Klaxoon SCIM rules

Rate limits on Klaxoon SCIM API

Klaxoon uses rate limiting on SCIM API in order to allow secured processing of the requests received and to protect the servers.

The average rate limit is 16 requests per second above which Klaxoon returns the standard 429 response (“too many requests”).

Supported features

Klaxoon supports the following provisioning features:

Create new users

When you assign your users to Klaxoon SCIM, if they already have a Klaxoon PRO license they receive an email asking for their consent to join your team. As long as they do not consent, the IdP request for these users will fail with a 409 error (conflict, “User confirmation pending”). Else they automatically become members of your synced Klaxoon team, their accounts being created if necessary.

Deactivate users

Deactivating/deleting synced users in your IdP or de-assignating them from the Klaxoon SCIM application will deactivate them in their Klaxoon team and free their licenses. Users can be reactivated by the corresponding reverse actions.

Manage your users licenses

Depending on your IdP there are different ways to manage your licenses and to set which users you want to have a “PRO” paying license or a “FREE”, limited one. Klaxoon will reject license attribution in case you do not have enough licenses available for your team.

Keep users synchronized between your IdP and Klaxoon

Once synchronized with your IdP, your Klaxoon users will reflect the changes you do on user’s name, email or license. Once synced with SCIM, the users cannot change their name nor email themselves. We do not sync profile pictures to let users choose the one they like in Klaxoon, we do not sync passwords (mainly due to some IdP not offering that possibility) and we do not sync language as it is accurately detected upon connection to fit users preferences.



Permanent deletion of users and their content is not possible via/through SCIM API.

Supported attributes

Klaxoon User Attributes

Klaxoon AttributesTypeUsageMandatory
userNamestringtechnical unique identifieryes
name.givenNamestringfirst nameyes
name.familyNamestringlast nameyes
emails[{ value, type, primary}]objectuser email
Only one email is used: primary if set else the first one in table
Must be unique for each user

Used to create the Klaxoon email account.
yes (value)
externalIdstringIdP reference
Must be unique for each user
activebooleanuser active statusyes
"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:User" { license }stringlicense value (see Licensing)no (null by default

Group Attributes

Klaxoon AttributesTypeUsageMandatory
displayNamestringtechnical identifieryes
externalIdstringdP reference
Must be unique for each
membersreferencelist of references to users
eg: "members" : [{"value": <id_user1>},{"value": <id_user2>},..]
"urn:ietf:params:scim: schemas:extension:klaxoon:2.0:Group" { license }stringlicense value (see Licensing)no (null by default


The license attribute tells Klaxoon if users must use one of your PRO licenses to have full access to Klaxoon or if users should be FREE and have a limited profile.

It can be attached to a User or a Group object depending on your IdP capabilities and administration habits.

The following values are supported:

  • true : meaning the User or Group members should be considered PRO
  • false : meaning the User of Group members should be considered FREE
  • null : meaning the licensing is not managed

In case of a conflict between the Group and User license information, the User information prevails (except if User is in a Group and both User and Group license values are null, then the user is considered PRO).
If the license attribute is null, the default rules apply to define the user's status as show in below table:

User does not belong to a GroupUser’s Group license attribute is nullUser’s Group license attribute is falseUser’s Group license attribute is true
User’s license attribute is nullFREEPROFREEPRO
User’s license attribute is falseFREEFREEFREEFREE
User’s license attribute is truePROPROPROPRO

What’s Next