docs: add --sync-sso-user-last-login to README, remove orphaned SCIM fields

[carolinaroncaglia]

Summary

• Add --sync-sso-user-last-login to README: Flag was introduced in PR cx-32 add last login event feed #98 (CXP-15) but was never added to the README CLI usage section. Requires cloudtrail:LookupEvents IAM permission.
• Remove orphaned SCIM struct fields: SCIMToken, SCIMEndpoint, SCIMEnabled were left as dead code in pkg/connector/connector.go after SCIM support was fully removed in PR cxp-232 take sso user status from api response #104 (CXP-232). These fields are not wired to any config or main entry point.

Context

Surfaced during containerization validation QA plan review (CXP-116). Both items are documentation/cleanup gaps that should be resolved before the containerized release ships.

Related: #101 (containerization PR), #98 (CXP-15 last login), #104 (CXP-232 SCIM removal)

Test plan

• go build ./... passes with SCIM fields removed
• README diff reviewed for accuracy

🤖 Generated with Claude Code

[github-actions]

Claude finished @carolinaroncaglia's task in 1m 2s —— View job

---

PR Review

• Gather context and read changed files
• Review README changes
• Review connector.go changes
• Post review feedback

---

Verdict: Looks good ✅

Both changes are clean and correct. A couple of notes:

README (README.md:97)

The new --sync-sso-user-last-login flag entry is correctly placed in alphabetical order, the description matches the field definition in pkg/config/config.go:86-89, and the env var $BATON_SYNC_SSO_USER_LAST_LOGIN is consistent with the config field name. No issues here.

SCIM field removal (pkg/connector/connector.go)

The three removed fields (SCIMToken, SCIMEndpoint, SCIMEnabled) have zero references remaining in the Go source — no config wiring in cmd/baton-aws/main.go, no config field definitions in pkg/config/, and no usage anywhere in pkg/connector/. This is confirmed dead code and safe to remove.

Minor observation (out of scope for this PR)

docs/connector.mdx still references SCIM configuration (BATON_SCIM_ENABLED, BATON_SCIM_ENDPOINT, BATON_SCIM_TOKEN) at lines 536 and 627-629. Since that file documents the C1 web UI setup and isn't Go code, it's reasonable to handle in a separate follow-up — but worth noting so it doesn't get forgotten.

---

[github-actions]

Claude finished @carolinaroncaglia's task in 56s —— View job

---

• Gather context and read changed files
• Review README changes
• Review connector.go changes
• Review connector.mdx changes
• Post review feedback

---

PR Review

Verdict: Approve ✅

All three changes are clean, correct, and well-scoped. No issues found.

README.md (line 97)

The new --sync-sso-user-last-login flag entry is correctly placed in alphabetical order between --sync-secrets and --ticketing. The description and env var ($BATON_SYNC_SSO_USER_LAST_LOGIN) match the config field definition at pkg/config/config.go:86-89 exactly.

pkg/connector/connector.go (lines 45-47)

The three removed fields (SCIMToken, SCIMEndpoint, SCIMEnabled) have zero remaining references anywhere in the Go source — confirmed via grep. No config wiring in cmd/baton-aws/main.go, no field definitions in pkg/config/, no usage in any builder. Safe to remove.

docs/connector.mdx

The second commit cleanly removes all SCIM references from the connector docs:

• Line 53: Removed the "DO NOT click Enable usage of the AWS IAM Identity Center SCIM API" clause — appropriate since the feature no longer exists.
• Lines 533-535 (old): Removed the SCIM setup step from the web UI instructions.
• Lines 620-625 (old): Removed the BATON_SCIM_* env vars from the Kubernetes secret example.

After these removals, zero SCIM references remain in connector.mdx. This addresses the observation from the earlier review about the SCIM references that were out of scope for the first commit.

Build verification

The SyncSSOUserLastLogin field in the Config struct (connector.go:47) is properly wired through main.go:70 and used at connector.go:215, confirming no breakage from the SCIM removal.

---

[carolinaroncaglia]

Addressed in this PR (commit d4a6342): docs/connector.mdx was updated in the same PR — the three SCIM references have been removed:

• UI setup step for "Enable usage of the AWS IAM Identity Center SCIM API" (line 536)
• BATON_SCIM_ENABLED, BATON_SCIM_ENDPOINT, BATON_SCIM_TOKEN env vars from the self-hosted config example (lines 626–629)
• Reference to "DO NOT click Enable usage of the AWS IAM Identity Center SCIM API" in the cross-account access note (line 53)

No longer a follow-up item.