This guide provides the steps required to configure Single Sign-On using Security Assertion Markup Language (SAML 2.0) and Provisioning using System for Cross-domain Identity Management (SCIM 2.0) for Udemy for Business.
If you have already configured SSO with SAML in Azure AD for Udemy for Business and just want to enable SCIM Provisioning, access your existing Udemy for Business SSO in Azure AD and follow the instructions from section 2 below (after SSO set up).
Notes:
- Single sign-on and provisioning are available to Udemy for Business Enterprise Plan customers.
- Users provisioned through Azure AD will not take up a license until they log into the Udemy for Business application for the first time.
- SCIM provisioning changes can only be synced from Azure AD to Udemy for Business, not the other way round.
- Users and Groups managed by SCIM in Azure AD cannot be changed within the Udemy for Business app - SCIM is the single source of truth for user and group data.
- You can still create groups manually in Udemy for Business if you have users that you don’t need or want to push from Azure AD, eg. contractors or temporary staff.
1. Configure Single Sign-On (SSO) with Azure
Log in to your Azure portal and click Azure Active Directory.
Next, select Enterprise applications.
Now click + New application in the top bar.
Select Non-gallery application.
Enter a name for the new application and click Add at the end of the window.
Then select Set up single sign on. 
For Single Sign-on mode, select SAML based Sign-on.
Follow the 4 steps on the SSO with SAML screen. Azure AD has also provided a detailed configuration guide at the top of the page for further guidance.
For Step 1, Basic SAML Configuration:
- In the Identifier (Entity ID) field, enter PingConnect.
- In Reply URL field, enter this value: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2
- In Sign on URL field in enter: https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=PingConnect
For Step 2, User Attributes and Claims:
In the User Identifier field, enter user.mail.
Udemy for Business supports the following SAML attributes (all attributes are case-sensitive).
Required attributes
- SCIM.email
the unique email of the user
Optional attributes
- SCIM.name.givenName
the given (or first) name of the user - SCIM.name.middleName
the middle name (if any) of the user - SCIM.name.familyName
the family (or last) name of the user - SCIM.name.formatted
the fully formatted name of the user - groups
the list of groups to which the user belongs - externalID
a unique user ID specified by the customer
To change each attribute, click on the respective row.
Enter the attribute name as specified in the table above, select the corresponding value and remove Namespace value (leave it blank) and click OK.
To add more attributes to your SAML assertion, click Add attribute and repeat the process.
Once you’re done adding the attributes, click Save to complete the configuration.
For Step 3, in the SAML Signing Certificate section, click Download Federation Metadata XML which will export the Metadata file.
Important: Send this Metadata file to your Customer Success Manager at Udemy for Business in order to complete your SSO configuration.
Now you’re ready to give your users access to Udemy for Business.
Click on Azure Active Directory.
Select Enterprise applications.
Select your newly created application from the list.
Click Users and groups.
Click on Add User -> Users and Groups
Select all users you want to add to the application and click Select.
You have now completed configuring SSO for Udemy for Business with Azure AD.
2. Configure SCIM Provisioning with Azure AD
Once Single Sign-on (SSO) is set up you can then configure SCIM provisioning in Azure AD with Udemy for Business. This will allow you to provision, deprovision, create groups, manage group membership and change user profile details like name and email address which is then automatically updated in Udemy for Business. You will no longer need to update both Azure and Udemy for Business separately with these actions as it will all be synced from Azure.
To enable SCIM Provisioning for your Udemy for Business account, first go to your Udemy for Business account and access Manage > Settings > User Access.
Scroll to the SCIM Integration section and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to input into Azure AD.
Next, access your Azure AD account and go to your Udemy for Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Azure AD for further guidance.
Go to the Provisioning tab in your Azure portal.
(Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM; you should locate the app that was named by your team when configuring SSO)
Choose Automatic as the Provisioning Mode.
In the Admin Credentials section:
Tenant URL is: https://yourdomain.udemy.com/scim/v2 (yourdomain is the url for your Udemy for Business account)
Secret Token: This is a ‘Bearer’ token that you can generate or view inside your Udemy for Business account. (go to Manage > Settings > User Access to get the Secret Token)
Click Test Connection to check that it’s working correctly.
Optional: You can enter an email address if you wish to receive alerts from Azure about errors.
In Mappings:
Check the attribute mapping so that user's email is mapped to emails[type eq "work"].value
In Settings:
Toggle the Provisioning Status button to On.
Choose the Scope of how you want to sync your users and groups.
You can sync only users and groups who are assigned the Udemy for Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.
In order to provision more users and groups with Udemy for Business access:
Click Users and groups
Click on Add User (which will give you the option to add both Users and Groups)
Select all users or the groups you want to add to the application and click Select.
Troubleshooting
In relation to Mappings:
If you experience this error when provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}
You should change the mapping of the User.
emails[type eq "work"].value needs to be mapped to userPrincipalName that is, if userPrincipalName is where the email is.
If you go to the user profile, you should be able to see which field contains the email there.