Klaxoon SCIM rules
Rate limits on Klaxoon SCIM API
Klaxoon uses rate limiting on SCIM API in order to allow secured processing of the requests received and to protect the servers.
The average rate limit is 16 requests per second above which Klaxoon returns the standard 429 response (“too many requests”).
Supported features
Klaxoon supports the following provisioning features:
Create new users
When you assign your users to Klaxoon SCIM, if they already have a Klaxoon PRO license they receive an email asking for their consent to join your team. As long as they do not consent, the IdP request for these users will fail with a 409 error (conflict, “User confirmation pending”). Else they automatically become members of your synced Klaxoon team, their accounts being created if necessary.
Deactivate users
Deactivating/deleting synced users in your IdP or de-assignating them from the Klaxoon SCIM application will deactivate them in their Klaxoon team and free their licenses. Users can be reactivated by the corresponding reverse actions.
Manage your users licenses
Depending on your IdP there are different ways to manage your licenses and to set which users you want to have a “PRO” paying license or a “FREE”, limited one. Klaxoon will reject license attribution in case you do not have enough licenses available for your team.
Keep users synchronized between your IdP and Klaxoon
Once synchronized with your IdP, your Klaxoon users will reflect the changes you do on user’s name, email or license. Once synced with SCIM, the users cannot change their name nor email themselves. We do not sync profile pictures to let users choose the one they like in Klaxoon, we do not sync passwords (mainly due to some IdP not offering that possibility) and we do not sync language as it is accurately detected upon connection to fit users preferences.
Note
Permanent deletion of users and their content is not possible via/through SCIM API.
Supported attributes
Klaxoon User Attributes
| Klaxoon Attributes | Type | Usage | Mandatory |
|---|---|---|---|
userName | string | technical unique identifier | yes |
name.givenName | string | first name | yes |
name.familyName | string | last name | yes |
emails[{ value, type, primary}] | object | user email Only one email is used: primary if set else the first one in table Must be unique for each user Used to create the Klaxoon email account. | yes (value) |
externalId | string | IdP reference Must be unique for each user | yes |
active | boolean | user active status | yes |
"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:User" { license } | string | license value (see Licensing) | no (null by default |
Group Attributes
| Klaxoon Attributes | Type | Usage | Mandatory |
|---|---|---|---|
displayName | string | technical identifier | yes |
externalId | string | dP reference Must be unique for each | yes |
members | reference | list of references to users eg: "members" : [{"value": <id_user1>},{"value": <id_user2>},..] | no |
"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:Group" { license } | string | license value (see Licensing) | no (null by default |
Licensing
The license attribute tells Klaxoon if users must use one of your PRO licenses to have full access to Klaxoon or if users should be FREE and have a limited profile.
It can be attached to a User or a Group object depending on your IdP capabilities and administration habits.
The following values are supported:
- true : meaning the User or Group members should be considered PRO
- false : meaning the User of Group members should be considered FREE
- null : meaning the licensing is not managed
In case of a conflict between the Group and User license information, the User information prevails (except if User is in a Group and both User and Group license values are null, then the user is considered PRO).
If the license attribute is null, the default rules apply to define the user's status as show in below table:
| User does not belong to a Group | User’s Group license attribute is null | User’s Group license attribute is false | User’s Group license attribute is true | |
|---|---|---|---|---|
| User’s license attribute is null | FREE | PRO | FREE | PRO |
| User’s license attribute is false | FREE | FREE | FREE | FREE |
| User’s license attribute is true | PRO | PRO | PRO | PRO |
Updated 5 months ago