Summary

Documents multi-tenant SCIM support in the SCIM overview, so a single Permit environment can back multiple isolated customer tenants. Adds a new section to docs/integrations/SCIM/SCIM_overview.mdx.

Why

The SCIM server now supports a tenant-aware URL form, but that capability was undocumented — leaving customers without a clear way to adopt it and the support team without a canonical reference.

• Multi-customer environments need isolated role assignments. Customers running one Permit environment across multiple end-customers had no documented way to keep each tenant's user-to-role bindings separate. The tenant-aware URL is the supported mechanism, and it needs to be discoverable.
• The URL shape is easy to get wrong. The double /v2/ segment looks like a typo or a protocol version bump. Without an explicit note, users misread it, misconfigure their IdP, or assume it's a SCIM version mismatch. Documenting the routing-prefix-vs-protocol-version distinction prevents misconfiguration and support tickets.
• The scoping model is non-obvious. That users and role definitions are environment-scoped while role assignments are tenant-scoped is a subtle but critical detail. Getting it wrong leads to wrong assumptions about isolation (e.g., expecting per-tenant users, or duplicate role definitions). Spelling out the data model sets correct expectations up front.
• Backward-compatibility reassurance. Existing single-tenant integrations must keep working. Documenting that the legacy URL is unchanged and continues to route to the default tenant prevents unnecessary migrations.

What's in here

• Two supported base URL shapes:
  • Legacy (single-tenant): https://scim.permit.io/scim/v2/{permit_project_id}/{permit_env_id} — all role assignments land in the default tenant; existing integrations keep working unchanged.
  • Tenant-aware: https://scim.permit.io/scim/v2/{permit_project_id}/{permit_env_id}/v2/{tenant_id} — {tenant_id} is required (there is no tenant-less /v2/Users). Each tenant points its IdP at its own base URL.
• A clarifying note that the second /v2/ segment is a routing prefix selecting the multi-tenant SCIM API — not a SCIM protocol version (the SCIM 2.0 version is the earlier /scim/v2/ segment).
• {tenant_id} validation rule: [A-Za-z0-9_-]{1,64}; invalid values return a 404 at the routing layer before any handler runs.
• How users, groups, and tenants relate:
  • Users are environment-scoped — userName stays globally unique within the environment; the tenant segment does not partition users.
  • Groups (roles) are environment-scoped definitions — a duplicate displayName reuses the existing role rather than failing.
  • Group membership (role assignment) is tenant-scoped — the same user can hold a role in one tenant and not another, independently.
• Guidance on choosing between the two URLs (single-tenant vs. multi-customer environments).
• Minor typo fix: curly apostrophe → straight apostrophe in the Security bullet.

Linear

PER-15099 — https://linear.app/permit/issue/PER-15099/docs-document-multi-tenant-scim-support-in-scim-overview