This guide provides the steps required to configure Single Sign-On using Security Assertion Markup Language (SAML 2.0) and Provisioning using System for Cross-domain Identity Management (SCIM 2.0) for Udemy for Business.
Existing Okta and Udemy for Business customers who wish to enable SCIM Provisioning in Okta should use this configuration guide.
Notes:
- Single sign-on and provisioning are available to Udemy for Business Enterprise Plan customers.
- Users provisioned through Okta will not take up a license until they log into the Udemy for Business application for the first time.
- SCIM provisioning changes can only be synced from Okta to Udemy for Business, not the other way round.
- Users and Groups managed by SCIM in Okta cannot be changed within the Udemy for Business app - SCIM is the single source of truth for user and group data.
Contents
- Features
- Requirements
- Configuration Steps
- Schema Discovery
- Troubleshooting Tips
Features
The following provisioning features are supported:
- Identity Provider (IdP) Initiated SSO
- Users will be able to initiate the login process from their Okta dashboard
- Service Provider (SP) Initiated SSO
- Users will be able to access [your-subdomain.udemy.com] and initiate the login process their Udemy for Business login page.
- Just in Time (JIT) Provisioning
- Users authenticated through SSO will be provisioned to Udemy for Business on their first login.
- All user attributes which are configured to be sent will be updated whenever the user logs in. This does not apply to SCIM users since they are only managed by SCIM.
- Push Users with Ahead of Time Provisioning (SCIM)
- New users associated with Udemy for Business app on Okta will be created on Udemy for Business.
- Push Profile Updates (SCIM)
- Updates made to the user's profile through Okta will be pushed to Udemy for Business for users that are associated with the Udemy for Business on Okta.
- Push User Deactivation (SCIM)
- Deactivating the user or disabling the user's access to the application through Okta will deactivate the user on Udemy for Business and remove them from all groups.
- Note: For Udemy for Business, deactivating a user means removing access to login, but maintaining the user's information on Udemy for Business as a deactivated user.
- Reactivate Users
- User accounts can be reactivated on Udemy for Business.
- Group Push (SCIM)
- Groups and their memberships will be pushed to Udemy for Business. Manage groups is limited to groups pushed originally from Okta as we do not send information of groups created on Udemy for Business.
Configuration Steps
1a - To get started, log into your Udemy for Business account and go to Settings > Single Sign-On (SSO). Click Start setup, choose your Identity Provider from the list and follow the instructions to configure SSO and input your Identity Provider Metadata to automatically create the SSO connection with Udemy for Business.
1b - While still within your Udemy for Business account you can access the necessary details to set up SCIM Provisioning which automates user and group management.
Access the tab under SSO called Provisioning (SCIM). Click Start setup, choose your Identity Provider and follow the instructions from there to enable SCIM and generate your credentials for inputting into your Identity Provider as part of the configuration process.
2 - From your Okta's Dashboard, use the top menu to access the Applications page.
3 - Click on the button Add Application, search for Udemy for Business and click Add.
4 - Adding Udemy for Business app will redirect you to the Application General Settings - Required page as shown below.
5 - Add the Audience URI (SP Entity ID) value below into the corresponding field and click Done.
d905a6ca-adf9-45e2-9b9d-0d6485f27206
6 - Click on Sign On tab to start the SSO configuration.
7 - Click on Identity Provider metadata, save the metadata file or copy the metadata URL with your organization's metadata.
Access the SSO section of your Udemy for Business account again, and on the configuration page, choose the appropriate metadata configuration method and follow the instructions to create the SSO connection with your Identity Provider and Udemy for Business.
8 - To enable Auto Provisioning (SCIM) click on the tab Provisioning and Configure API integration.
9 - Click on Enable API integration and add your subdomain, CLIENT_ID as username, and SECRET_ID as password.
[You can generate or view these credentials in your Udemy for Business account by accessing the User Access page under Settings.]
10 - Click on Test API Credentials and you should see a message like below. Otherwise, send a message to the Udemy for Business Support Team (ufbsupport@udemy.com) with the given error message.
11 - Click on Save and you will be redirected to the Application Provisioning configuration page.
12 - On To App link click on Edit to enable individual features. To use all the capabilities we recommend to enable Create Users, Update User Attributes and Deactivate Users on this page.
13 - Click on Save
14 - Click on the Assignments tab to assign Udemy for Business to single users or entire groups. Assigned users will be automatically provisioned after added, modified when updated their profiles, and deactivated when they are removed from assignments.
15 - Click on the Push Groups tab to send groups and their membership information to Udemy for Business.
16- Click on + Push Groups and select the groups you want to push to Udemy for Business.
You will be able to select each group, or you can create an automatic rule.
17 - Select the group search criteria and fill the requested information for the groups you would like to send information to Udemy for Business
18 - After selecting the group, check Push group memberships immediately to send not only the group but the members within the group as soon as you select the group, and click on Save.
19 - Follow the previous steps for groups selection for all groups you would like to send to Udemy for Business.
Note: After Okta sends User or Group information to Udemy for Business, we will consider Okta as the source of truth, and not allow modifications to user profiles or groups on Udemy for Business.
For SP-initiated SSO
1- Go to https://[your-subdomain].udemy.com
2- Click on Continue with SSO