new docs updates for scim #2748

Merged: akshaydeo merged 1 commit into main from 04-16-new_docs_updates_for_scim on Apr 15, 2026

@akshaydeo (Contributor) commented Apr 15, 2026

Summary

This PR updates the v1.5.0-prerelease3 changelog to focus on the most significant user-facing changes while removing detailed technical implementation notes. It also includes documentation updates for contributing guidelines, user provisioning setup guides, and various feature enhancements.

Changes

  • Changelog consolidation: Streamlined v1.5.0-prerelease3 changelog to highlight key features like OAuth MCP hints, Azure passthrough, 272k token tier pricing, and critical bug fixes
  • User provisioning documentation: Added comprehensive setup guides for Google Workspace, Keycloak, and Zitadel identity providers with step-by-step configuration instructions
  • Enhanced attribute mapping: Updated Okta and Entra setup guides with improved attribute-to-role mapping examples and custom attribute support
  • Documentation improvements: Updated contributing guidelines, code conventions, and repository setup instructions to reflect current tooling (Vite instead of Next.js)
  • Configuration updates: Restructured governance configuration examples to use separate budget and rate limit arrays with ID references
  • Provider enhancements: Added raw request/response storage options and improved LangChain integration examples

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins
  • UI (Next.js)
  • Docs

How to test

Validate documentation changes by reviewing the updated guides:

# Verify documentation builds correctly
cd docs
npm install
npm run build

# Test specific provider setup guides
# - Navigate to /enterprise/setting-up-google-workspace
# - Navigate to /enterprise/setting-up-keycloak  
# - Navigate to /enterprise/setting-up-zitadel
# - Verify all images and links work correctly

# Validate changelog formatting
# - Check /changelogs/v1.5.0-prerelease3 renders properly
# - Ensure all feature descriptions are clear and concise

Screenshots/Recordings

N/A - Documentation-only changes

Breaking changes

  • Yes
  • No

Related issues

Updates documentation to reflect current product capabilities and streamlines changelog for better user experience.

Security considerations

The user provisioning guides include proper security practices for OAuth client setup, service account permissions, and domain-wide delegation configuration across multiple identity providers.

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai Bot (Contributor) commented Apr 15, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 17d6115f-9757-4938-ac62-d90510ec8534

📥 Commits

Reviewing files that changed from the base of the PR and between e7ef535 and a2cef32.

⛔ Files ignored due to path filters (29)
  • docs/media/custom-base-url.mp4 is excluded by !**/*.mp4
  • docs/media/guardrails/azure-api-key.png is excluded by !**/*.png
  • docs/media/guardrails/microsoft-guardrails-url.png is excluded by !**/*.png
  • docs/media/setting-up-dashboard-auth.png is excluded by !**/*.png
  • docs/media/ui-config.png is excluded by !**/*.png
  • docs/media/ui-multi-key-for-models.png is excluded by !**/*.png
  • docs/media/ui-provider-configs.png is excluded by !**/*.png
  • docs/media/user-provisioning/attribute-to-entity-mapping.png is excluded by !**/*.png
  • docs/media/user-provisioning/custom-attribute-mapping.png is excluded by !**/*.png
  • docs/media/user-provisioning/entra-app-manifest.png is excluded by !**/*.png
  • docs/media/user-provisioning/entra-form.png is excluded by !**/*.png
  • docs/media/user-provisioning/gws-apis-and-services.png is excluded by !**/*.png
  • docs/media/user-provisioning/gws-form.png is excluded by !**/*.png
  • docs/media/user-provisioning/okta-form.png is excluded by !**/*.png
  • docs/media/user-provisioning/scim-attribute-mapping.png is excluded by !**/*.png
  • docs/media/user-provisioning/scim-flow.png is excluded by !**/*.png
  • docs/media/user-provisioning/scim-import-preview.png is excluded by !**/*.png
  • docs/media/user-provisioning/scim-overview.png is excluded by !**/*.png
  • docs/media/user-provisioning/scim-provider-select.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-assert-roles.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-client-id.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-form.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-project-roles.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-refresh-token.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-service-account-create.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-service-account-key.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-service-account-role.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-token-settings.png is excluded by !**/*.png
  • docs/media/user-provisioning/zitadel-user-role-assignment.png is excluded by !**/*.png
📒 Files selected for processing (36)
  • docs/changelogs/v1.5.0-prerelease3.mdx
  • docs/contributing/code-conventions.mdx
  • docs/contributing/setting-up-repo.mdx
  • docs/docs.json
  • docs/enterprise/audit-logs.mdx
  • docs/enterprise/clustering.mdx
  • docs/enterprise/guardrails.mdx
  • docs/enterprise/rbac.mdx
  • docs/enterprise/setting-up-entra.mdx
  • docs/enterprise/setting-up-google-workspace.mdx
  • docs/enterprise/setting-up-keycloak.mdx
  • docs/enterprise/setting-up-okta.mdx
  • docs/enterprise/setting-up-zitadel.mdx
  • docs/enterprise/user-provisioning.mdx
  • docs/features/governance/budget-and-limits.mdx
  • docs/features/governance/virtual-keys.mdx
  • docs/features/litellm-compat.mdx
  • docs/features/observability/prometheus.mdx
  • docs/integrations/guardrails/azure-content-safety.mdx
  • docs/integrations/langchain-sdk.mdx
  • docs/media/user-provisioning/.custom-attribute-mapping.png-TkS4
  • docs/media/user-provisioning/.custom-attribute-mapping.png-e0eo
  • docs/media/user-provisioning/.scim-import-preview.png-sIys
  • docs/openapi/openapi.json
  • docs/openapi/openapi.yaml
  • docs/openapi/paths/management/governance.yaml
  • docs/openapi/schemas/integrations/bedrock/converse.yaml
  • docs/openapi/schemas/management/governance.yaml
  • docs/overview.mdx
  • docs/plugins/building-dynamic-binary.mdx
  • docs/plugins/writing-go-plugin.mdx
  • docs/providers/request-options.mdx
  • docs/quickstart/gateway/provider-configuration.mdx
  • docs/quickstart/gateway/setting-up-auth.mdx
  • docs/quickstart/gateway/setting-up.mdx
  • docs/quickstart/go-sdk/provider-configuration.mdx

📝 Walkthrough

Summary by CodeRabbit

  • Documentation

    • Added comprehensive setup guides for Google Workspace, Zitadel, and Keycloak identity providers
    • Added new User Provisioning (SCIM) documentation with end-to-end configuration and workflow details
    • Updated enterprise RBAC, audit logs, guardrails, and clustering documentation with simplified configurations
    • Updated code conventions and repository setup instructions for development workflow
  • New Features

    • Added virtual-keys quota management API endpoint
    • Added raw request/response storage configuration options
  • Chores

    • Restructured governance configuration for budgets and rate limits
    • Updated OpenAPI schemas and Prometheus plugin configuration format
    • Simplified LiteLLM compatibility features and streaming response handling

Walkthrough

Documentation across the Bifrost project has been significantly updated, including restructured changelog content, new identity provider setup guides (Zitadel, Google Workspace, Keycloak), a consolidated User Provisioning (SCIM) page, reorganized governance configuration examples, updated OpenAPI schemas for streaming and LiteLLM compatibility, and UI development setup changes from Next.js to Vite.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changelog & Contributing: docs/changelogs/v1.5.0-prerelease3.mdx, docs/contributing/code-conventions.mdx, docs/contributing/setting-up-repo.mdx | Condensed changelog entries for v1.5.0-prerelease3; updated code-formatting command to npm run format; replaced Next.js dev server guidance with Vite setup and adjusted troubleshooting steps for UI dependencies. |
| Enterprise Identity Providers - New Guides: docs/enterprise/setting-up-zitadel.mdx, docs/enterprise/setting-up-google-workspace.mdx, docs/enterprise/setting-up-keycloak.mdx | Added comprehensive setup guides for Zitadel, Google Workspace, and Keycloak as identity providers, covering OAuth/OIDC configuration, optional user provisioning, attribute mapping, and troubleshooting sections. |
| Enterprise Identity Providers - Updates: docs/enterprise/setting-up-okta.mdx, docs/enterprise/setting-up-entra.mdx | Shifted from group-to-role mappings to attribute-based mappings; made role creation optional; added attribute mapping sections with evaluation rules; updated configuration references and removed obsolete troubleshooting items. |
| Enterprise Features: docs/enterprise/user-provisioning.mdx, docs/enterprise/rbac.mdx, docs/enterprise/audit-logs.mdx, docs/enterprise/clustering.mdx, docs/enterprise/guardrails.mdx | Added consolidated SCIM user provisioning documentation; updated RBAC to reference provisioning instead of IdP authentication; simplified audit logs configuration schema (removed nested structure); extended clustering gossip examples with timeout/threshold configs; restructured guardrails examples from enterprise.guardrails to guardrails_config. |
| Navigation & Overview: docs/docs.json, docs/overview.mdx | Reorganized navigation structure; added new enterprise pages (user-provisioning, setting-up-zitadel, setting-up-google-workspace); updated /features/enterprise/scim redirect; removed "Secret Management (Vaults)" section and vault-support feature card. |
| Governance & Features: docs/features/governance/budget-and-limits.mdx, docs/features/governance/virtual-keys.mdx, docs/features/litellm-compat.mdx | Restructured governance configuration to model budgets and rate limits as separate top-level arrays with id-based references; removed budget_id and keys arrays from virtual key objects; removed parameter conversion support from LiteLLM compatibility documentation. |
| OpenAPI Specifications: docs/openapi/openapi.json, docs/openapi/openapi.yaml, docs/openapi/paths/management/governance.yaml, docs/openapi/schemas/management/governance.yaml, docs/openapi/schemas/integrations/bedrock/converse.yaml | Changed streaming field invokeModelRawChunks (array) to invokeModelRawChunk (single byte); replaced compat object with enable_litellm_fallbacks boolean; added new GET /virtual-keys/quota endpoint and VirtualKeyQuotaResponse schema. |
| Provider Configuration & Request Options: docs/providers/request-options.mdx, docs/quickstart/gateway/provider-configuration.mdx, docs/quickstart/go-sdk/provider-configuration.mdx | Added documentation for raw request/response handling (BifrostContextKeySendBackRawRequest, BifrostContextKeyStoreRawRequestResponse); updated Go SDK examples to remove ctx parameter from GetConfigForProvider; added per-request override notes and embedded video for custom base URL. |
| Quick Start & Authentication: docs/quickstart/gateway/setting-up.mdx, docs/quickstart/gateway/setting-up-auth.mdx | Reformatted configuration flags table for consistency; added PostgreSQL 16+ minimum version requirement and materialized views permission note; added OSS-only note for unavailable features and linked to SCIM provisioning page. |
| Integrations & Plugins: docs/integrations/guardrails/azure-content-safety.mdx, docs/integrations/langchain-sdk.mdx, docs/features/observability/prometheus.mdx, docs/plugins/building-dynamic-binary.mdx, docs/plugins/writing-go-plugin.mdx | Updated Azure Content Safety table formatting and added image/key collection guide; changed Google Gemini LangChain model from 2.5-flash to 1.5-flash and updated configuration parameters; restructured Prometheus plugin config into nested push_gateway object; updated Dockerfile UI build comments and commands to use npm run build-enterprise; replaced log_level config with nested client.enable_logging structure. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

Poem

🐰 Hop through new pages, oh what a sight!
Zitadel, Google, and Keycloak bright!
Vite builds faster than Next.js could fly,
Attribute mappings reach for the sky!

Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@akshaydeo akshaydeo marked this pull request as ready for review April 15, 2026 20:22
Contributor Author

akshaydeo commented Apr 15, 2026

Merge activity

  • Apr 15, 8:22 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Apr 15, 8:23 PM UTC: @akshaydeo merged this pull request with Graphite.

@github-actions
Contributor

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #2748

@akshaydeo akshaydeo merged commit 15b67f2 into main Apr 15, 2026
12 of 18 checks passed
@akshaydeo akshaydeo deleted the 04-16-new_docs_updates_for_scim branch April 15, 2026 20:23
@greptile-apps
Contributor

greptile-apps Bot commented Apr 15, 2026

Confidence Score: 3/5

Not safe to merge — two P1 issues (missing Keycloak nav entry + missing screenshots) will cause broken docs on the live site.

Three P1 findings: Keycloak guide absent from sidebar navigation, all 6 Keycloak screenshots missing from the repo, and copy-pasted Okta text in the Entra guide. These will ship broken pages to users.

docs/docs.json (add Keycloak nav entry), docs/enterprise/setting-up-keycloak.mdx (add screenshots), docs/enterprise/setting-up-entra.mdx (fix provider name copy-paste)

Important Files Changed

| Filename | Overview |
|---|---|
| docs/enterprise/user-provisioning.mdx | New SCIM overview page — well structured, but the Keycloak Card links to /enterprise/setting-up-keycloak which is absent from the sidebar navigation, and scim-attribute-mapping.png has the wrong alt text. |
| docs/enterprise/setting-up-keycloak.mdx | New Keycloak IdP guide — missing from docs.json navigation and all 6 referenced screenshot images are absent from the repository, so the page will render with broken image placeholders. |
| docs/enterprise/setting-up-entra.mdx | Updated Entra IdP guide — the new Attribute Mappings section was copy-pasted from the Okta guide and still says "Okta claim values" / "Okta claims" / "Okta authorization server" throughout; the Frame alt text also says "Create token dialog in Okta". |
| docs/enterprise/setting-up-okta.mdx | Updated Okta guide — formatting improvements and Attribute Mappings section added; minor inconsistency where clientSecret is now marked Required in the config table but still described as "optional, for token revocation" in the UI config section. |
| docs/enterprise/setting-up-zitadel.mdx | New Zitadel IdP guide — comprehensive and correctly added to docs.json navigation; all referenced images are present in the repository. |
| docs/enterprise/setting-up-google-workspace.mdx | New Google Workspace IdP guide — added to docs.json navigation; all referenced images exist in the repository. |
| docs/docs.json | Navigation updated to add user-provisioning, Zitadel, and Google Workspace pages; however setting-up-keycloak.mdx is omitted from the Identity Providers group despite being linked from user-provisioning.mdx. |
| docs/openapi/paths/management/governance.yaml | Adds GET /api/governance/virtual-keys/quota endpoint for self-service quota lookup; security definitions and response schema look correct. |
| docs/openapi/schemas/management/governance.yaml | Adds VirtualKeyQuotaResponse schema with budget and rate_limit fields; refs to existing Budget/RateLimit schemas are correct. |

Comments Outside Diff (1)

  1. docs/docs.json, line 295-302 (link)

    P1 Keycloak guide missing from sidebar navigation

    docs/enterprise/setting-up-keycloak.mdx is a new file in this PR and is linked from the Keycloak Card in user-provisioning.mdx, but it is not listed in the "Identity Providers (SSO)" group here. Visitors who click the Card will reach the page but can never find it in the sidebar, and documentation build tools (Mintlify) may warn or error on unlisted pages.

Reviews (1): Last reviewed commit: "new docs updates for scim"

1. In the Keycloak Admin Console, select your realm and go to **Clients → Create client**.

<Frame>
<img src="/media/user-provisioning/keycloak-create-client.png" alt="Creating a client in Keycloak" />

P1 All Keycloak screenshots are missing

The guide references six images that do not exist anywhere in the repository:

  • keycloak-create-client.png (line 27)
  • keycloak-capability-config.png (line 44)
  • keycloak-client-credentials.png (line 65)
  • keycloak-group-mapper.png (line 80)
  • keycloak-service-account-roles.png (line 122)
  • keycloak-bifrost-config.png (line 159)

Every <Frame> wrapping one of these will render a broken image. Please add the missing screenshots to docs/media/user-provisioning/ before merging.

Comment on lines +279 to +291
### Attribute Mappings

Attribute mappings let you translate Okta claim values into Bifrost roles, teams, or business units without restructuring your Okta claims. Bifrost supports three mapping types:

Bifrost automatically maps Entra app roles to its internal role hierarchy:
- **`attributeRoleMappings`**: map a claim value to a Bifrost role (Admin, Developer, Viewer, or a custom role)
- **`attributeTeamMappings`**: map a claim value to a Bifrost team
- **`attributeBusinessUnitMappings`**: map a claim value to a Bifrost business unit

| Entra Role Value | Bifrost Role | Privilege Level |
|------------------|--------------|-----------------|
| `admin` | Admin | Highest |
| `developer` | Developer | Medium |
| `viewer` | Viewer | Lowest |
These mappings work with any Okta claim — the `groups` claim from Step 5, the custom `role` claim from Step 4, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).

**Multiple Roles:** If a user has multiple roles assigned, Bifrost automatically selects the highest privilege role. For example, a user with both `viewer` and `developer` roles will be assigned the Developer role in Bifrost.
To configure attribute mappings:

**Default Role:** Users without any assigned role will default to the Viewer role.
1. In the User Provisioning configuration, scroll down to **Attribute Mappings**
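
Review bot: The line "These mappings work with any Okta claim ... or any other claim your authorization server includes in the token (e.g., `department`, `organization`)" sits directly under `attributeRoleMappings`, which can map a claim value to the Admin role, yet nothing in these lines says the claim must be one that only identity-provider administrators can set. Suggest adding a sentence that claims used for role mapping should come from admin-assigned groups, app roles or locked attributes rather than profile fields a user can edit. Because the +/- markers are not visible in this rendering, it is also worth confirming whether the "Multiple Roles" (highest privilege wins) and "Default Role" (Viewer) rules shown here still hold for attribute mappings, and saying so explicitly in the new text.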

P1 Copy-paste from Okta guide — wrong provider name throughout

This section was copied from setting-up-okta.mdx and still names Okta in three places:

  • line 281: "translate Okta claim values … without restructuring your Okta claims"
  • line 287: "These mappings work with any Okta claim — the groups claim from Step 5, the custom role claim from Step 4, or any other claim your authorization server includes"

All three occurrences should reference Microsoft Entra / Entra ID, and the step references (Step 4, Step 5) should match the Entra guide's step numbering. Additionally, the <Frame> on line 242 has alt="Create token dialog in Okta" — that should say Entra.

Comment on lines +252 to +258
| **Client ID** | Your Okta application Client ID |
| **Issuer URL** | Issuer URL |
| **Audience** | Your API audience (e.g., `api://default` or custom) |
| **Client Secret** | Your Okta application Client Secret (optional, for token revocation) |

4. Toggle **Enabled** to activate the provider
5. Click **Save Configuration**
4. **Verify** configuration and see if you get any errors. Make sure you get no errors/warnings.
5. Toggle **Enabled** to activate the provider
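
Review bot: The **Issuer URL** row describes the field only as "Issuer URL", so the table gives no hint of the value to enter, unlike the **Audience** row, which carries an example (`api://default`). Suggest describing it as the issuer of the Okta authorization server whose tokens Bifrost should accept, and giving its expected form. The new step 4 could also be tightened to a single instruction, for example "Click **Verify** and resolve any errors or warnings before enabling the provider."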

P2 clientSecret marked Required but described as optional

The UI config description above (line 244) reads "Your Okta application Client Secret (optional, for token revocation)", but the Configuration Reference table now marks clientSecret as Yes (required). These are contradictory — please align them. If the secret is now mandatory, update the description; if it remains optional, change the table back to No.

Comment on lines +122 to +124
3. Fill in the provider-specific fields. Required fields are marked and validated on **Verify**.

<Frame>

P2 Wrong alt text on attribute-mapping screenshot

scim-attribute-mapping.png has alt="Preview of users matching an import filter", which is the same alt text used for the import-preview image further down (line 154). The attribute-mapping screenshot should have a distinct, accurate description such as "Attribute mapping configuration in the Bifrost dashboard".

Suggested change
3. Fill in the provider-specific fields. Required fields are marked and validated on **Verify**.
<Frame>
<img src="/media/user-provisioning/scim-attribute-mapping.png" alt="Attribute mapping configuration in the Bifrost dashboard" />
