Cursor/docs saml SCIM map roles by group v2

[keydunov]

Check List

• Tests have been run in packages where changes have been made if available
• Linter has been run for changed code
• Tests for the changes have been added if not covered yet
• Docs have been added / updated if required

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
cubed3	🟡 Building	–	May 22, 2026, 10:13 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[claude]

Claude finished @keydunov's task in 1m 19s —— View job

---

Code Review: docs(sso) — Simplify and correct group-mapping sections

• Gather context and read changed files
• Analyze documentation changes
• Provide code review feedback

---

Overall assessment: This PR looks good. Clean documentation improvement — net removal of ~55 lines, corrected semantics, and consistent structure across all four SSO pages.

What the PR does

Two commits that refine the "Map roles by group" documentation for both Okta and Microsoft Entra ID (SAML + SCIM pages):

1. Corrects group-mapping semantics — The old docs stated group mappings were applied on every SAML login (additive). The new docs clarify that for SAML SSO, mappings are evaluated only when a new user is auto-provisioned, and matched roles replace (not stack on top of) the default role. The default role acts as a fallback only.
2. Removes internal implementation names (groupsRolesMap, rolesMap) from user-facing docs — good practice.
3. Removes a duplicate Admin Info block on the Entra SAML page and a legacy rolesMap callout on both SAML pages.
4. Simplifies SCIM group-mapping sections — condenses verbose bullet-point lists into concise flowing prose.

Positives

• Consistent parallel structure: The SAML "Map roles by group" paragraphs on both provider pages are essentially identical (modulo "Cube" vs "Cube Cloud" naming). Same for the SCIM pages. This makes the docs predictable across providers.
• Correct cross-references: All internal anchors (#map-roles-by-group, #default-role-for-new-users, #configure-attribute-mappings, etc.) and link references at the bottom of each file check out.
• Clean commit history: Two well-scoped commits with clear messages describing the "what" and "why."

Minor observations (non-blocking)

1. Pre-existing naming inconsistency: The Entra pages use "Cube" throughout while the Okta pages use "Cube Cloud". This is pre-existing and not introduced by this PR, but worth noting if a future pass normalizes the naming.

2. SCIM "additive" note lost some detail: The old SCIM sections included an explicit note that the match is on displayName (not the group object ID) and advised users to ensure their IdP group name entries match. The new text retains the displayName mention but the "make sure entries match" guidance was dropped. This is fine for brevity, but could trip up users who enter the Entra group object ID instead of the display name. Consider whether a short reminder is worthwhile — something like "use the group's display name, not its object ID" in the SAML mapping steps. Totally optional.

3. Semantics change is significant: The switch from "roles are additive on every login" to "evaluated only at first provisioning" is a material behavioral clarification. If this accurately reflects the product's behavior (which the commit message indicates it does), then the docs are now correct and the old version was misleading.

No issues found

• No security concerns (docs-only change)
• No broken links or malformed MDX
• No performance implications
• Markdown formatting is clean throughout

LGTM — no blocking issues. Nice cleanup.