

1. Auth0 mapping for Enterprise-on-Auth0 customers — a subset of Enterprise deployments run their instance behind their own Auth0 tenant. Should the Enterprise docs cross-link to the Cloud Auth0 connection mapping page, or get a sibling Enterprise version? Currently silent (assumes Enterprise reads IdP tokens directly).
2. Screenshots — PLAT-5172 AC 1 implies the SCIM and claim mapping guides should be sufficient for setup without backend assistance. Would screenshots of the Okta, Entra, and Keycloak admin consoles raise the bar enough to commission them? Currently none.
3. Multi-organization naming conventions — `multi-org-routing.md` includes operator guidance with three example conventions (prefix, reverse-DNS, project-coded). Confirm this aligns with how Seqera SAs guide multi-org deployments, or flag a different recommended pattern.

Reviewers

CODEOWNERS will auto-request docs reviewers. Please also add:

• A PLAT-4827 SME (Andrew Dawson reported the epic; Rob Newman commented on it)

Test plan

• Local Docusaurus build (`npm start` or `npm run build` from repo root)
• All internal markdown links resolve, including the deep anchor `teams#delegate-a-team-to-an-idp-group`
• New sidebar entries render in correct order under Authentication → IdP delegation and the new `teams` entry appears under Organizations & teams
• Cross-links from `authentication/overview.md` to the new sub-folder navigate correctly
• The 26.1 versioned snapshot picks up these files when the release process runs

Companion Cloud PR: #1415 against `master`.

🤖 Generated with Claude Code

[joaquimgamero]

First read-through, ping me if you need help or want to clarify something @justinegeffen, happy to help :)
I left lots of comments but a lot of them are repetitions of the same.

[joaquimgamero]

See comment above, the SSO connection is not required, it's activating OIDC auth that's required instead. cc. @JaimeSeqLabs

[swingingsimian]

Just to clarify here, as OIDC is SSO. I think what @joaquimgamero is getting at is... not a runtime managed SSO connection within the UI (which is restricted to CloudPro), but the env/config managed OIDC SSO connection.

[joaquimgamero]

Same as above, the requirement is to activate OIDC auth. cc. @JaimeSeqLabs

[joaquimgamero]

This can only be done via Group Mapping page, not in the team edit page.

[justinegeffen]

@joaquimgamero do we have screenshots or a recording of this? I want to double-check I have all the UI elements/steps documented properly.

[joaquimgamero]

This is why I meant @justinegeffen - this is the only place where you can assign a team to an IdP group

[swingingsimian]

This would I think be correct for cloud, but not enterprise. As SSO is env/config driven, there is not UI for managing SSO, hence we just have Org setting > Group mapping > 'manage'

[JaimeSeqLabs]

this file is inside platform-enterprise_docs directory so I'm guessing this is for enterprise only, we need to fix this

[swingingsimian]

Just a general comment here on the use of 'catalog'. I think this is claude parlance which has slipped into usage in the code and made it's way to the UI.

And now in the docs. It's not necessarily a bad thing, just raising that this might not be how we want to refer to a collection of objects in the UI.

[swingingsimian]

Same deal as for google wrt form/flow, and presence on team form

[swingingsimian]

SAML is not supported yet

[swingingsimian]

Hmm, I believe this isn't aligned with the behaviour, we current treat malformed as absent, hence no removal will happen. Let me double check that.

[swingingsimian]

Yup FR-018:

Malformed claims should be rejected by the SSO layer before reaching evaluation; if they do reach evaluation, treat as absent (skip) to fail safely.

Absent here means no groups claim, no membership change.

[JaimeSeqLabs]

should we include a screenshot creating a manual group with this ?

[JaimeSeqLabs]

this file is inside platform-enterprise_docs directory so I'm guessing this is for enterprise only, we need to fix this

[JaimeSeqLabs]

This is likely carried from the outdated spec, there is no display name for the manual groups:

Suggested change

	2. Select **Add manual group**.
	3. In **Group name**, paste the group's email address.
	4. (Optional) In **Display name**, enter a human-friendly label for the group. This appears in the **IdP Group** dropdown on the team form.
	6. (Optional) Select a Linked team
	7. Select **Add**.
	2. Select **Add manual group**.
	3. In **Group name**, paste the group's email address.
	4. Select a Linked team from the list.
	5. Select **Add**.

[christopher-hakkaart]

I've made lots of editorial suggestions. There is one place where it looks like a merge conflict has been carried through. Everything is marked as suggestions, please check that the meaning is retained.

[christopher-hakkaart]

Suggested change

	Seqera maintains a per-organization catalog of identity provider (IdP) groups. The catalog is independent of user activity and groups appear as soon as they're synced or entered, before any user has signed in.
	Seqera maintains a per-organization catalog of identity provider (IdP) groups. Groups appear in the catalog as soon as they're synced from the IdP or added manually. They don't depend on any user having signed in.

