[pull] master from cube-js:master

docs/pages/product/administration/_meta.js

@@ -1,5 +1,6 @@
 module.exports = {
   "users-and-permissions": "Users & permissions",
+  "sso": "SSO & identity providers",
   "ai": "AI",
   "workspace": "Workspace",
   "deployment": "Deployment",

docs/pages/product/administration/sso/microsoft-entra-id.mdx

@@ -0,0 +1,29 @@
+# Microsoft Entra ID
+
+Cube Cloud supports authenticating users through [Microsoft Entra
+ID][ext-ms-entra-id] (formerly Azure Active Directory), which is
+useful when you want your users to access Cube Cloud using single sign-on.
+
+<InfoBox>
+
+Single sign-on with Microsoft Entra ID is available in Cube Cloud on
+[Enterprise and above](https://cube.dev/pricing) product tiers.
+
+</InfoBox>
+
+## Setup guides
+
+<Grid imageSize={[56, 56]}>
+  <GridItem
+    url="microsoft-entra-id/saml"
+    imageUrl="https://static.cube.dev/icons/azure.svg"
+    title="SAML"
+  />
+  <GridItem
+    url="microsoft-entra-id/scim"
+    imageUrl="https://static.cube.dev/icons/azure.svg"
+    title="SCIM"
+  />
+</Grid>
+
+[ext-ms-entra-id]: https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id

docs/pages/product/administration/sso/microsoft-entra-id/_meta.js

@@ -0,0 +1,4 @@
+module.exports = {
+  "saml": "SAML",
+  "scim": "SCIM"
+}

docs/pages/product/administration/workspace/sso/microsoft-entra-id.mdx → docs/pages/product/administration/sso/microsoft-entra-id/saml.mdx

@@ -5,16 +5,16 @@ ID][ext-ms-entra-id] (formerly Azure Active Directory), which is
 useful when you want your users to access Cube Cloud using single sign-on.
 
 This guide will walk you through the steps of configuring SAML authentication
-in Cube Cloud with Entra ID. You **must** have sufficient permissions in your
+in Cube Cloud with Entra ID. You **must** have sufficient permissions in your
 Azure account to create a new Enterprise Application and configure SAML
 integration.
 
-<SuccessBox>
+<InfoBox>
 
 Single sign-on with Microsoft Entra ID is available in Cube Cloud on
 [Enterprise and above](https://cube.dev/pricing) product tiers.
 
-</SuccessBox>
+</InfoBox>
 
 ## Enable SAML in Cube Cloud
 

docs/pages/product/administration/sso/microsoft-entra-id/scim.mdx

@@ -0,0 +1,72 @@
+# SCIM provisioning with Microsoft Entra ID
+
+With SCIM (System for Cross-domain Identity Management) enabled, you can
+automate user provisioning in Cube Cloud and keep user groups synchronized
+with Microsoft Entra ID (formerly Azure Active Directory).
+
+<InfoBox>
+
+SCIM provisioning with Microsoft Entra ID is available in Cube Cloud on
+[Enterprise and above](https://cube.dev/pricing) product tiers.
+Contact [Cube support](https://cube.dev/contact) to activate SCIM for your account.
+
+</InfoBox>
+
+## Prerequisites
+
+Before proceeding, ensure you have the following:
+
+- Microsoft Entra SAML authentication already configured. If not, complete
+  the [SAML setup][ref-saml] first.
+- Admin permissions in Cube Cloud.
+- Sufficient permissions in Microsoft Entra to manage Enterprise Applications.
+
+## Generate an API key in Cube Cloud
+
+To allow Entra ID to communicate with Cube Cloud via SCIM, you'll need to
+create a dedicated API key:
+
+1. In Cube Cloud, navigate to <Btn>Settings → API Keys</Btn>.
+2. Create a new API key. Give it a descriptive name such as **Entra SCIM**.
+3. Copy the generated key and store it securely — you'll need it in the
+   next step.
+
+## Set up provisioning in Microsoft Entra
+
+This section assumes you already have a Cube Cloud Enterprise Application
+in Microsoft Entra. If you haven't created one yet, follow the
+[SAML setup guide][ref-saml] first.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
+2. Go to <Btn>Applications → Enterprise Applications</Btn> and open your
+   Cube Cloud application.
+3. Navigate to <Btn>Manage → Provisioning</Btn>.
+4. Set the <Btn>Provisioning Mode</Btn> to **Automatic**.
+5. Under <Btn>Admin Credentials</Btn>, fill in the following:
+   - **Tenant URL** — Your Cube Cloud deployment URL with `/api/scim/v2`
+     appended. For example: `https://your-deployment.cubecloud.dev/api/scim/v2`
+   - **Secret Token** — The API key you generated in the previous step.
+6. Click <Btn>Test Connection</Btn> to verify that Entra ID can reach
+   Cube Cloud. Proceed once the test is successful.
+
+## Configure attribute mappings
+
+Next, configure which user and group attributes are synchronized with
+Cube Cloud:
+
+1. In the <Btn>Mappings</Btn> section, select the object type you want to
+   configure — either users or groups.
+2. Remove all default attribute mappings **except** the following:
+   - **For users**: keep `userName` and `displayName`.
+   - **For groups**: keep `displayName` and `members`.
+3. Click <Btn>Save</Btn>.
+
+<InfoBox>
+
+Users provisioned via SCIM will receive the Explorer role.
+To grant admin permissions, update the user's role manually in
+Cube Cloud under <Btn>Team & Security</Btn>.
+
+</InfoBox>
+
+[ref-saml]: /product/administration/sso/microsoft-entra-id/saml

docs/pages/product/administration/workspace/_meta.js

@@ -12,7 +12,6 @@ module.exports = {
   "pre-aggregations": "Pre-aggregations",
   "performance": "Performance Insights",
   "monitoring": "Monitoring Integrations",
-  "sso": "Authentication & SSO",
   "audit-log": "Audit Log",
   "chats-history": "Chats History",
   "api-keys": "API keys",

docs/redirects.json

@@ -1811,22 +1811,42 @@
   },
   {
     "source": "/product/workspace/sso",
-    "destination": "/product/administration/workspace/sso",
+    "destination": "/product/administration/sso",
+    "permanent": true
+  },
+  {
+    "source": "/product/administration/workspace/sso",
+    "destination": "/product/administration/sso",
     "permanent": true
   },
   {
     "source": "/product/workspace/sso/google-workspace",
-    "destination": "/product/administration/workspace/sso/google-workspace",
+    "destination": "/product/administration/sso/google-workspace",
+    "permanent": true
+  },
+  {
+    "source": "/product/administration/workspace/sso/google-workspace",
+    "destination": "/product/administration/sso/google-workspace",
     "permanent": true
   },
   {
     "source": "/product/workspace/sso/microsoft-entra-id",
-    "destination": "/product/administration/workspace/sso/microsoft-entra-id",
+    "destination": "/product/administration/sso/microsoft-entra-id",
+    "permanent": true
+  },
+  {
+    "source": "/product/administration/workspace/sso/microsoft-entra-id",
+    "destination": "/product/administration/sso/microsoft-entra-id",
     "permanent": true
   },
   {
     "source": "/product/workspace/sso/okta",
-    "destination": "/product/administration/workspace/sso/okta",
+    "destination": "/product/administration/sso/okta",
+    "permanent": true
+  },
+  {
+    "source": "/product/administration/workspace/sso/okta",
+    "destination": "/product/administration/sso/okta",
     "permanent": true
   },
   {