Once Single Sign-on (SSO) is set up, you can configure System for Cross-domain Identity Management (SCIM 2.0) provisioning in Azure Active Directory (AD) with Udemy Business. This will allow you to provision and deprovision users, create groups, manage group membership and change user profile details like name and email address in Azure AD, which automatically updates Udemy Business. You will no longer need to update Azure AD and Udemy Business separately for these actions, as everything is synced from Azure AD.
To enable SCIM Provisioning for your Udemy Business account, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).
Click Start Setup and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to put into Azure AD.
Please note:
- SSO must be enabled prior to activating SCIM
- Single sign-on and provisioning are available to Udemy Business Enterprise Plan customers.
- Users provisioned through Azure AD will not take up a license until they log into the Udemy Business application for the first time.
- SCIM provisioning changes can only be synced from Azure AD to Udemy Business, not the other way round.
- Users and Groups managed by SCIM in Azure AD cannot be changed within the Udemy Business app; SCIM is the single source of truth for user and group data.
- You can still create groups manually in Udemy Business if you have users that you don’t need or want to push from Azure AD, e.g. contractors or temporary staff.
Configure SCIM Provisioning with Azure AD
1. To enable SCIM Provisioning for Udemy Business, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).
2. Click Start Setup, choose your Identity Provider and follow the instructions to generate the Secret Token (Bearer token) which you then need to input into Azure AD.
3. Next, access your Azure AD account and go to your Udemy Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Azure AD for further guidance.
Go to the Provisioning tab in your Azure portal.
(Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM; you should locate the app that was named by your team when configuring within your own instance)
4. Choose Automatic as the Provisioning Mode.
5. In the Admin Credentials section:
Tenant URL is: https://yourdomain.udemy.com/scim/v2 (yourdomain is the URL for your Udemy Business account)
Secret Token: This is a ‘Bearer’ token that you can generate or view inside your Udemy Business account (go to Manage > Settings > User Access to get the Secret Token).
6. Click Test Connection to check that it’s working correctly.
Optional: You can enter an email address if you wish to receive alerts from Azure about errors.
7. In Mappings:
Check the attribute mapping:
Confirm that userName, active, emails[type eq "work"].value and externalId are added in the customappsso Attribute as these fields are required for SCIM provisioning to function within Udemy.
Confirm that the user's email is mapped to emails[type eq "work"].value
Confirm the attribute Switch([IsSoftDeleted], , "False", "True", "True", "False") is mapped to active, which allows the deactivation of users to be passed over.
8. Scroll down to the bottom of the User Attributes Mapping and enable Show advanced options.
Select Edit attribute list for customappsso and enable Exact case for both id and userName.
9. Go back to the main provisioning setting screen:
10. Choose the Scope of how you want to sync your users and groups.
You can sync only users and groups who are assigned the Udemy Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.
In order to provision more users and groups with Udemy Business access:
11. Click Users and groups
12. Click on Add User (which will give you the option to add both Users and Groups)
Select all users or the groups you want to add to the application and click Select.
Troubleshooting
In relation to Mappings:
If you experience this error when provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}
You should change the mapping of the User.
emails[type eq "work"].value needs to be mapped to userPrincipalName, provided that userPrincipalName is where the email is.
If you go to the user profile, you should be able to see which field contains the email there.
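The required-attribute check from step 7 and the error shown above can be reproduced offline before changing a mapping. The following is an added example, not Udemy's or Microsoft's code: it checks a SCIM User payload for the four attributes the article lists as required and extracts the rejected field names from a SCIM 2.0 error body. The function names and the sample user are constructed for illustration.

```python
import ast
import json

# Attributes the article lists as required for Udemy Business SCIM provisioning.
REQUIRED = ("userName", "active", "externalId", 'emails[type eq "work"].value')


def work_email(user):
    """Return the value of the emails entry whose type is "work", or None."""
    for entry in user.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None


def missing_required(user):
    """List required attributes that are absent or empty in a SCIM User payload."""
    missing = []
    for name in REQUIRED:
        if name.startswith("emails["):
            present = work_email(user) is not None
        else:
            # active may legitimately be False, so test presence, not truthiness
            present = user.get(name) not in (None, "")
        if not present:
            missing.append(name)
    return missing


def rejected_fields(error_body):
    """Extract field names from a SCIM 2.0 Error response like the one above."""
    err = json.loads(error_body)
    if "urn:ietf:params:scim:api:messages:2.0:Error" not in err.get("schemas", []):
        raise ValueError("not a SCIM error response")
    try:
        detail = ast.literal_eval(err.get("detail", ""))
    except (ValueError, SyntaxError):
        return []  # detail is free text, not a field map
    return sorted(detail) if isinstance(detail, dict) else []


# Constructed sample: a user whose email mapping produced no "work" entry.
SAMPLE_USER = {"userName": "jdoe@example.com", "active": True,
               "externalId": "constructed-id-001", "emails": []}
# Error body quoted in the Troubleshooting section.
SAMPLE_ERROR = ('{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
                '"status":400,"detail":"{\'emails\': [\'This field is required.\']}"}')

if __name__ == "__main__":
    print("missing:", missing_required(SAMPLE_USER))
    print("rejected:", rejected_fields(SAMPLE_ERROR))
```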