Klaxoon SCIM rules

Rate limits on Klaxoon SCIM API

Klaxoon uses rate limiting on SCIM API in order to allow secured processing of the requests received and to protect the servers.

The average rate limit is 16 requests per second above which Klaxoon returns the standard 429 response (“too many requests”).

Supported features

Klaxoon supports the following provisioning features:

Create new users

When you assign your users to Klaxoon SCIM, if they already have a Klaxoon PRO license they receive an email asking for their consent to join your team. As long as they do not consent, the IdP request for these users will fail with a 409 error (conflict, “User confirmation pending”). Else they automatically become members of your synced Klaxoon team, their accounts being created if necessary.

Deactivate users

Deactivating/deleting synced users in your IdP or de-assignating them from the Klaxoon SCIM application will deactivate them in their Klaxoon team and free their licenses. Users can be reactivated by the corresponding reverse actions.

Manage your users licenses

Depending on your IdP there are different ways to manage your licenses and to set which users you want to have a “PRO” paying license or a “FREE”, limited one. Klaxoon will reject license attribution in case you do not have enough licenses available for your team.

Manage users roles

Optionally you can assign specific roles to users through Klaxoon SCIM such as team-admin or company-admin. Roles requiring a license cannot be assigned to users without a license.

Manage users teams

Optionally you can manage different Klaxoon teams to reflect your organization. If the team is not defined via SCIM, users are placed in the default team. Users can be moved between teams.

Keep users synchronized between your IdP and Klaxoon

Once synchronized with your IdP, your Klaxoon users will reflect the changes you do on user’s name, email or license. Once synced with SCIM, the users cannot change their name nor email themselves. We do not sync profile pictures to let users choose the one they like in Klaxoon, we do not sync passwords (mainly due to some IdP not offering that possibility) and we do not sync language as it is accurately detected upon connection to fit users preferences.

📘
Note
Permanent deletion of users and their content is not possible via/through SCIM API.

Supported attributes

Klaxoon User Attributes

Klaxoon Attributes	Type	Usage	Mandatory
`userName`	string	technical unique identifier	yes
`name.givenName`	string	first name	yes
`name.familyName`	string	last name	yes
`emails[{ value, type, primary}]`	object	user email Only one email is used: primary if set else the first one in table Must be unique for each user Used to create the Klaxoon email account.	yes (value)
`externalId`	string	IdP reference Must be unique for each user	yes
`active`	boolean	user active status	yes
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:User" { license }`	string	license value (see Licensing)	no (null by default)
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:User" { role }`	string	role value (see Role management)	no (null by default)
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:User" { team }`	string	team value (see Team management)	no (null by default)

Group Attributes

Klaxoon Attributes	Type	Usage	Mandatory
`displayName`	string	technical identifier	yes
`externalId`	string	dP reference Must be unique for each	yes
`members`	reference	list of references to users eg: "members" : [{"value": <id_user1>},{"value": <id_user2>},..]	no
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:Group" { license }`	string	license value (see Licensing)	no (null by default)
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:Group" { role }`	string	role value (see Role management)	no (null by default)
`"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:Group" { team }`	string	team value (see Team management)	no (null by default)

Licensing

The license attribute tells Klaxoon if users must use one of your PRO licenses to have full access to Klaxoon or if users should be FREE and have a limited profile.

It can be attached to a User or a Group object depending on your IdP capabilities and administration habits.

The following values are supported:

true : meaning the User or Group members should be considered PRO
false : meaning the User of Group members should be considered FREE
null : meaning the licensing is not managed

In case of a conflict between the Group and User license information, the User information prevails.
If the license attribute is null, the default rules apply to define the user's status as show in below table:

	User does not belong to a Group	User’s Group license attribute is null	User’s Group license attribute is false	User’s Group license attribute is true
User’s license attribute is null	FREE	FREE	FREE	PRO
User’s license attribute is false	FREE	FREE	FREE	FREE
User’s license attribute is true	PRO	PRO	PRO	PRO

Role management

The role represents the user's authorization level and associated permissions.

It can be null or one of three values:

user: the default role for a standard user, whether Pro or Free
team-admin: a team administrator
company-admin: a company administrator

If undefined, the default role is applied.

The roles “team-admin” and “company-admin” require a license to be assigned. A request to assign these roles to a Free user will be rejected by Klaxoon.

If a user with an admin role has their license revoked, they lose their role.

By default, if an admin is moved to another team, they lose their role (unless the role is enforced via SCIM).

If multiple roles are assigned via SCIM, the highest-level role is applied.

Team management

The team is the organizational unit in Klaxoon. With SCIM you can handle different teams with different content and security rules to reflect your internal needs.

General team management

A default team must be set in Klaxoon during your SCIM configuration.
If you want to use different teams, all of them must be grouped within the same Company in Klaxoon.
Some teams might not be available for SCIM sync (eg. teams not using a SSO).

Mapping values

You can map a new or a pre-existing attribute to the Klaxoon team attribute. The values of your attribute must then be mapped to Klaxoon teams internally (ask our support team for this configuration).

A single value of the team attribute can correspond to only one team.
Multiple values of this attribute can be mapped to a single team if necessary.
Undeclared values results in the user going to the default team.

Moving users

A user can belong to only one team at once.
A Pro user cannot be moved to a team with no license available.
Users SCIMed from the AUTO team do not need to give consent to join the SCIM team.

Rate limits on Klaxoon SCIM API

Supported features

Create new users

Deactivate users

Manage your users licenses

Manage users roles

Manage users teams

Keep users synchronized between your IdP and Klaxoon

📘Note

Supported attributes

Klaxoon User Attributes

Group Attributes

Licensing

Role management

Team management

General team management

Mapping values

Moving users

📘
Note