Configure SCIM Provisioning With Udemy’s SCIM API

Overview

System for Cross-Domain Identity Management (SCIM) is a standard API for automating user and group provisioning/deprovisioning, and updating user and group data from the customer’s Identity Provider (IdP) into the Udemy Business account.  SCIM is supported by a number of Identity Providers such as Okta, Azure AD, and OneLogin.  You can also utilize the Udemy Business SCIM API for other IdPs or home-grown tools.

If your organization uses one of the following IdPs, please instead refer to our guides below for configuring SCIM:

SCIM uses a standardized REST API with data formatted in JSON. Udemy Business supports version 2.0 of the SCIM standard. The API is available for all customers that are on the Enterprise plan.

Udemy Business SCIM API supports the following features: 

  • Provisioning users
  • Deprovisioning users (deactivation)
  • Changing email addresses
  • Changing user details
  • Provisioning groups
  • Adding/removing users to groups

SCIM protocol description

SCIM Protocol is an application-level REST protocol for provisioning and managing identity data on the web. The protocol is client-server where the client is the Identity Provider (IdP) and the server is Udemy Business.

The basic flow is:

  • When access to Udemy Business is granted to the user in the IDP by the customer, the IdP sends us a request to check if the specific user exists in our database. They issue a User search request by an attribute like userName or email.
  • If the user does not exist, the IdP sends a request to create a user.
  • If the user exists, the IdP sends an update request for the user.
  • When access to Udemy Business is revoked, the IdP sends us a request to deactivate the user from our database.
  • IdP can also send requests to change user details.

How to access the API?

In order to obtain the authorization credentials to connect to the SCIM API, you will have to set up SCIM integration via Manage -> Settings -> Provisioning (SCIM) page in your Udemy Business account. Note that only Admins have access to this page. 

Click Start Setup.

provisioning_scim.png

In the next step, select Choose provider, then Custom.

select_provider.png

Click Generate token.

generate_token.png

On this screen, click Copy to copy the Bearer token to the clipboard.

copy_bearer_token.png

 

You will need to include Authorization HTTP header with the Bearer token in your requests, for example:

GET /scim/v2/Users HTTP/1.1
Host: myorganization.udemy.com
Accept: application/scim+json
Authorization: Bearer <enter you Bearer token here>
Content-Type: application/scim+json

Udemy Business SCIM API uses the HTTP protocol and is only available over a secure HTTPS connection.

The base URL for the API is: https://<yoursubdomain>.udemy.com/scim/v2/.

If you are developing an application to interact with the Udemy Business SCIM API, it is recommended to refer to the SCIM RFCs included at the end of this document. Udemy Business SCIM API implementation is compliant with the standard.

Rate limiting

Udemy Business applies rate limiting to the SCIM API in accordance with the standard HTTP rate limiting protocol. If your request is ratelimited, you will receive an HTTP 429 response and you’re supposed to wait and retry according to what is specified in the Retry-After header.

SCIM API endpoints

Informational Endpoints

These endpoints are informational and serve to configure the clients. They do not require authentication, so you don’t need to include the Authorization header when accessing these endpoints.

GET /ServiceProviderConfig

Returns details about Udemy Business SCIM implementation including which methods are supported.

GET /Schemas

Returns information about the schemas that our SCIM implementation supports. Supported schemas are Users and Groups.

GET /Schemas/Users

Returns all attributes that we support for User resources.

GET /Schemas/Groups

Returns all attributes that we support for Group resources.

User endpoints

Using these endpoints you can list users, filter by attributes, add new users, update  users’ information, or deactivate/anonymize users. 

If the SCIM API does not return all users please contact Udemy Business Support.

Supported attributes

 

SCIM attribute Required? Description 
emails[type=”work”]]['value’]
 Yes Email of the user. Must be unique 
userName
 Yes The userName from the IdP. Must be unique. 
active
 Yes Flag to deactivate/reactivate users 
externalId
 Yes The externalId of the user from IdP. Must be unique. 
urn:ietf:params:scim:schemas:extension:
enterprise:2.0:User:employeeNumber
 Yes Returns employeeNumber field from EnterpriseSchema and store it as external_id field 
name.givenName
 No Given name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. 
name.familyName
 No Family name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. 
name, { givenName, familyName }
 No Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. 
title
 No User’s job title, i.e. “Senior Engineer” 
groups
 No SCIM group(s) that the user belongs to


Note: If you specify any other attribute that is not on this list, it will be ignored.

