Klaxoon SCIM rules
Rate limits on Klaxoon SCIM API
Klaxoon rate-limits the SCIM API so that incoming requests are processed securely and the servers are protected.
The average rate limit is 16 requests per second; above that, Klaxoon returns the standard 429 response (“too many requests”).
Supported features
Klaxoon supports the following provisioning features:
Create new users
When you assign your users to Klaxoon SCIM, those who already have a Klaxoon PRO license receive an email asking for their consent to join your team. Until they consent, the IdP request for these users fails with a 409 error (conflict, “User confirmation pending”). Otherwise they automatically become members of your synced Klaxoon team, and their accounts are created if necessary.
Deactivate users
Deactivating or deleting synced users in your IdP, or unassigning them from the Klaxoon SCIM application, deactivates them in their Klaxoon team and frees their licenses. Users can be reactivated by the corresponding reverse actions.
Manage your users' licenses
Depending on your IdP, there are different ways to manage your licenses and to set which users should have a paying “PRO” license or a limited “FREE” one. Klaxoon will reject license attribution if you do not have enough licenses available for your team.
Manage users' roles
Optionally, you can assign specific roles to users through Klaxoon SCIM, such as team-admin or company-admin. Roles requiring a license cannot be assigned to users without a license.
Manage users' teams
Optionally you can manage different Klaxoon teams to reflect your organization. If the team is not defined via SCIM, users are placed in the default team. Users can be moved between teams.
Keep users synchronized between your IdP and Klaxoon
Once synchronized with your IdP, your Klaxoon users reflect the changes you make to a user’s name, email or license. Once synced with SCIM, users cannot change their name or email themselves. We do not sync profile pictures, so that users can choose the one they like in Klaxoon. We do not sync passwords (mainly because some IdPs do not offer that possibility), and we do not sync language, as it is accurately detected upon connection to fit users' preferences.
Note
Permanent deletion of users and their content is not possible through the SCIM API.
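The two status codes described above (429 for rate limiting, 409 while a user's consent is pending) call for different handling in a custom provisioning script. The following added example, which is not Klaxoon's code, paces calls at 16 requests per second, backs off on 429 and sets 409 responses aside instead of retrying them; `Pacer`, `provision`, the `send` callback and the backoff delays are assumptions.

```python
import time

RATE_LIMIT = 16.0  # requests per second, the average limit stated on this page

class Pacer:
    """Spaces calls so that they never exceed `rate` per second."""
    def __init__(self, rate=RATE_LIMIT, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / rate
        self.clock, self.sleep = clock, sleep
        self.next_slot = clock()

    def wait(self):
        delay = self.next_slot - self.clock()
        if delay > 0:
            self.sleep(delay)
        self.next_slot = max(self.clock(), self.next_slot) + self.interval

def provision(requests, send, pacer, max_retries=4, base_delay=0.5):
    """Call send(req) -> HTTP status for each request and classify the outcome.

    base_delay and max_retries are assumed values, not Klaxoon guidance.
    """
    result = {"ok": [], "pending_consent": [], "failed": []}
    for req in requests:
        status = None
        for attempt in range(max_retries + 1):
            if attempt:  # previous try hit 429: exponential backoff before retrying
                pacer.sleep(base_delay * 2 ** (attempt - 1))
            pacer.wait()
            status = send(req)
            if status != 429:
                break
        if 200 <= status < 300:
            result["ok"].append(req)
        elif status == 409:
            # "User confirmation pending": retrying cannot succeed until consent
            result["pending_consent"].append(req)
        else:
            result["failed"].append(req)  # includes 429 after all retries
    return result

if __name__ == "__main__":
    # Constructed stand-in for the HTTP call: u2 awaits consent, u3 is throttled once.
    replies = {"u1": [201], "u2": [409], "u3": [429, 201]}
    print(provision(replies, lambda r: replies[r].pop(0), Pacer()))
```

Requests listed under `pending_consent` are worth reporting to an administrator rather than looping on, since each retry also consumes rate-limit budget.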
Supported attributes
Klaxoon User Attributes
Klaxoon Attributes | Type | Usage | Mandatory |
---|---|---|---|
| | string | technical unique identifier | yes |
| | string | first name | yes |
| | string | last name | yes |
| | object | user email; used to create the Klaxoon email account | yes (value) |
| | string | IdP reference | yes |
| | boolean | user active status | yes |
| | string | license value (see Licensing) | no (null by default) |
| | string | role value (see Role management) | no (null by default) |
| | string | team value (see Team management) | no (null by default) |
Group Attributes
Klaxoon Attributes | Type | Usage | Mandatory |
---|---|---|---|
| | string | technical identifier | yes |
| | string | IdP reference | yes |
| | reference | list of references to users | no |
| | string | license value (see Licensing) | no (null by default) |
| | string | role value (see Role management) | no (null by default) |
| | string | team value (see Team management) | no (null by default) |
Licensing
The license attribute tells Klaxoon if users must use one of your PRO licenses to have full access to Klaxoon or if users should be FREE and have a limited profile.
It can be attached to a User or a Group object depending on your IdP capabilities and administration habits.
The following values are supported:
- true : meaning the User or Group members should be considered PRO
- false : meaning the User or Group members should be considered FREE
- null : meaning the licensing is not managed
In case of a conflict between the Group and User license information, the User information prevails.
If the license attribute is null, the default rules apply to define the user's status, as shown in the table below:
| | User does not belong to a Group | User’s Group license attribute is null | User’s Group license attribute is false | User’s Group license attribute is true |
---|---|---|---|---|
User’s license attribute is null | FREE | FREE | FREE | PRO |
User’s license attribute is false | FREE | FREE | FREE | FREE |
User’s license attribute is true | PRO | PRO | PRO | PRO |
Role management
The role represents the user's authorization level and associated permissions.
It can be null or one of three values:
- user: the default role for a standard user, whether Pro or Free
- team-admin: a team administrator
- company-admin: a company administrator
If undefined, the default role is applied.
The roles “team-admin” and “company-admin” require a license to be assigned. A request to assign these roles to a Free user will be rejected by Klaxoon.
If a user with an admin role has their license revoked, they lose their role.
By default, if an admin is moved to another team, they lose their role (unless the role is enforced via SCIM).
If multiple roles are assigned via SCIM, the highest-level role is applied.
Team management
The team is the organizational unit in Klaxoon. With SCIM you can handle different teams with different content and security rules to reflect your internal needs.
General team management
- A default team must be set in Klaxoon during your SCIM configuration.
- If you want to use different teams, all of them must be grouped within the same Company in Klaxoon.
- Some teams might not be available for SCIM sync (e.g. teams not using SSO).
Mapping values
You can map a new or a pre-existing attribute to the Klaxoon team attribute. The values of your attribute must then be mapped to Klaxoon teams internally (ask our support team for this configuration).
- A single value of the team attribute can correspond to only one team.
- Multiple values of this attribute can be mapped to a single team if necessary.
- Undeclared values result in the user going to the default team.
Moving users
- A user can belong to only one team at a time.
- A Pro user cannot be moved to a team with no license available.
- Users SCIMed from the AUTO team do not need to give consent to join the SCIM team.
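The licensing table, the role rules and the team mapping rules above can be checked before a change is pushed from the IdP. This added example, which is not Klaxoon's code, predicts the resulting license, role and team for one user and flags an admin role that would be rejected for lack of a license; the function names, the record layout, the single-group model, combining User and Group roles by highest level, and the sample team mapping are assumptions.

```python
# Hypothetical helper names; only the rules themselves come from this page.
ROLE_RANK = {"user": 0, "team-admin": 1, "company-admin": 2}

def effective_license(user_license, group_license=None):
    """Inputs are True/False/None; the User value prevails over the Group value."""
    if user_license is not None:
        return "PRO" if user_license else "FREE"
    # User attribute is null: only a Group value of true yields PRO.
    return "PRO" if group_license else "FREE"

def effective_role(*roles):
    """Highest-level role wins; null or undefined falls back to the default role."""
    given = [r for r in roles if r is not None]
    for r in given:
        if r not in ROLE_RANK:
            raise ValueError(f"unsupported role: {r!r}")
    return max(given, key=ROLE_RANK.__getitem__, default="user")

def resolve_team(value, team_mapping, default_team):
    """Several values may map to one team; undeclared values go to the default team."""
    return team_mapping.get(value, default_team)

def preflight(user, group, team_mapping, default_team):
    """Predict the applied state and list reasons the request would be rejected."""
    group = group or {}
    license_ = effective_license(user.get("license"), group.get("license"))
    role = effective_role(user.get("role"), group.get("role"))
    errors = []
    if role != "user" and license_ != "PRO":
        errors.append(f"{role} requires a license, but the user resolves to FREE")
    return {"license": license_, "role": role,
            "team": resolve_team(user.get("team"), team_mapping, default_team),
            "errors": errors}

if __name__ == "__main__":
    # Constructed sample data: two IdP values mapped to the same team.
    mapping = {"FR-Sales": "sales", "DE-Sales": "sales", "R&D": "research"}
    alice = {"license": None, "role": "team-admin", "team": "DE-Sales"}
    print(preflight(alice, {"license": True}, mapping, "default"))
    print(preflight(alice, {"license": False}, mapping, "default"))
```

Running it over an export of IdP assignments gives a list of every account that would end up with `team-admin` or `company-admin`, which is a convenient point to review admin grants before they are synced.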