From 2ee80aef3737635200e02a4ee6239cc160d988a9 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Tue, 17 Feb 2026 10:41:09 -0500
Subject: [PATCH] Backport add SCIM endpoint ServiceProviderConfig into ce/main (#12303)
---
 vault/identity_store.go | 17 +++++++++++------
 vault/identity_store_oss.go | 4 ++++
 vault/identity_store_scim_oss.go | 6 ++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/vault/identity_store.go b/vault/identity_store.go
index 1c3af32b3e..f8e6b00bf0 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -113,6 +113,14 @@ func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendCo
 return nil, fmt.Errorf("failed to create group packer: %w", err)
 }
+ unauthenticatedPaths := []string{
+ "oidc/.well-known/*",
+ "oidc/+/.well-known/*",
+ "oidc/provider/+/.well-known/*",
+ "oidc/provider/+/token",
+ }
+ unauthenticatedPaths = append(unauthenticatedPaths, identityStoreLoginMFAEntUnauthedPaths()...)
+ unauthenticatedPaths = append(unauthenticatedPaths, identityStoreSCIMUnauthedPaths()...)
 iStore.Backend = &framework.Backend{
 BackendType: logical.TypeLogical,
 Paths: iStore.paths(),
@@ -120,12 +128,7 @@ func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendCo
 InitializeFunc: iStore.initialize,
 ActivationFunc: iStore.activate,
 PathsSpecial: &logical.Paths{
- Unauthenticated: append([]string{
- "oidc/.well-known/*",
- "oidc/+/.well-known/*",
- "oidc/provider/+/.well-known/*",
- "oidc/provider/+/token",
- }),
+ Unauthenticated: unauthenticatedPaths,
 LocalStorage: []string{
 localAliasesBucketsPrefix,
 },
@@ -167,6 +170,8 @@ func (i *IdentityStore) paths() []*framework.Path {
 mfaDuoPaths(i),
 mfaPingIDPaths(i),
 mfaLoginEnforcementPaths(i),
+ mfaLoginEnterprisePaths(i),
+ scimPaths(i),
 )
 }
diff --git a/vault/identity_store_oss.go b/vault/identity_store_oss.go
index 350d8c3831..da98262df0 100644
--- a/vault/identity_store_oss.go
+++ b/vault/identity_store_oss.go
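Review bot: The `unauthenticatedPaths` slice built in the first hunk is handed to `PathsSpecial.Unauthenticated` in the second, so whatever `identityStoreLoginMFAEntUnauthedPaths()` and `identityStoreSCIMUnauthedPaths()` return becomes token-free surface on the identity store, and nothing at the call site says so. I would put a comment above the literal: `// Every pattern below, plus anything the build-specific hooks append, is served without a token; keep this list to discovery/metadata endpoints and never add a path that reads entities, groups or aliases.` A CE unit test asserting that `iStore.Backend.PathsSpecial.Unauthenticated` equals exactly the four OIDC patterns would catch a stub or a later backport silently widening the list. Both `NewIdentityStore` and `paths()` begin and end outside these hunks.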
@@ -24,6 +24,10 @@ func identityStoreLoginMFAEntUnauthedPaths() []string {
 return []string{}
 }
+func identityStoreSCIMUnauthedPaths() []string {
+ return []string{}
+}
+
 func mfaLoginEnterprisePaths(i *IdentityStore) []*framework.Path {
 return []*framework.Path{}
 }
diff --git a/vault/identity_store_scim_oss.go b/vault/identity_store_scim_oss.go
index b8e8cfb630..5ddcd5344a 100644
--- a/vault/identity_store_scim_oss.go
+++ b/vault/identity_store_scim_oss.go
@@ -7,6 +7,8 @@ package vault
 import (
 "context"
+
+ "github.com/hashicorp/vault/sdk/framework"
 )
 func (i *IdentityStore) loadSCIMClients(ctx context.Context) error {
@@ -15,3 +17,7 @@ func (i *IdentityStore) loadSCIMClients(ctx context.Context) error {
 func (i *IdentityStore) invalidateSCIMClient(ctx context.Context, key string) {
 }
+
+func scimPaths(_ *IdentityStore) []*framework.Path {
+ return []*framework.Path{}
+}
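Review bot: `identityStoreSCIMUnauthedPaths` in the first hunk carries no doc comment, and its name alone does not convey that its return value is appended straight into the identity store's `PathsSpecial.Unauthenticated`, meaning every entry it returns is reachable with no Vault token. I would add `// identityStoreSCIMUnauthedPaths returns the SCIM path patterns the identity store serves without a token. The CE build exposes none; any entry added in other builds is security-sensitive and should be limited to discovery endpoints such as ServiceProviderConfig.` A matching one-liner belongs on `scimPaths` in the last hunk, stating that CE registers no SCIM routes at all. Keeping both stubs explicitly documented as intentionally empty makes an accidental widening in a future backport stand out in review.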