GET /Users

Returns a paginated list of users, 12 users per page by default. You can pass in

count

and

startIndex

parameters to paginate through the result set. For example:

GET /scim/v2/Users?startIndex=1&count=100 HTTP/1.1

 Host: myorganization.udemy.com

 Accept: application/scim+json

 Authorization: Bearer <enter you Bearer token here>
startIndex
  • is the 1-based index of the first result in the current set of list results (offset) 
  • count
    is the number of resources returned in a list response page (limit). You can retrieve no more than 1000 users in a single request. If this item is omitted it will default to 12.

Example request

GET https://demo.udemy.com/scim/v2/Users 
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 18,
"startIndex": 1,
"Resources": [
{
"id": "KwLzN3",
"externalId": "00u3mlhj4x1E482sK5d7",
"userName": "firstName.lastName@domain.com",
"name": {
"givenName": "firstName",
"familyName": "lastName",
"formatted": "firstName lastName"
},
"emails": [
{
"value": "firstName.lastName@domain.com",
"type": "work",
"primary": true
}
],
"title": "",
"active": true,
"groups": [
{
"value": "NZOaw",
"display": "Group Test",
"$ref": "https://demo.udemy.com/scim/v2/Groups/NZOaw"
},
{
"value": "dn1K8",
"display": "NewGroup2",
"$ref": "https://demo.udemy.com/scim/v2/Groups/dn1K8"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"meta": {
"resourceType": "User",
"location": "https://demo.udemy.com/scim/v2/Users/KwLzN3",
"created": "2022-01-19T01:11:59Z",
"lastModified": "2024-11-22T21:58:48Z"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "64e63"
}
},
[...]
],
"itemsPerPage": 12
}

 

GET /Users?filter=

This endpoint is used to filter users by specific attributes. For example, it is possible to search by userName attribute:

GET /Users?filter=userName eq "example..name

Note: In the example above, you will need to URL encode the URL parameters so the URL becomes:

GET /Users?filter=userName%20eq%20%22example.name%22

This will return a list of user resources. If there are no results, an empty list will be returned.

GET Users?filter=groups.value eq "{SCIM_Group_ID}"

This will return all users who belong to this SCIM Group

The supported filters are:

userName
externalID
emails[type eq=”work”]
groups

The supported operators are:

and
eq

Response:

  • HTTP status code 200 with the list of entities on success
  • HTTP status code 501 if an unsupported filter is supplied
POST /Users

This endpoint is used to create (provision) new users in Udemy Business. 

The response will contain an

id

attribute which should be used when referring to this user in all subsequent requests.

Note that:

  • New users created this way will not take up a license until they sign in for the first time.
  • If there was an existing pending invitation for this user, it will get used at this point.
    The user will get added to groups, be assigned appropriate role/course assignments according to what is specified in the invitation.
  • An attempt to create a user that already exists in Udemy Business will cause the user to become SCIM managed (displayed with a small link icon on the Manage Users page). Note that the user's status and license usage will not be changed. If the user was active,  they will remain active and if the user was deactivated they will remain deactivated.

Example request

 

POST https://demo.udemy.com/scim/v2/Users 
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "demo.user@test.com"
}
],
"externalId" : "externalIdValue",
"meta": {
"resourceType": "User"
},
"userName": "DemoTest",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "externalIdValue"
},
"name": {
"familyName": "Test",
"formatted": "formatted",
"givenName": "Demo"
}
}

Example response

{
"id": "MPD698",
"name": {
"givenName": "Demo",
"familyName": "Test",
"formatted": "Demo Test"
},
"emails": [
{
"value": "demo.user@test.com",
"type": "work",
"primary": true
}
],
"title": "",
"active": true,
"groups": [],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"meta": {
"resourceType": "User",
"location": "https://demo.udemy.com/scim/v2/Users/MPD698",
"created": "2024-12-27T22:00:25Z",
"lastModified": "2024-12-27T22:00:26Z"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "externalIdValue"
},
"userName": "DemoTest",
"externalId": "externalIdValue"
}

 

Response:

  • HTTP status code 201 and the user’s resource on success
  • HTTP status code 409 if the member with the same userName already exists in the Organization
  • HTTP status code 400 with the error details in the response body if the request did not pass validation
GET /Users/<id>

This endpoint is used to retrieve user details for a specified user.

id

parameter in the request above is a unique identifier that was returned when the user was created using SCIM or when listing all existing users.

Response:

  • HTTP status code 200 with the user resource on success
  • HTTP status code 404 if the user has not been found
PUT /Users/<id>

This endpoint is used to replace (overwrite) user details in Udemy Business. If specified, attribute active can be used to deactivate or reactivate the user.

