Configure SCIM Provisioning With Okta

 

This guide provides the steps required for existing Okta and Udemy Business customers to configure automatic provisioning, de-provisioning, profile updates, and group management of Udemy Business users and groups using System for Cross-domain Identity Management (SCIM 2.0).

If you've already configured SCIM provisioning, and want to use the new Udemy Business app, you'll need to migrate your existing integration to Bearer token authentication.

Notes:

  • If you already have SSO sign on enabled for Udemy Business in Okta, you don't need to reconfigure SSO.
  • If you had SSO set up from a manual configuration by one of our team, you should add our new Udemy Business app into your Okta account. You'll find this in Applications by searching for Udemy Business. Because this is a new version of our app in Okta, existing customers might be required to reconfigure Single Sign On (SSO) before enabling SCIM Provisioning. (step by step instructions below).
  • Users provisioned through Okta will not consume an active license until they log into the Udemy Business application for the first time.
  • SCIM-managed users and groups can only be changed in Okta.
  • When SCIM is enabled, Udemy uses the SCIM protocol for attribute mapping over SAML. Since groups is not a SCIM user attribute, groups will not pass via SAML if you previously mapped the attribute as part of a SAML only configuration.
  • SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification informing them of:
    • 30 days before the token expiry
    • After the token expiry

Table of Contents

SCIM provisioning features

The following SCIM provisioning features are supported:

  • Provision Users from Okta
    • Users assigned the Udemy Business app in Okta will be provisioned in Udemy Business.
    • Note: Users won't receive an automatically-generated invite email if they are SCIM provisioned from Okta.
  • Push Profile Updates
    • Updates made to the user's profile through Okta will be pushed to Udemy Business for users who are associated with Udemy Business in Okta.
  • Push User Deactivation
    • Deactivating the user or disabling the user's access to the application through Okta will deactivate the user on Udemy Business and remove them from all groups.
    • Note: Deactivated users will retain their learning data for reporting purposes or future reactivation.  To permanently delete a SCIM-managed deactivated user, you'l first need to break the SCIM connection for that user, which Udemy Business support can assist with.
  • Reactivate Users
    • You can reactivate users in Udemy Business by reassigning the app to that user through Okta.
    • Note: Reactivated users will receive an automatically-generated email from Udemy saying they’ve been reactivated.
  • Group Push
    • Groups and their memberships will be pushed to Udemy Business.
    • Note: Manage groups is limited to groups pushed originally from Okta as we don't send information of groups created on Udemy Business.
  • Import Users and Groups
    • If you switch to the new Udemy Business app in Okta, you can import users and groups from your existing integration into your new integration.

SCIM-managed users have a gray SCIM flag next to their name and email.  Users with the Status SCIM provisioned won't consume an active license until they login for the first time:

 

Before you begin

If you haven't enabled SSO for Okta, or if you had SSO set up from a manual configuration by our team, complete the Okta SSO configuration steps here first.

  • You can avoid any SSO downtime by hiding the Udemy Business tile in your Okta dashboard until the new SSO and SCIM configuration is complete.
  • Beside Application Visibility, click Do not display application icon to users.

Configuration Steps

1. In the Udemy Business app, select the General tab, and complete these fields:

  • Subdomain: Your Udemy Business domain name
  • Domain: udemy.com
  • Audience URI (SP Entity ID): PingConnect.

2.  On the Provisioning tab, click Configure API integration. 

configure_api_integration.png

3.  Select Enable API Integration and add the API token.

You can generate or view the API token in your Udemy Business account by navigating to Manage > Settings > Provisioning (SCIM) 

 

 4. Click Test API Credentials, and you should see a message indicating that you’ve successfully completed your SSO integration. If not, please send a message to the Udemy Business Support Team with the given error message.

5. Click Save and you’ll be redirected to the application Provisioning configuration page.

6. In Settings > To App, click Edit to enable individual features. 

To use all the capabilities, we recommend enabling Create Users, Update User Attributes, and Deactivate Users. Click Save.

provisioning_to_app_save.png

 

provisioning_to_app_edit.png

7. (Optional) Profile attributes: In your Okta account, go to Directory >  Profile Editor > Your application name. 

8. On the Profile Editor page, click Add Attribute

9. On the Add Attribute page, complete these fields with the following attributes: 

Attribute Name Data type Display name Variable name External name External Namespace eNUM 
licenseTypes
 string array License Types licenseTypes licenseTypes urn:ietf:params:scim:schemas:extension:udemy:2.0:User enabled 
licensePoolName
 string License Pool Name licensePoolName licensePoolName urn:ietf:params:scim:schemas:extension:udemy:2.0:User   
externalId
 string Udemy External ID UdemyExternalId externalId urn:ietf:params:scim:schemas:core:2.0:User   
employeeNumber
 string employeeNumber employeeNumber employeeNumber urn:ietf:params:scim:schemas:extension:enterprise:2.0:User   
title
 string title Udemytitle title urn:ietf:params:scim:schemas:core:2.0:User  

10. Click either Add Attribute or Save and Add Another.

After adding your attribute, you should see something like this added into the profile:

Assign users to a license pool

To assign a user to a license pool:

1. On the left-hand side of the Okta admin page, navigate to Application → Applications.

2. Select your application.

3. Go to the Assignments tab.

4. Click Assign, and then click either Assign to People or Assign to Groups.

5. Enter the attributes for that user or group.

User attributes:

Group attributes:

6. Click Save and Go Back.

You've now added users or groups with License Pool Name attributes, and the user(s) will be assigned to the particular license pool that you mentioned.