[christopher-hakkaart]

Suggested change

	:::info
	Other identity providers
	SCIM provisioning is officially supported with Okta and Microsoft Entra ID. Any OIDC or SAML identity provider can authenticate users through Auth0, but group membership won't sync automatically and lifecycle events (joiners, movers, leavers) need to be handled manually in Seqera.
	If you use Google Workspace, Keycloak, Ping, OneLogin, or another OIDC/SAML provider and want to delegate team membership, contact your Seqera account team to discuss your setup.
	:::
	:::info[Other identity providers]
	SCIM-based provisioning is supported for Okta and Microsoft Entra ID. With these providers, group membership syncs automatically, including lifecycle events (joiners, movers, leavers).
	Other OIDC or SAML identity providers can authenticate users through Auth0, but group membership doesn't sync automatically. An admin must update memberships in Seqera as users join, move, or leave.
	If you use Google Workspace, Keycloak, Ping, OneLogin, or another OIDC/SAML provider and want to delegate team membership, contact your Seqera account team to discuss your setup.
	:::

I found this unclear, please check meaning is retained. Note that even if the content is incorrect, I've moved the title to be the title of the admonition.

[christopher-hakkaart]

Suggested change

	1. Open **Organization settings** and select **Group mapping**.
	2. Select **Add manual group**.
	To add a group manually:
	To delete a manually-entered group, select **Delete** on its row. If any delegated team references the group, its members are immediately purged.
	2. Select **Add group manually**.
	3. Enter the group identifier exactly as it appears in your IdP's `groups` claim.
	4. Select **Save**.
	To add a group manually:
	1. Open **Organization settings** and select **Group mapping**.
	2. Select **Add group manually**.
	3. Enter the group identifier exactly as it appears in your IdP's `groups` claim.
	4. Select **Save**.

Please check this is correct.

There were two steps:

• Select Add group manually.
• Select Add manual group.

And the text below was injected.

[christopher-hakkaart]

Suggested change

A manually-entered group is automatically promoted to SCIM-managed if your IdP later pushes the same group via SCIM. The promotion happens in place; the catalog row is reused, and any delegated teams that reference it continue to work without interruption. After promotion, the row's lifecycle is fully driven by SCIM, and the manual **Delete** action is no longer available; the row is removed when your IdP issues a SCIM `DELETE`.

A manually-entered group is automatically promoted to SCIM-managed if your IdP later pushes the same group via SCIM. The promotion happens in place. The catalog row is reused, and any delegated teams that reference it continue to work without interruption. After promotion, the row's lifecycle is fully driven by SCIM, and the manual **Delete** action is no longer available. The row is removed when your IdP issues a SCIM `DELETE`.

[christopher-hakkaart]

Suggested change

	- Every delegated team that referenced the group has its delegation-driven members purged. The team's other settings — name, workspace assignments, role — are preserved.
	- Every delegated team that referenced the group has its delegation-driven members purged. The team's other settings (name, workspace assignments, role) are preserved.

[christopher-hakkaart]

Suggested change

	- **Match found** — the user is added to the team if they aren't already a member.
	- **No match** and the user was previously a member — they're removed from the team.
	- **No match** and the user was never a delegation-driven member — no change.
	- **Match found**: The user is added to the team if they aren't already a member.
	- **No match and the user was previously a member**: The user is removed from the team.
	- **No match and the user was never a delegation-driven member**: no change.

[christopher-hakkaart]

Suggested change

	SCIM-originated entries — operations performed by your IdP's provisioning agent against Seqera's SCIM endpoint — are attributed to a **System** operator rather than to a named administrator, because they authenticate with a SCIM bearer token. To correlate a SCIM event with a specific administrator action, match by `displayName` and timestamp against your IdP's provisioning logs.
	SCIM-originated entries (operations performed by your IdP's provisioning agent against Seqera's SCIM endpoint) are attributed to a **System** operator rather than to a named administrator, because they authenticate with a SCIM bearer token. To correlate a SCIM event with a specific administrator action, match by `displayName` and timestamp against your IdP's provisioning logs.

[christopher-hakkaart]

Suggested change

	2. [Populate the IdP group catalog](./group-catalog/overview) — choose SCIM push or manual entry depending on your IdP.
	2. [Populate the IdP group catalog](./group-catalog/overview). Choose SCIM push or manual entry depending on your IdP.

[christopher-hakkaart]

Suggested change

	The same surface is used to delete a team. The **Delete** action is disabled for delegated teams; clear the **IdP Group** field first.
	The same surface is used to delete a team. The **Delete** action is disabled for delegated teams. Clear the **IdP Group** field first.

[christopher-hakkaart]

Suggested change

	- Organization owner access to your Seqera organization.
	:::info[**Prerequisites**]{#prerequisites}
	You will need the following to get started:
	- An active OIDC SSO connection on your organization. See [Authentication](../enterprise/configuration/authentication/overview).
	- A populated IdP group catalog. See [Manage your IdP group catalog](../enterprise/configuration/authentication/idp-delegation/group-catalog/overview).
	- An IdP that emits the `groups` claim in OIDC tokens. See [IdP claim mapping](../enterprise/configuration/authentication/idp-delegation/claim-mapping).
	- Organization owner access to your Seqera organization.
	:::

[christopher-hakkaart]

I've made lots of editorial suggestions. There is one place where it looks like a merge conflict has been carried through. Everything is marked as suggestions, please check that the meaning is retained.

[christopher-hakkaart]

fix formatting