Example request:

PUT https://demo.udemy.com/scim/v2/Users/MPD698
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"id": "MPD698",
"userName": "demo.user@test.com",
"externalId": "NewExternalID",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "NewExternalID"
},
"name": {
"givenName": "demo",
"familyName": "user"
},
"emails": [
{
"value": "demo.user@test.com",
"type": "work",
"primary": true
}
],
"active": true
}

Example response

{
"id": "MPD698",
"name": {
"givenName": "demo",
"familyName": "user",
"formatted": "demo user"
},
"emails": [
{
"value": "demo.user@test.com",
"type": "work",
"primary": true
}
],
"title": "",
"active": true,
"groups": [],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"meta": {
"resourceType": "User",
"location": "https://demo.udemy.com/scim/v2/Users/MPD698",
"created": "2024-12-27T22:00:25Z",
"lastModified": "2024-12-27T22:17:52Z"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "NewExternalID"
},
"userName": "demo.user@test.com",
"externalId": "NewExternalID"
}

 

Response:

  • HTTP status code 200 and the updated user resource
  • HTTP status code 404 if the user doesn’t exist. 
  • HTTP status code 400 in case of an attempt to deactivate an organization owner.
PATCH /Users/<id>

This endpoint is used to make partial updates to the user details in our system, meaning that you can use it to change only some attributes of the user. This is in contrast to PUT which replaces the entire user. 

It can contain the attribute active which will cause the user to be deactivated or reactivated.

  • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
  • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
  • The “path” attribute can be empty, in this case “value” should be a dictionary in the format of {“path”: “value”}.

Example request

PATCH https://demo.udemy.com/scim/v2/Users/MPD698 
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [ 
{
"op": "replace",
"path": "userName",
"value": "DemoUserName"
}
]
}

Example response

{
"id": "MPD698",
"name": {
"givenName": "demo",
"familyName": "user",
"formatted": "demo user"
},
"emails": [
{
"value": "demo.user@test.com",
"type": "work",
"primary": true
}
],
"title": "",
"active": true,
"groups": [
{
"value": "5ypNz",
"display": "NewGroup",
"$ref": "https://demo.udemy.com/scim/v2/Groups/5ypNz"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"meta": {
"resourceType": "User",
"location": "https://demo.udemy.com/scim/v2/Users/MPD698",
"created": "2024-12-27T22:00:25Z",
"lastModified": "2024-12-27T22:17:52Z"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "NewExternalID"
},
"userName": "DemoUserName",
"externalId": "NewExternalID"
}

Response:

  • HTTP status code 200 with the updated user’s resource on success
  • HTTP status code 404 if the user was not found
  • HTTP status code 400 if attempting to deactivate an organization owner or in case of an invalid operation.

Group endpoints

Supported attributes

SCIM attribute

Required?

Description

 
displayName

Yes

Group title. Must be unique among all Udemy Business groups.

 
externalId

No

The externalId of the group from the Identity Provider

Note: If you specify any other attribute that is not on this list, it will be ignored.

GET /Groups

This endpoint is used to get a paginated list of all provisioned groups. Include startIndex and count query string parameters to paginate through the results. 

Bear in mind that only groups created using SCIM will be returned. Groups created from Udemy Business will not be returned.

Example request

GET https://demo.udemy.com/scim/v2/scim/v2/Groups
 "schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 6,
"startIndex": 1,
"Resources": [
{
"id": "NZOaw",
"displayName": "Group Test",
"members": [
{
"value": "KwLzN3",
"display": "firstName lastName",
"type": "User",
"$ref": "https://demo.udemy.com/scim/v2/Users/KwLzN3"
},
{
"value": "eBmzpr",
"display": "user four",
"type": "User",
"$ref": "https://demo.udemy.com/scim/v2/Users/eBmzpr"
}
],
"externalId": null,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"meta": {
"resourceType": "Group",
"location": "https://demo.udemy.com/scim/v2/Groups/NZOaw",
"created": "2024-08-23T22:26:48Z",
"lastModified": "2024-08-23T22:26:48Z"
}
},
[...]
],
"itemsPerPage": 12
}
GET /Groups?filter=

This endpoint is used to filter groups by specific attributes. For example, it is possible to search by displayName attribute:

GET /Groups?filter=displayName eq "Marketing”

This will return a list of group resources. If there are no results, an empty list will be returned.