7. Navigate to the Assignments tab to assign Udemy Business to single users or entire groups. 

Assigned users will be automatically provisioned after being added, automatically modified when changes are made to their profiles, and automatically deactivated when they are removed from assignments.

8. Navigate to the Push Groups tab to send groups and their membership information to Udemy Business.

push_groups_to_ub.png

9. Click + Push Groups and select the groups you want to push to Udemy Business.

You'll be able to select each group, or you can create an automatic rule.

find_groups_ub.png

10. Select the group search criteria and fill the requested information for the groups you would like to send information to Udemy Business.

push_groups_by_name.png

11. After selecting the group, select Push group memberships immediately to send not only the group but the members within the group as soon as you select the group, then click Save.

12. Repeat these previous steps for groups selection for all groups you would like to send to Udemy Business.

Note: Udemy Business won't allow changes to SCIM-managed users or groups after setup.

 

Migrate an existing integration to bearer token to enable use of the new Udemy Business app in Okta

If you already have SCIM provisioning with Okta configured, and want to use the Udemy Business application in Okta, you’ll need to migrate to bearer token authentication first. Follow the steps below to migrate your integration.

Step 1: Generate a token in Udemy Business 

1. In your Udemy Business admin account, navigate to Manage > Settings > Provisioning (SCIM).

If you already have an Okta integration that is based on username/password, you’ll see those credentials on the dashboard.

2. Click Generate token, and you’ll see a modal to confirm that you want to generate a Bearer token for SCIM integration.

  • Once you confirm, your previous credentials will no longer be visible for Provisioning SCIM, but they will still remain valid for other existing integrations (for example, LMS, public APIs for learning activity, and so on). 

Results 

Once generated, a success message will appear, and the Bearer token will appear on the Provisioning SCIM page. You can click Copy to copy the Bearer token for Okta setup. 

After you refresh the page, the success message will disappear, and the dropdown option will change from Okta (Legacy) to Okta.

Step 2: Update the integration in Okta

To complete the migration, you need to update your integration in Okta. 

1. In your Okta admin account, navigate to Applications > Application > Browse App Catalog and search for Udemy Business.

2.  Add the integration and complete the details, including Subdomain, domain, and Audience URI (SP Entity ID)


 

3. On the Provisioning tab, click Enable API integration

4. When prompted to provide the API Token, paste the Bearer token you previously copied from Udemy Business.

5. Click Test API Credentials to test the connection. 

If the test is successful, you can safely click Save.

Test API credentials

6. In the Provisioning tab, navigate to Settings > To App and ensure that all types of provisioning are enabled: 

  • Create Users
  • Update User Attributes
  • Deactivate Users 

Note: After completing this step, all the changes done in this new Udemy Business application will affect your provisioning in Udemy Business.

Provisioning to App.png

 

Results

Your basic integration of the new Udemy Business application is now complete. 

Step 3: Manage your old Udemy Business application 

After creating your new integration, you must choose between these two options:

Option 1: Disable the old integration

  • Pro: There will be 1 source of truth, and you’ll be sure that any changes you make in the new integration will stay.
  • Con: Your users won’t be able to log in through SSO in Udemy Business.

Option 2: Keep the old integration as it is 

  • Pro: There won’t be any downtime for your users using Udemy Business.
  • Con: If someone makes changes to the old integration, the changes would overwrite the new integration. You’ll have to carefully manage the transition, and let other administrators know to not make changes to any users or groups in the old integration.

Step 4: Import Users into the new integration 

You have two options for importing users into the new integration: 

  • Auto import
  • Review and self import 

The time the import takes to complete will depend on the number of users in the application, and can range from a few seconds to several minutes. 

Option 1: Auto import users

To import users automatically: 

  1. Navigate to the Provisioning tab of the new Udemy Business application.
  2. On the left-hand side, select To Okta.
  3. Under the User Creation & Matching setting, you’ll see these options to automatically import and confirm the assignments for you:
    • Imported user is an exact match to Okta user if:
      • Select Email matches
    • Allow partial matches:
      • Select Partial match on first and last name
    • Confirm matched users:
      • Select Auto-confirm exact matches
      • Select Auto-confirm partial matches
    • Under Confirm new users:
      • Select Auto-confirm new users

User Creation and Matching

4. Click Save.

5. In the Udemy Business app, navigate to the Import tab.

6. Click Import Now.

Auto Import Groups

Option 2: Review and self import 

To self import users:

  1. On the Udemy Business app, navigate to the Import tab.
  2. Click Import Now.

Step 5: Import groups to the new integration

Note: You need to add all users to the new integration before you start adding groups.

To import groups to the new integration:

1. On the new Udemy Business app, navigate to the Push Groups tab. 

2. Click Refresh App Groups.

3. Select Push Groups > Find groups by name.

Push groups to Udemy Business

 4. On the left-hand side, click By name and use the Link Group option.

Link group

5. Click Save or Save & Add Another and repeat the same process for the rest of your groups.

Related articles

Contact Us