Kahoot!: How to set up and manage SCIM
Learn how to set up and manage SCIM for your organization to automate user provisioning, streamline access control, and enhance security with seamless data synchronization between your platform and identity providers.
🔗 If you are setting up SCIM with a specific identity provider, see our detailed configuration guides
How to set up SCIM
SCIM (System for Cross-domain Identity Management) gives your organization full control over user access by automating provisioning and deprovisioning. This eliminates manual work, boosts security, and ensures accurate user data across systems.
Once SSO is set up, you can configure SCIM by following these steps:
- Log in to your account as the Organization Owner and click on your profile icon in the top-right corner of the screen.
- Go to Configurations and open SSO and SCIM Management.
- Click Start setup to begin the process.
- In the Set up SCIM provisioning window, copy the Base URI and paste it into your SCIM configuration in your Identity Provider (IdP).
- Click Generate for SCIM token.
- Copy the SCIM token and send it to your IT team. They will use it to complete the setup in your Identity Provider.
- Go back to the SSO and SCIM Management section and click Turn on SCIM.
- In the confirmation window, select the checkbox to confirm you understand the changes, then click Turn on.
- You can always Turn off SCIM or Invalidate token.
This setup ensures a secure, automated approach to managing employee access and keeps your organization compliant and efficient.
SCIM User & Content Scenarios
Deleting User
Taking an already synced user out of scope for your SCIM provisioning will soft-delete the user in Kahoot!. Within 20 days Kahoot! will perform a hard-delete. If you provision the user again within this time period, the same user will be added to your Kahoot! workspace again.
After the hard delete, provisioning the same user from your IdP will result in a new user on your platform.
During the soft-delete period, the user will not be able to log in to Kahoot!.
Content when deleting user
Content created by a user will remain in your Kahoot! workspace both at soft and hard delete.
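The deletion rules above, modelled as an added example (not Kahoot! code) for checking what re-provisioning will do before a user re-enters IdP scope. The `Removal` record, `margin_days` and the sample dates are hypothetical, and the code assumes the hard delete has run once the 20 days are over, since the page does not state the exact moment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW = timedelta(days=20)  # soft-delete period stated on this page


@dataclass(frozen=True)
class Removal:
    email: str
    out_of_scope_on: date  # hypothetical field: day the IdP dropped the user from scope


def state_on(r: Removal, today: date, margin_days: int = 2) -> dict:
    """Account state on `today` and the effect of re-provisioning that day."""
    if today < r.out_of_scope_on:
        raise ValueError(f"{r.email}: date precedes removal from scope")
    days_left = (r.out_of_scope_on + WINDOW - today).days
    if days_left <= 0:
        # Assumption: the hard delete has run once the 20 days are over.
        return {"email": r.email, "state": "hard-deleted", "days_left": 0,
                "reprovision": "new user created", "content_kept": True}
    # Soft-deleted: login is blocked; re-provisioning restores the same user.
    # margin_days (hypothetical) flags restores that are close to the deadline.
    return {"email": r.email, "state": "soft-deleted", "days_left": days_left,
            "reprovision": "same user restored", "can_log_in": False,
            "at_risk": days_left <= margin_days, "content_kept": True}


def rehire_report(removals, rehire_emails, today):
    """For each address about to re-enter IdP scope, say what SCIM will produce."""
    by_email = {r.email.lower(): r for r in removals}
    report = []
    for email in rehire_emails:
        r = by_email.get(email.lower())
        if r is None:
            report.append({"email": email, "state": "never-removed-or-unknown",
                           "reprovision": "see provisioning scenarios"})
        else:
            report.append(state_on(r, today))
    return report


# Constructed sample data, not taken from any real tenant.
SAMPLE = [
    Removal("ana@example.com", date(2025, 3, 1)),
    Removal("ben@example.com", date(2025, 3, 12)),
    Removal("cy@example.com", date(2025, 2, 1)),
]
```

Addresses that were never removed from scope fall through to the provisioning scenarios described in the following sections.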
Provisioning a new Kahoot! user
Provisioning a user that does not already have a Kahoot! user will result in a new user being created and a welcome email being sent to the user. The user is automatically added to the organisation.
Provisioning an already existing free Kahoot! user
A user will receive an invitation to the organisation via email. Also, the user will be blocked on login and asked to either accept the invitation or change their email.
- If the user accepts the invitation, the user is taken over by SCIM, which means it’s managed by the organisation, and their account may be deleted by the organisation.
- If the user changes their email address, they can continue with their account as previously. The original email is taken over by SCIM, and a new account is set up and added to the organisation.
Provisioning an already existing Kahoot! user with a paid subscription that is not part of your workspace
The user will be blocked on login, and asked to change their email address. They cannot continue using their account until they do so. The paid account cannot be taken over by SCIM because it could be deleted by the organisation, and the paid subscription would be lost. Once the user changes their email address, the original email is taken over by SCIM, and a new account is set up and added to the organization.
Provisioning an existing Kahoot! user who is a member of other organisations
A user will be blocked on login and asked to change their email address. They cannot continue using their account until they do so. Once the user changes their email address, the original email is taken over by SCIM, and a new account is set up and added to the organization.
SCIM and multiple organisations
The limitation of SCIM is that it does not allow a user to be a member of multiple organisations. Since the user is managed by SCIM, and the account is owned by the SCIM-enabled organisation, the user may be deleted at any time, which would result in losing access to all organisations. Hence, the user may be a member only of the SCIM-managed organisation.
FAQ
1. Who can set up SCIM in our organization? Only users with the Organization Owner role have the necessary permissions to access and configure SCIM settings.
2. Is SCIM configuration mandatory if we already use SSO?
No, setting up SCIM is not mandatory. If your organization only requires Single Sign-On (SSO) for secure login, you can enable SSO without configuring SCIM. SCIM is useful for automating user provisioning and deprovisioning, but it's entirely optional. If your company’s infrastructure doesn’t support SCIM or you prefer to manage users manually, you can still maintain secure access with SSO alone.
- API access enabled for your organization
- Credentials from your Identity Provider (Client ID, Client Secret, Discovery URL or SAML Entity)
- Access to SSO and SCIM Management in your account settings.
4. What should I do if I can’t proceed with the setup?
If API access is not enabled, or you encounter an error, please contact your Account Manager for support.
5. What are the configuration requirements for OIDC, SAML, and SCIM?
- OIDC → Allowed claims: email profile
- SAML → Custom claims: firstName, lastName, email
6. What is a SCIM Token and when do I need it? The SCIM Token is a secure key used to link your SCIM integration with your identity provider. It’s required in some configurations and optional in others, depending on your IdP setup.
7. Where do I send the SCIM Token once it’s generated? Send the token to your IT department. They’ll use it to complete the configuration on your identity provider’s side.
8. Can I edit SCIM settings after the setup is complete? Yes. Go to SSO and SCIM Management, click the pencil icon, and edit your connection. Note: Editing will invalidate the current setup. Be sure to share updated credentials with your IT team.
9. What happens if I enter incorrect credentials during setup? The connection will fail. Double-check your Client ID, Client Secret, and Discovery URL or SAML details and correct any errors. You can go back and edit them anytime.
10. Can I delete the SCIM integration if needed? Yes. Click the trash bin icon in your SCIM settings and confirm deletion to remove the connection completely.