Klaxoon SCIM rules

Rate limits on Klaxoon SCIM API

Klaxoon applies rate limiting to the SCIM API so that incoming requests can be processed securely and the servers stay protected.

The average rate limit is 16 requests per second; above that, Klaxoon returns the standard 429 response (“too many requests”).

Supported features

Klaxoon supports the following provisioning features:

Create new users

When you assign your users to Klaxoon SCIM, those who already have a Klaxoon PRO license receive an email asking for their consent to join your team. As long as they do not consent, the IdP request for these users will fail with a 409 error (conflict, “User confirmation pending”). Otherwise, users automatically become members of your synced Klaxoon team, and their accounts are created if necessary.

Deactivate users

Deactivating or deleting synced users in your IdP, or unassigning them from the Klaxoon SCIM application, deactivates them in their Klaxoon team and frees their licenses. Users can be reactivated by the corresponding reverse actions.

Manage your users' licenses

Depending on your IdP, there are different ways to manage your licenses and to set which users should have a “PRO” paying license or a “FREE”, limited one. Klaxoon will reject a license assignment if you do not have enough licenses available for your team.

Manage users' roles

Optionally, you can assign specific roles, such as team-admin or company-admin, to users through Klaxoon SCIM. Roles requiring a license cannot be assigned to users without a license.

Manage users' teams

Optionally you can manage different Klaxoon teams to reflect your organization. If the team is not defined via SCIM, users are placed in the default team. Users can be moved between teams.

Keep users synchronized between your IdP and Klaxoon

Once synchronized with your IdP, your Klaxoon users reflect the changes you make to a user’s name, email or license. Once synced with SCIM, users cannot change their name or email themselves. We do not sync profile pictures, so that users can choose the one they like in Klaxoon; we do not sync passwords (mainly because some IdPs do not offer that possibility); and we do not sync language, as it is accurately detected upon connection to fit users' preferences.

Note: Permanent deletion of users and their content is not possible through the SCIM API.
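A provisioning loop that respects the 16 requests per second limit and treats the two error codes described above differently, as an added example (not Klaxoon code). The `send` callable, the `Pacer` class, the exponential backoff schedule and the scripted responses are assumptions made for illustration.

```python
import time

RATE_LIMIT_PER_SEC = 16                  # average limit stated on this page
PENDING = "User confirmation pending"    # 409 detail quoted on this page

class Pacer:
    """Spaces requests so the average rate stays at or below the limit."""
    def __init__(self, rate=RATE_LIMIT_PER_SEC, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = 1.0 / rate, clock, sleep
        self.next_slot = clock()

    def wait(self):
        now = self.clock()
        if now < self.next_slot:
            self.sleep(self.next_slot - now)
        self.next_slot = max(now, self.next_slot) + self.interval

def provision(users, send, pacer, max_retries=4):
    """send(user) -> (status, detail); hypothetical transport supplied by the caller."""
    out = {"done": [], "pending_consent": [], "failed": []}
    for user in users:
        for attempt in range(max_retries + 1):
            pacer.wait()
            status, detail = send(user)
            if status == 429:                          # throttled: back off, then retry
                pacer.sleep(min(2 ** attempt, 30))
                continue
            if status == 409 and PENDING in detail:    # waiting on the user's consent:
                out["pending_consent"].append(user)    # park it, a retry cannot succeed yet
            elif 200 <= status < 300:
                out["done"].append(user)
            else:
                out["failed"].append((user, status))
            break
        else:                                          # retries exhausted on 429
            out["failed"].append((user, 429))
    return out

def run_demo():
    """Constructed responses: alice succeeds, bob is throttled once, carol must consent."""
    script = {"alice": [(201, "")], "bob": [(429, ""), (201, "")],
              "carol": [(409, PENDING)]}
    t, slept = [0.0], []
    def sleep(s):
        slept.append(s); t[0] += s
    pacer = Pacer(clock=lambda: t[0], sleep=sleep)
    result = provision(list(script), lambda u: script[u].pop(0), pacer)
    return result, slept
```

Users left in `pending_consent` are worth surfacing to an administrator, since they stay unprovisioned until they accept the invitation email.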

Supported attributes

Klaxoon User Attributes

| Klaxoon Attributes | Type | Usage | Mandatory |
|---|---|---|---|
| userName | string | technical unique identifier | yes |
| name.givenName | string | first name | yes |
| name.familyName | string | last name | yes |
| emails[{ value, type, primary }] | object | user email. Only one email is used: the primary one if set, else the first one in the array. Must be unique for each user. Used to create the Klaxoon email account. | yes (value) |
| externalId | string | IdP reference. Must be unique for each user | yes |
| active | boolean | user active status | yes |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User" { license } | string | license value (see Licensing) | no (null by default) |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User" { role } | string | role value (see Role management) | no (null by default) |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User" { team } | string | team value (see Team management) | no (null by default) |

Group Attributes

| Klaxoon Attributes | Type | Usage | Mandatory |
|---|---|---|---|
| displayName | string | technical identifier | yes |
| externalId | string | IdP reference. Must be unique for each | yes |
| members | reference | list of references to users, e.g. "members" : [{"value": <id_user1>},{"value": <id_user2>},..] | no |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:Group" { license } | string | license value (see Licensing) | no (null by default) |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:Group" { role } | string | role value (see Role management) | no (null by default) |
| "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:Group" { team } | string | team value (see Team management) | no (null by default) |

Licensing

The license attribute tells Klaxoon if users must use one of your PRO licenses to have full access to Klaxoon or if users should be FREE and have a limited profile.

It can be attached to a User or a Group object depending on your IdP capabilities and administration habits.

The following values are supported:

  • true : meaning the User or Group members should be considered PRO
  • false : meaning the User or Group members should be considered FREE
  • null : meaning the licensing is not managed

In case of a conflict between the Group and User license information, the User information prevails.
If the license attribute is null, the default rules apply to define the user's status, as shown in the table below:

| | User does not belong to a Group | User’s Group license attribute is null | User’s Group license attribute is false | User’s Group license attribute is true |
|---|---|---|---|---|
| User’s license attribute is null | FREE | FREE | FREE | PRO |
| User’s license attribute is false | FREE | FREE | FREE | FREE |
| User’s license attribute is true | PRO | PRO | PRO | PRO |

Role management

The role represents the user's authorization level and associated permissions.

It can be null or one of three values:

  • user: the default role for a standard user, whether Pro or Free
  • team-admin: a team administrator
  • company-admin: a company administrator

If undefined, the default role is applied.

The roles “team-admin” and “company-admin” require a license to be assigned. A request to assign these roles to a Free user will be rejected by Klaxoon.

If a user with an admin role has their license revoked, they lose their role.

By default, if an admin is moved to another team, they lose their role (unless the role is enforced via SCIM).

If multiple roles are assigned via SCIM, the highest-level role is applied.
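The license and role rules above, combined into a pre-flight check that can be run on SCIM payloads before they are sent, so that admin-role assignments Klaxoon would reject are caught early (an added example, not Klaxoon code). It assumes a user belongs to at most one Group, that the license value may arrive as a boolean or as the strings "true"/"false"/"null", that a role can be set on both the User and the Group extension, and that company-admin ranks above team-admin.

```python
EXT_USER = "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User"
EXT_GROUP = "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:Group"
ROLE_RANK = {"user": 0, "team-admin": 1, "company-admin": 2}   # assumed ordering
LICENSED_ROLES = {"team-admin", "company-admin"}               # need a PRO license

def _license(resource, ext):
    """Read the license attribute as True, False or None (not managed)."""
    value = (resource or {}).get(ext, {}).get("license")
    if value is None or isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false", "null"):
        raise ValueError(f"unsupported license value: {value!r}")
    return None if text == "null" else text == "true"

def effective_license(user, group=None):
    """User value prevails; a null user value falls back to the Group; else FREE."""
    own, inherited = _license(user, EXT_USER), _license(group, EXT_GROUP)
    return "PRO" if (own if own is not None else inherited) else "FREE"

def effective_role(user, group=None):
    """Highest-level role among those set on the User and the Group; default 'user'."""
    roles = [r for r in (user.get(EXT_USER, {}).get("role"),
                         (group or {}).get(EXT_GROUP, {}).get("role")) if r is not None]
    unknown = [r for r in roles if r not in ROLE_RANK]
    if unknown:
        raise ValueError(f"unsupported role value(s): {unknown}")
    return max(roles, key=ROLE_RANK.get, default="user")

def preflight(user, group=None):
    """Predict the outcome and flag requests Klaxoon would reject."""
    lic, role = effective_license(user, group), effective_role(user, group)
    problems = []
    if role in LICENSED_ROLES and lic == "FREE":
        problems.append(f"role {role!r} requires a license but the user resolves to FREE")
    return {"userName": user.get("userName"), "license": lic, "role": role,
            "problems": problems}

# Constructed sample resources (not real accounts).
GROUP_PRO = {"displayName": "designers", EXT_GROUP: {"license": True, "role": "team-admin"}}
ALICE = {"userName": "alice", EXT_USER: {"license": None, "role": None}}
BOB = {"userName": "bob", EXT_USER: {"license": False, "role": "company-admin"}}
```

Here `preflight(ALICE, GROUP_PRO)` resolves to a PRO team-admin with no problems, while `preflight(BOB, GROUP_PRO)` is flagged because the user-level `false` license prevails over the Group's `true`.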

Team management

The team is the organizational unit in Klaxoon. With SCIM you can handle different teams with different content and security rules to reflect your internal needs.

General team management

  • A default team must be set in Klaxoon during your SCIM configuration.
  • If you want to use different teams, all of them must be grouped within the same Company in Klaxoon.
  • Some teams might not be available for SCIM sync (e.g. teams not using SSO).

Mapping values

You can map a new or a pre-existing attribute to the Klaxoon team attribute. The values of your attribute must then be mapped to Klaxoon teams internally (ask our support team for this configuration).

  • A single value of the team attribute can correspond to only one team.
  • Multiple values of this attribute can be mapped to a single team if necessary.
  • Undeclared values result in the user going to the default team.

Moving users

  • A user can belong to only one team at a time.
  • A Pro user cannot be moved to a team with no license available.
  • Users SCIMed from the AUTO team do not need to give consent to join the SCIM team.
