• Configure SCIM Provisioning With Azure Active Directory (AD)

    Once Single Sign-on (SSO) is set up you can configure System for Cross-domain Identity Management (SCIM 2.0) provisioning in Azure Active Directory (AD) with Udemy Business. This will allow you to provision, deprovision, create groups, manage group membership and change user profile details like name and email address in Azure AD, which automatically updates Udemy Business. You will no longer need to update both Azure AD and Udemy Business separately with these actions as it will all be synced from Azure AD.

    To enable SCIM Provisioning for your Udemy Business account, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).

    Click Start Setup and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to put into Azure AD.

    Notes:

    • Single sign-on and provisioning are available to Udemy Business Enterprise Plan customers.
    • Users provisioned through Azure AD will not take up a license until they log into the Udemy Business application for the first time. 
    • SCIM provisioning changes can only be synced from Azure AD to Udemy Business, not the other way round. 
    • Users and Groups managed by SCIM in Azure AD cannot be changed within the Udemy Business app - SCIM is the single source of truth for user and group data.
    • You can still create groups manually in Udemy Business if you have users that you don’t need or want to push from Azure AD, e.g. contractors or temporary staff.

    Configure SCIM Provisioning with Azure AD

    1. To enable SCIM Provisioning for Udemy Business, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).

    2. Click Start Setup, choose your Identity Provider and follow the instructions to generate the Secret Token (Bearer token) which you then need to input into Azure AD.


    3. Next, access your Azure AD account and go to your Udemy Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Azure AD for further guidance.

    Go to the Provisioning tab in your Azure portal.   

    (Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM; you should locate the app that was named by your team when configuring within your own instance) 


    4. Choose Automatic as the Provisioning Mode.


    5. In the Admin Credentials section:

    Tenant URL is: https://yourdomain.udemy.com/scim/v2 (yourdomain is the url for your Udemy Business account)

    Secret Token: This is a ‘Bearer’ token that you can generate or view inside your Udemy Business account. (go to Manage > Settings > User Access to get the Secret Token)

    6. Click Test Connection to check that it’s working correctly.  

    Optional: You can enter an email address if you wish to receive alerts from Azure about errors.


    7. In Mappings

    Check the attribute mapping so that user's email is mapped to emails[type eq "work"].value 


    8. In Settings

    Toggle the Provisioning Status button to On.


    9. Choose the Scope of how you want to sync your users and groups.


    You can sync only users and groups who are assigned the Udemy Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.


    In order to provision more users and groups with Udemy Business access:

    10. Click Users and groups


    11. Click on Add User (which will give you the option to add both Users and Groups)

    Select all users or the groups you want to add to the application and click Select.


    Troubleshooting

    In relation to Mappings:


    If you experience this error when provisioning:

    {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}

    You should change the mapping of the User.


    emails[type eq "work"].value needs to be mapped to userPrincipalName, that is, if userPrincipalName is where the email is.

    If you go to the user profile, you should be able to see which field contains the email there.

  • Configure SCIM Provisioning With OneLogin

    Once Single Sign-on (SSO) is set up you can then configure System for Cross-domain Identity Management (SCIM) provisioning in OneLogin with Udemy Business. This will allow you to provision, deprovision, create groups, manage group membership and change user profile details like name and email address in OneLogin, which automatically updates Udemy Business. You will no longer need to update both OneLogin and Udemy Business separately with these actions as it will all be synced from OneLogin.

    This article outlines how you can configure SCIM provisioning with OneLogin. 

    How to enable SCIM Provisioning

    To enable SCIM Provisioning for your Udemy Business account, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).

    Click Start Setup and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to save in OneLogin.


    Next, access your OneLogin account and go to your Udemy Business SSO app and follow the steps below to get set up. 

    Additional information regarding how to provision users is also available in OneLogin's support center.

    1. In the admin panel click on the applications tab:


    2. Navigate to the “Configuration” tab. Inside the “Configuration” tab, input the SCIM bearer token from your Udemy Business account that was generated above, and set to “Enabled”:


    3. Next, navigate to the “Provisioning” tab, and check the “Enable provisioning” box:


    Creating a rule to sync a user’s group with Udemy Business

    OneLogin uses the concept of “rules” in order to sync a user with a particular group in your Udemy Business account. There are many ways to create rules based on your different requirements for syncing groups. The following is one specific example of how to create a rule to sync a user with a group called “Engineers”.

    1. Navigate to the “Rules” tab and select “Add Rule”:


    2. Prerequisite: Before moving to the next step, please contact our Support Team and request that they enable the feature flag that will allow SCIM groups to be pulled from Udemy Business. With this feature enabled you can pull the existing groups from Udemy Business and access them in OneLogin.

    3. The “Edit Mapping” screen is where you configure the logic for your rule. In this example, we create a rule where the logic is “If the Group of the user is Engineering Group then the action is set the user’s group in Udemy Business to Engineers”. In order to pull groups “From Existing” in Udemy Business, you will need to refresh entitlements.


    4. Navigate to the “Parameters” tab:


    5. Click on the “Groups” field:


    6. Check the “Include in User Provisioning” box and save:


    7. Next, add a user in OneLogin and set that user’s group to “Engineering Group”:


    8. Once the user is added to the Udemy Business application and synced, based on the rule, this user will be added to the “Engineers” group in your Udemy Business account:

  • How to Automate User and Group Management With SCIM

    Udemy Business supports user and group access and identity management with the System for Cross-domain Identity Management (SCIM) standard. SCIM is used by Single Sign-On (SSO) services and Identity Providers to manage people across a variety of apps and tools, including Udemy Business.

    What you can do with SCIM:

    • Grant access to users and groups (provisioning).
    • Deactivate users and groups (deprovisioning). 
    • Change user details: name, email address. 
    • Create, remove or edit groups.
    • Manage group membership (users changing groups).

    What you cannot do with SCIM:

    • Delete user Personally Identifiable Information (PII) via SCIM on any Identity Provider.
    • Sync data from Udemy Business back to the Identity Provider.
    • Manage roles (assign group admins, admins).

    Once you take any of the above supported actions, the data or change will automatically update in Udemy Business.

    Key points about SCIM Integration for your Udemy Business Account

    • Your SCIM integration setup will vary depending on the identity provider you use. 
    • Udemy Business supports SCIM Provisioning for the key identity providers and SSO services that offer access and identity management.
    • SCIM Provisioning is available to Enterprise Plan customers using Single Sign-on (SSO).
    • Users provisioned through SCIM in your SSO service will not take up a license until they join Udemy Business by signing in for the first time. When users are provisioned through SCIM, but have not signed in for the first time, they will display in the All users page with a No License status. 


    How to enable SCIM provisioning

    To enable SCIM provisioning for your Udemy Business account, go to Manage > Settings > Provisioning (SCIM) in your Udemy Business account.

    Scroll to the SCIM Integration section. Next, follow the instructions to enable SCIM, choose your Identity Provider from the dropdown and generate the credentials (Username and Password or Secret/Bearer token), which you then need to input into your Identity Provider as part of the configuration.


    Depending on which Identity Provider you use, follow the instructions in the appropriate guide below to complete the SCIM set up.

    Okta Configuration Guide 

    Azure AD Configuration Guide 

    OneLogin Configuration Guide

    For other IdPs, or your own tools, please refer to the Udemy SCIM API Configuration Guide.

    How to disable SCIM provisioning

    To disable SCIM provisioning for your Udemy Business account (if you’re changing providers or no longer require SCIM) access Manage > Settings > Provisioning (SCIM).

    Scroll to the SCIM Integration section and click on the Disable Integration link and follow the instructions to disable SCIM. This will disable the integration from the Udemy Business side, but your IT team will need to disable the integration from the Identity Provider side also. 

    You can continue to use Udemy Business as usual, but you will need to manually update user and group information within the platform from now on.


    Deleting PII for SCIM managed learners

    If you wish to disconnect a learner from being managed by your IdP with SCIM, you can do so by first deprovisioning them in your SSO Active Directory, and then you can delete their PII in your Udemy Business account. To learn how to anonymize a learner, click here.

    If you need to manage a learner directly from within your Udemy Business account and not via your SSO IdP, and further, you do not wish to delete their PII, please reach out to our support team for further assistance.

  • Configure SCIM Provisioning With Okta

    This guide provides the steps required for existing Okta and Udemy Business customers to configure automatic provisioning, deprovisioning, profile updates and group management of Udemy Business using System for Cross-domain Identity Management (SCIM 2.0).

    Notes:

    • If you already have SSO sign on enabled from the previous Udemy Business app you do not need to reconfigure SSO again, just look for the Provisioning tab under Applications in Okta to set SCIM up. 
    • If you had SSO set up from a manual configuration by one of our team, you should add our new Udemy Business app into your Okta account. You will find this in Applications by searching for Udemy Business. Because this is a new version of our app in Okta, existing customers might be required to reconfigure Single Sign On (SSO) before enabling SCIM Provisioning. (step by step instructions below)
    • Users provisioned through Okta will not take up a license until they log into the Udemy Business application for the first time. 
    • SCIM provisioning changes can only be synced from Okta to Udemy Business, not the other way round. 
    • Users and Groups managed by SCIM in Okta cannot be changed within the Udemy Business app - SCIM is the single source of truth for user and group data.

    Contents

    • Features
    • Requirements
    • Configuration Steps
    • Schema Discovery
    • Troubleshooting Tips

    Features

    The following provisioning features are supported:

    • Identity Provider (IdP) Initiated SSO
      • Users will be able to initiate the login process from their Okta dashboard
    • Service Provider (SP) Initiated SSO
      • Users will be able to access [your-subdomain.udemy.com] and initiate the login process from their Udemy Business login page.
    • Just in Time (JIT) Provisioning
      • Users authenticated through SSO will be provisioned to Udemy Business on their first login.
      • All user attributes which are configured to be sent will be updated whenever the user logs in. This does not apply to SCIM users since they are only managed by SCIM.
    • Push Users with Ahead of Time Provisioning (SCIM)
      • New users associated with Udemy Business app on Okta will be created on Udemy Business.
    • Push Profile Updates (SCIM)
      • Updates made to the user's profile through Okta will be pushed to Udemy Business for users that are associated with the Udemy Business on Okta.
    • Push User Deactivation (SCIM)
      • Deactivating the user or disabling the user's access to the application through Okta will deactivate the user on Udemy Business and remove them from all groups.
      • Note: For Udemy Business, deactivating a user means removing access to login, but maintaining the user's information on Udemy Business as a deactivated user.
    • Reactivate Users
      • User accounts can be reactivated on Udemy Business by reassigning the app to that user through Okta.
    • Group Push (SCIM)
      • Groups and their memberships will be pushed to Udemy Business. Group management is limited to groups originally pushed from Okta, as we do not send information about groups created on Udemy Business.

    Configuration Steps

    Note: 

    • If you already have SSO login enabled for the Udemy app through Okta you do not need to reconfigure SSO again; proceed to step 8. 
    • If you had SSO set up from a manual configuration by our team, you should reconfigure SSO with the Udemy Business app in Okta (steps 1-7).
      • You can avoid any SSO downtime by hiding the Udemy Business tile in your Okta dashboard until the new SSO and SCIM configuration is complete. 
      • Beside Application Visibility click ‘Do not display application icon to users’

    1 - To get started, log into your Udemy Business account and go to the User Access page from Manage > Settings > Single Sign-On (SSO).

    Click Start setup. Choose your Identity Provider and follow the instructions from there to enable SCIM, and generate your credentials for inputting into your Identity Provider, as part of the configuration process.


    2 - From your Okta account, access the Applications page from the sidebar.

    3 - Click on Browse App Catalog, search for Udemy Business and click Add.


    4 - Adding the Udemy Business app will redirect you to the Application General Settings - Required page as shown below.  Choose a name for your Application label and click Done.


    5 - Next, click the Sign On tab, then Edit.


    Scroll down to Advanced Sign-on Settings and add the Audience URI (SP Entity ID) value below into the corresponding field and click Save. 

    d905a6ca-adf9-45e2-9b9d-0d6485f27206

     


    6 - On the same page, scroll down to SAML Signing Certificates.  Click on Actions then View IdP metadata.  Copy the metadata URL to your clipboard.  

    (Alternatively, you can select Download certificate to download the metadata file to your computer).


     

    7 - Navigate back to your Udemy Business account and access the Single sign-on (SSO) settings. On the configuration page, choose the appropriate metadata configuration method, and follow the instructions to create the SSO connection with your Identity Provider and Udemy Business.

     


    8 - Now that SSO is enabled for Okta we can enable Provisioning (SCIM). To start, click on the Provisioning tab then Configure API integration.


    9 - Click on Enable API Integration and add your subdomain, CLIENT_ID as username, and SECRET_ID as password.

    [You can generate or view these credentials in your Udemy Business account by accessing the Provisioning (SCIM) page under Manage -> Settings.]


    10 - Click on Test API Credentials and you should see a message indicating that you’ve successfully completed your SSO integration. If not, please send a message to the Udemy Business Support Team with the given error message.


    11 - Click on Save and you will be redirected to the Application Provisioning configuration page.



    12 - On the To App link, click on Edit to enable individual features. To use all the capabilities, we recommend enabling Create Users, Update User Attributes and Deactivate Users on this page.

    13 - Click on Save

    14 - Click on the Assignments tab to assign Udemy Business to single users or entire groups. Assigned users will be automatically provisioned after being added, automatically modified when changes are made to their profiles, and automatically deactivated when they are removed from assignments.

    15 - Click on the Push Groups tab to send groups and their membership information to Udemy Business.

    16 - Click on + Push Groups and select the groups you want to push to Udemy Business.

    You will be able to select each group, or you can create an automatic rule.

    17 - Select the group search criteria and fill the requested information for the groups you would like to send information to Udemy Business.


    18 - After selecting the group, check Push group memberships immediately to send not only the group but the members within the group as soon as you select the group, and click on Save.

    19 - Follow the previous steps for groups selection for all groups you would like to send to Udemy Business.

    Note: After Okta sends User or Group information to Udemy Business, we will consider Okta as the source of truth, and will not allow changes to user profiles or groups on Udemy Business.

  • Configure SCIM Provisioning With Udemy’s SCIM API

    Overview

    System for Cross-Domain Identity Management (SCIM) is a standard API for automating user and group provisioning/deprovisioning, and updating user and group data from the customer’s Identity Provider (IdP) into the Udemy Business account.  SCIM is supported by a number of Identity Providers such as Okta, Azure AD, and OneLogin.  You can also utilize the Udemy Business SCIM API for other IdPs or home-grown tools.

    If your organization uses one of the following IdPs, please instead refer to our guides below for configuring SCIM:

    SCIM uses a standardized REST API with data formatted in JSON. Udemy Business supports version 2.0 of the SCIM standard. The API is available for all customers that are on the Enterprise plan.

    Udemy Business SCIM API supports the following features: 

    • Provisioning users
    • Deprovisioning users (deactivation)
    • Changing email addresses
    • Changing user details
    • Provisioning groups
    • Adding/removing users to groups

    SCIM protocol description

    SCIM Protocol is an application-level REST protocol for provisioning and managing identity data on the web. The protocol is client-server where the client is the Identity Provider (IdP) and the server is Udemy Business.

    The basic flow is:

    • When access to Udemy Business is granted to the user in the IdP by the customer, the IdP sends us a request to check if the specific user exists in our database. It issues a User search request by an attribute like userName or email.
    • If the user does not exist, the IdP sends a request to create a user.
    • If the user exists, the IdP sends an update request for the user.
    • When access to Udemy Business is revoked, the IdP sends us a request to deactivate the user from our database.
    • IdP can also send requests to change user details.

    How to access the API?

    In order to obtain the authorization credentials to connect to the SCIM API, you will have to set up SCIM integration via Manage -> Settings -> Provisioning (SCIM) page in your Udemy Business account. Note that only Admins have access to this page. 

    Click Start Setup.


    In the next step, select Choose provider, then Custom.


    Click Generate token.


    On this screen, click Copy to copy the Bearer token to the clipboard.


    You will need to include the Authorization HTTP header with the Bearer token in your requests, for example:

    GET /scim/v2/Users HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    Udemy Business SCIM API uses the HTTP protocol and is only available over a secure HTTPS connection.

    The base URL for the API is https://<organization>.udemy.com/scim/v2/

    If you are developing an application to interact with the Udemy Business SCIM API, it is recommended to refer to the SCIM RFCs included at the end of this document. Udemy Business SCIM API implementation is compliant with the standard.

    SCIM API Endpoints

    Informational Endpoints

    These endpoints are informational and serve to configure the clients. They do not require authentication, so you don’t need to include the Authorization header when accessing these endpoints.

    GET /ServiceProviderConfig

    Returns details about Udemy Business SCIM implementation including which methods are supported.

    GET /Schemas

    Returns information about the schemas that our SCIM implementation supports. Supported schemas are Users and Groups.

    GET /Schemas/Users

    Returns all attributes that we support for User resources.

    GET /Schemas/Groups

    Returns all attributes that we support for Group resources.

    User Endpoints

    Using these endpoints you can list users, filter by attributes, add new users, update users’ information, or deactivate/anonymize users. Bear in mind that you will only be able to access users that were created using the SCIM API; users created within Udemy Business will not be available unless you reconcile them through SCIM. More details about reconciliation are given below.

    Supported Attributes

    | SCIM attribute | Required? | Description |
    |---|---|---|
    | userName | Yes | The userName from the IdP. Must be unique. |
    | name, { givenName, familyName } | No | Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
    | emails[type eq "work"].value | Yes | Email of the user. Must be unique. |
    | active | Yes | Flag to deactivate/reactivate users. |
    | title | No | User’s job title, e.g. “Senior Engineer”. |
    | externalId | Yes | The externalId of the user from the IdP. Must be unique. |

    Please note: If you specify any other attribute that is not on this list, it will be ignored.

    GET /Users

    Returns a paginated list of users, 12 users per page by default. You can pass in count and startIndex parameters to paginate through the result set. For example:

    GET /scim/v2/Users?startIndex=1&count=100 HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>

    • startIndex is the 1-based index of the first result in the current set of list results (offset)
    • count is the number of resources returned in a list response page (limit). You can retrieve no more than 1000 users in a single request. If this item is omitted it will default to 12.

    GET /Users?filter=

    This endpoint is used to filter users by specific attributes. For example, it is possible to search by userName attribute:

    GET /Users?filter=userName eq "gloria.graynor"

    Note: In the example above, you will need to URL-encode the URL parameters so the URL becomes:
    GET /Users?filter=userName%20eq%20%22gloria.graynor%22

    This will return a list of user resources. If there are no results, an empty list will be returned.

    The supported filters are:

    • userName
    • externalId
    • emails[type eq "work"]

    The supported operators are:

    • and
    • eq

    Response:

    • HTTP status code 200 with the list of entities on success
    • HTTP status code 501 if an unsupported filter is supplied

    POST /Users

    This endpoint is used to create (provision) new users in Udemy Business. 

    The response will contain an id attribute which should be used when referring to this user in all subsequent requests.

    Note that:

    • New users created this way will not consume a license until that user signs in for the first time.
    • If there was an existing pending invitation for this user, it will get used at this point.
      The user will get added to groups, be assigned appropriate role/course assignments according to what is specified in the invitation.
    • An attempt to create a user that already exists in Udemy Business will cause the user to become SCIM managed (displayed with a small link icon in Manage Users pages). Note that user’s status and license usage will not be changed. If the user was active it will remain active and if the user was deactivated it will remain deactivated.

    Response:

    • HTTP status code 201 and the user’s resource on success
    • HTTP status code 409 if the member with the same userName already exists in the Organization
    • HTTP status code 400 with the error details in the response body if the request did not pass validation

    GET /Users/<id>

    This endpoint is used to retrieve user details for a specified user. id parameter in the request above is a unique identifier that was returned when the user was created using SCIM or when listing all existing users.

    Response:

    • HTTP status code 200 with the user resource on success
    • HTTP status code 404 if the user has not been found

    PUT /Users/<id>

    This endpoint is used to replace (overwrite) user details in Udemy Business. If specified, attribute active can be used to deactivate or reactivate the user.

    Response:

    • HTTP status code 200 and the updated user resource
    • HTTP status code 404 if the user doesn’t exist. 
    • HTTP status code 400 in case of an attempt to deactivate an organization owner.

    PATCH /Users/<id>

    This endpoint is used to make partial updates to the user details in our system, meaning that you can use it to change only some attributes of the user. This is in contrast to PUT which replaces the entire user. 

    It can contain attribute active which will cause the user to be deactivated or reactivated.

    • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
    • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
    • The "path" attribute can be empty; in this case "value" should be a dictionary in the format of {"path": "value"}.

    Response:

    • HTTP status code 200 with the updated user’s resource on success
    • HTTP status code 404 if the user was not found
    • HTTP status code 400 if attempting to deactivate an organization owner or in case of an invalid operation.
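    The basic flow described earlier (search by userName, then create, update or deactivate) can be driven through the user endpoints as follows. This is an added example, not Udemy's code: sync_user, send and FakeScimServer are hypothetical names, the sample user is constructed, and the filter value is quoted as a JSON string, as RFC 7644 defines filter values, before it is URL-encoded.

```python
import json
from urllib.parse import quote, unquote

BASE = "/scim/v2"  # path prefix from the page; the host is <organization>.udemy.com
USER_URN = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_URN = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def user_filter_path(user_name):
    """Return the URL-encoded search path for one userName.

    json.dumps renders the value as a JSON string, so a double quote or
    backslash inside the name stays inside the literal instead of ending it.
    """
    return BASE + "/Users?filter=" + quote("userName eq " + json.dumps(user_name), safe="")


def user_resource(user, active=True):
    """Build a User body carrying the attributes the page marks as required."""
    return {
        "schemas": [USER_URN],
        "userName": user["userName"],
        "externalId": user["externalId"],
        "emails": [{"type": "work", "value": user["email"]}],
        "active": active,
    }


def sync_user(send, user, has_access):
    """Search, then create, update or deactivate, as in the basic flow.

    `send(method, path, body)` is a hypothetical transport returning
    (status, parsed_json); a real one adds the Authorization header.
    """
    status, found = send("GET", user_filter_path(user["userName"]), None)
    if status == 501:
        raise ValueError("filter not supported by the server")
    if status != 200:
        raise RuntimeError(f"search failed with HTTP {status}")
    matches = found.get("Resources", [])
    if not matches:
        if not has_access:
            return "absent"
        status, _ = send("POST", BASE + "/Users", user_resource(user))
        if status != 201:  # 409 = userName already exists, 400 = validation error
            raise RuntimeError(f"create failed with HTTP {status}")
        return "created"
    path = f"{BASE}/Users/{matches[0]['id']}"
    if has_access:
        status, _ = send("PUT", path, user_resource(user))
        outcome = "updated"
    else:
        # Empty "path": the value is a dictionary of attribute -> new value.
        patch = {"schemas": [PATCH_URN],
                 "Operations": [{"op": "replace", "value": {"active": False}}]}
        status, _ = send("PATCH", path, patch)
        outcome = "deactivated"
    if status != 200:  # 404 = unknown id, 400 = e.g. organization owner
        raise RuntimeError(f"HTTP {status} on {path}")
    return outcome


class FakeScimServer:
    """Constructed in-memory stand-in so the flow runs offline."""

    def __init__(self):
        self.users = {}  # id -> resource

    def send(self, method, path, body):
        if method == "GET":
            expr = unquote(path.split("?filter=", 1)[1])
            wanted = json.loads(expr[len("userName eq "):])
            hits = [u for u in self.users.values() if u["userName"] == wanted]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "POST":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"status": 409}
            new_id = str(len(self.users) + 1)
            self.users[new_id] = dict(body, id=new_id)
            return 201, self.users[new_id]
        user_id = path.rsplit("/", 1)[1]
        if user_id not in self.users:
            return 404, {"status": 404}
        if method == "PUT":
            self.users[user_id] = dict(body, id=user_id)
        else:  # PATCH with an empty path
            for op in body["Operations"]:
                self.users[user_id].update(op["value"])
        return 200, self.users[user_id]


def demo():
    """Provision, update, then revoke one constructed user."""
    server = FakeScimServer()
    user = {"userName": 'o"brien', "externalId": "ext-1", "email": "obrien@example.com"}
    steps = [sync_user(server.send, user, True),
             sync_user(server.send, user, True),
             sync_user(server.send, user, False)]
    return steps, server.users["1"]["active"]
```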

    Group Endpoints

    Supported Attributes

    | SCIM attribute | Required? | Description |
    |---|---|---|
    | displayName | Yes | Group title. Must be unique among all Udemy Business groups. |
    | externalId | No | The externalId of the group from the Identity Provider |

    Note: If you specify any other attribute that is not on this list, it will be ignored.

    GET /Groups

    This endpoint is used to get a paginated list of all provisioned groups. Include startIndex and count query string parameters to paginate through the results. 

    Bear in mind that only groups created using SCIM will be returned. Groups created from Udemy Business will not be returned.

    GET /Groups?filter=

    This endpoint is used to filter groups by specific attributes. For example, it is possible to search by displayName attribute:

    GET /Groups?filter=displayName eq "Marketing"

    This will return a list of group resources. If there are no results, an empty list will be returned.

    Note that you will need to URL-encode the parameters, so the request becomes:
    GET /Groups?filter=displayName%20eq%20%22Marketing%22

    The supported filters are:

    • displayName
    • externalId
    • Id
    • member.value

    The supported operators are:

    • and
    • eq

    Response:

    • HTTP status code 200 with the list of entities on success
    • HTTP status code 501 if the non-supported filter is used

    POST /Groups

    This endpoint is used to create (provision) new groups in Udemy Business. 

    Response:

    • HTTP status code 409 (Conflict) with a scimType error code of uniqueness if a provisioned group with the same name already exists in the organization.
    • HTTP status code 201 (Created) with the full representation of the group when the group has been created successfully, together with the Location header that contains the URL of the created group resource.

    GET /Groups/<id>

    This endpoint is used to fetch the group details from Udemy Business. 

    Response:

    • HTTP status code 200 and a group resource
    • HTTP status code 404 if the group has not been found

    PUT /Groups/<id>

    This endpoint is used to replace the group details in Udemy Business.

    Response:

    • HTTP status code 200 and the updated group resource 
    • HTTP status code 404 if the group doesn’t exist. 

    PATCH /Groups/<id>

    This endpoint is used to make partial updates to group details in Udemy Business. 

    The PATCH endpoint is more tricky than others, as it supports different kinds of operations (and their combinations are possible):

    • replace operation changes the specified value. In our case it’s either group name or members.
    • remove operation removes a member from the group.
    • add operation adds members to the group.

    The rules are the following:

    • We never remove unprovisioned members from the group (in the case of a `replace` members operation, for example).
    • A PATCH request, regardless of the number of operations, SHALL be treated as atomic.

    The input validations are the following:

    • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
    • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
    • The “path” attribute can be empty; in this case “value” should be a dictionary in the format of {“path”: “value”}.
    • For the “Remove” operation, the “members” path is required.
    • For the “Add” operation, either the “members” or the “externalId” path should be present.
    • For the “Replace” operation, the “members” path may be present. If it is absent, we are replacing the group details (like the group name) but not the members.

    Note:

    • Assigning/unassigning users to a group happens asynchronously, so the changes won’t be reflected immediately in Udemy Business.
    • We do not support nested groups, so they will be ignored during this request.

    Response:

    • HTTP status code 204 if the operation was successful.
    • HTTP status code 404 if the group does not exist.
    • HTTP status code 404 with the error details if there is an attempt to assign a group to a user that’s not a member of the organization.
    • HTTP status code 400 with the error details in the response body if the request did not pass the validation.
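    The following is an added example, not Udemy Business code: a client-side check of a request body against the input validations listed above for PATCH /Groups/<id>, useful for catching bodies that would be answered with 400 before they are sent. The function names are hypothetical, and two behaviours are assumptions: "op" is compared case-insensitively, and a filtered path such as members[value eq "..."] is treated as the "members" path.

```python
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_OPS = {"add", "remove", "replace"}

def effective_paths(op):
    """Paths an operation targets; None if path is empty and value is not a dict."""
    path = op.get("path")
    if isinstance(path, str) and path:
        # Assumption: a filtered path (members[value eq "x"]) counts as "members".
        return [path.split("[", 1)[0]]
    value = op.get("value")
    # Empty path: "value" must be a dictionary in the format {path: value}.
    return list(value) if isinstance(value, dict) else None

def validate_group_patch(body):
    """Validate a parsed JSON body (dict); return a list of errors, empty if it passes."""
    errors = []
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or PATCH_OP_SCHEMA not in schemas:
        errors.append("schemas must contain " + PATCH_OP_SCHEMA)
    ops = body.get("Operations")
    if not isinstance(ops, list) or not ops:
        return errors + ["Operations must be an array of one or more operations"]
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            errors.append(f"Operations[{i}]: must be an object")
            continue
        # Assumption: "op" is matched case-insensitively ("Add" and "add" both pass).
        name = str(op.get("op", "")).lower()
        if name not in ALLOWED_OPS:
            errors.append(f"Operations[{i}]: op must be add, remove or replace")
            continue
        paths = effective_paths(op)
        if paths is None:
            errors.append(f"Operations[{i}]: empty path requires a dictionary value")
        elif name == "remove" and "members" not in paths:
            errors.append(f"Operations[{i}]: remove requires the members path")
        elif name == "add" and not {"members", "externalId"} & set(paths):
            errors.append(f"Operations[{i}]: add requires members or externalId")
    return errors

# Constructed sample request body (not captured traffic); the third operation is invalid.
SAMPLE = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "Replace", "value": {"displayName": "Marketing EMEA"}},
        {"op": "Add", "path": "members", "value": [{"value": "user-id-1"}]},
        {"op": "Remove", "path": "displayName"},
    ],
}
```

    Because a PATCH request is treated as atomic, a single failing operation is reason to hold back the whole body, so the check reports every error rather than stopping at the first.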

    DELETE /Groups/<id>

    This endpoint is used to remove or deprovision a group in Udemy Business. 

    The rules are the following:

    • If the group contains non-provisioned members, we remove the provisioned users from the group and delete the `OrganizationSCIMGroup` record.

    Response:

    • HTTP status code 204 if the operation was successful.
    • HTTP status code 404 if the group does not exist.

  • Using Approved Email Domains to Give Users ‘Self-serve’ Access to Udemy Business

    We have two ways to provide your users with access to your Udemy Business account - through single sign-on (SSO) and by invitation sent by admins/group admins.

    This feature is an additional option if you use the invitation process. It gives your users a way to trigger the invitation email themselves from your account landing page (eg. company.udemy.com), provided they use an approved/verified email address domain that has been pre-set by you, the admin.

    How to approve an email address domain

    On the page in Settings called Email Domain Access, admins can specify an email address domain (or multiple domains) that are approved for joining your Udemy Business account.

    email_domain_access.png

    This feature is available for both Team and Enterprise plans - but setting up the approved email domain in the Email Domain Access page is only accessible by owners and admins, not group admins.

    Sharing your account landing page URL for users to sign up

    You can share your Udemy Business account landing page URL with the users and groups in the organization who should have access, eg. by Slack, email, wiki, intranet or simply add the link in your learning management system (LMS).

    When a user accesses your account landing page URL they can enter their email address to sign up, provided the email address entered matches an approved email domain that was pre-set by the admin.

    UB_login.jpg

    Once they enter an approved email address, they get an on-screen instruction to check their email to verify their account.

    check_your_email_for_invitation.png

    License usage and verification

    Users must complete signing up for their account in order to claim their license. 

    If there are no licenses available we present the user with the message below to contact their manager or IT department.

    all_licenses_have_been_allocated.png

    Users will then need to verify their account information using the link in the verification email they received. The verification link will expire in one hour*. Once they’ve verified their account, they’ll be able to sign up by adding their name, email and password.

    *Please note that Single Sign-On (SSO)/System for Cross-domain Identity Management (SCIM) users will not be put through this verification flow.

    send_verification_email.png

    activate_account_email.png

    If the email address the user enters does not match the approved email domain, they will see the message below and will be prevented from signing up.

    not_invited_to_this_account.png

    If there are no licenses available we present the user with the below message to contact their manager or IT department.

    no_licenses.png

    Users that sign up through the approved email domain process will show in the Pending Invitations screen in Manage Users, but they will be distinguished as ‘Invited through approved email’.

    invited_through_approved_email.png

    This feature is available for both Team and Enterprise plans - but setting up the approved email domain in the User Access page is only accessible by owners and admins, not group admins.