Note that you will need to url encode the parameters, so the request becomes:

GET /Groups?filter=displayName%20eq%20%22Marketing%22

The supported filters are:

displayName
externalId
Id
member.value

The supported operators are:

and
eq

Response:

  • HTTP status code 200 with the list of entities on success
  • HTTP status code 501 if the non-supported filter is used
POST /Groups

This endpoint is used to create (provision) new groups in Udemy Business. 

Response:

  • HTTP status code 409 If the provisioned group with the same name already exists in the org, we return 409 (Conflict) with a scimType error code of uniqueness.
  • When the group has been created successfully, we return the full representation of the group with HTTP status code 201 (Created) together with the Location header that contains the URL of the create group resource.
GET /Groups/<id>

This endpoint is used to fetch the group details from Udemy Business. 

Response:

  • HTTP status code 200 and a group resource
  • HTTP status code 404 if the group has not been found
POST /Groups

This endpoint is used to create (provision) new groups in Udemy Business.

Warning: When using the POST or PUT /scim/v2/Groups endpoint to create groups, do not include the members attribute in the request. Any members specified will be ignored. To add users to a group, first create the group, then make separate calls to the PATCH /scim/v2/Groups/ 

Example request 

https://demo.udemy.com/scim/v2/Groups 
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"displayName": "Group1",
"externalId": "234523"
}

Example response

{
"id": "vREOw",
"displayName": "Group1",
"members": [],
"externalId": "234523",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"meta": {
"resourceType": "Group",
"location": "https://demo.udemy.com/scim/v2/Groups/vREOw",
"created": "2025-01-15T22:24:54Z",
"lastModified": "2025-01-15T22:24:54Z"
}
}
PUT /Groups/<id>

This endpoint is used to replace the group details in Udemy Business.

Warning: When using the POST or PUT /scim/v2/Groups endpoint to create groups, do not include the members attribute in the request. Any members specified will be ignored. To add users to a group, first create the group, then make separate calls to the PATCH /scim/v2/Groups/ 

Example request

PUT https://demo.udemy.com/scim/v2/Groups/vREOw 
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"displayName": "Group1",
"externalId": "MPD699"
}

Example response

{
"id": "vREOw",
"displayName": "Group1",
"members": [],
"externalId": "MPD699",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"meta": {
"resourceType": "Group",
"location": "https://demo.udemy.com/scim/v2/Groups/vREOw",
"created": "2025-01-08T21:12:53Z",
"lastModified": "2025-01-15T22:35:55Z"
}
}

Response:

  • HTTP status code 200 and the updated group resource 
  • HTTP status code 404 if the group doesn’t exist. 
  •  
PATCH /Groups/<id>

This endpoint is used to make partial updates to group details in Udemy Business. 

The PATCH endpoint is more tricky than others, as it supports different kinds of operations (and their combinations are possible):

Example request

PATCH https://demo.udemy.com/scim/v2/Groups/5ypNz 
{ "schemas": 
["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[
{
"op":"add",
"path": "members",
"value":[{
"display": "demo user",
"$ref":"https://demo.udemy.com/scim/v2/Users/MPD698",
"value": "MPD698"
}
] 
} 
]
}

Example response

204 No Content
  • replace operation changes the specified value. In our case it’s either group name or members.
  • remove operation removes a member from the group.
  • add operation adds members to the group.

The rules are the following:

  • We never remove unprovisioned members from the group (in case of `replace` members operation, for example).
  • PATCH request, regardless of the number of operations, SHALL be treated as atomic.

The input validations are the following:

  • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
  • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
  • The “path” attribute can be empty, in this case “value” should be a dictionary in the format of {“path”: “value”}.
  • For “Remove” operation the “members” path is required.
  • For the “Add” operation either “members” or “externalId” “path” should be present.
  • For “Replace” operation “members” path may be present. If it’s not there it means that we are replacing the group details (like group name) but not members.

Note:

  • Assigning/unassigning users to a group happens asynchronously, so the changes won’t be reflected immediately in Udemy Business.
  • We do not support nested groups, so they will be ignored during this request.

Response:

  • HTTP status code 204 if the operation was successful.
  • HTTP status code 404 if the group does not exist.
  • HTTP status code 404 with the error details if there is an attempt to assign a group to a user that’s not a member of the organization.
  • HTTP status code 400 with the error details in the response body if the request did not pass the validation
DELETE /Groups/<id>

This endpoint is used to remove or deprovision a group in Udemy Business. 

The rules are the following:

  • If the group contains non-provisioned members, remove provisioned users from the group, delete `OrganizationSCIMGroup` record.

Response:

  • HTTP status code 204 if the operation was successful.
  • HTTP status code 404 if the group does not exist.

Further Reading

Related articles

Contact Us