SCIM integration tests (#27750)

For #27287

This PR adds integration tests for SCIM API endpoints as well as some
bug fixes found by these tests.

# Checklist for submitter

- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality

Author: getvictor

cmd/fleetctl/users_test.go

@@ -191,7 +191,7 @@ func TestCreateBulkUsers(t *testing.T) {
 		user15,[email protected],false,false,,1:admin
 		user16,[email protected],false,false,,1:admin 2:maintainer`)
 
-	expectedText := `{"kind":"user_roles","apiVersion":"v1","spec":{"roles":{"[email protected]":{"global_role":"admin","teams":null},"[email protected]":{"global_role":"maintainer","teams":null},"[email protected]":{"global_role":"observer","teams":null},"[email protected]":{"global_role":"admin","teams":null},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"maintainer"}]},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"admin"}]},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"admin"},{"team":"","role":"maintainer"}]},"[email protected]":{"global_role":"observer","teams":null},"[email protected]":{"global_role":"observer","teams":null}}}}
+	expectedText := `{"kind":"user_roles","apiVersion":"v1","spec":{"roles":{"[email protected]":{"global_role":"admin","teams":null},"[email protected]":{"global_role":"maintainer","teams":null},"[email protected]":{"global_role":"observer","teams":null},"[email protected]":{"global_role":"admin","teams":null},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"maintainer"}]},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"admin"}]},"[email protected]":{"global_role":null,"teams":[{"team":"","role":"admin"},{"team":"","role":"maintainer"}]},"[email protected]":{"global_role":"maintainer","teams":null},"[email protected]":{"global_role":"observer","teams":null}}}}
 `
 
 	assert.Equal(t, "", runAppForTest(t, []string{"user", "create-users", "--csv", csvFile}))

docs/Contributing/MDM-end-user-authentication.md

@@ -18,7 +18,7 @@ Create a SAML app in an IdP.
 
 ## Description
 
-If the IT admin configured end user authentication, we change the `configuration_web_url` value in the [enrollment JSON profile](https://developer.apple.com/documentation/devicemanagement/profile) to be `{server_url}/api/v1/fleet/mdm/sso`. This page initiates the SSO flow in the setup assistant webview.
+If the IT admin configured end user authentication, we change the `configuration_web_url` value in the [enrollment JSON profile](https://developer.apple.com/documentation/devicemanagement/profile) to be `{server_url}/mdm/sso`. This page gets the SAML Request from `{server_url}/api/v1/fleet/mdm/sso` and initiates the SSO flow in the setup assistant web view.
 
 `end_user_authentication` setting is global, but `enable_end_user_authentication` is a team setting.
 

docs/Contributing/MDM-SCIM-integration.md docs/Contributing/SCIM-integration.md

@@ -11,6 +11,10 @@
 
 - https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/
 
+Sample provisioning settings that work. Capabilities can be disabled and attributes can be removed as needed.
+
+![Okta to Fleet provisioning](./assets/SCIM-Okta-provisioning.png)
+
 ### Testing Okta integration
 
 First, create at least one SCIM user: