Set up an IdP with OAuth 2.0 to create and manage accounts
Use SCIM 2.0 protocol with your identity provider (IdP) to create, read, update and deactivate accounts in LearnUpon.
For customers using an IdP with bearer/token authentication like Microsoft Entra ID (previously Microsoft Azure), SCIM (System for Cross-domain Identity Management) makes managing user identities in LearnUpon easier.
For basic authentication, see Portal: set up SCIM 2.0 with basic authentication.
Availability: depends on your LearnUpon plan
SCIM 2.0 overview
The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the web. The protocol supports creation, discovery, retrieval, and modification of core identity resources.
LearnUpon lets you set up an identity provider, such as Microsoft Entra ID, that uses SCIM 2.0 to create, read, update and deactivate accounts from a single source.
Currently, this provisioning works in one direction. You create or update accounts in the identity provider, and SCIM creates or updates the same details for a new account in LearnUpon.
You can't create new accounts in LearnUpon and export them to your identity provider.
Background
LearnUpon is not responsible for content outside this site.
- SCIM: System for Cross-Domain Identity Management
- Add SCIM provisioning to app integrations | Okta
- Microsoft Entra: what is app provisioning in Microsoft Entra ID?
- Tutorial: Develop and plan provisioning for a SCIM endpoint in Microsoft Entra ID
Prerequisites
For SCIM 2.0 using OAuth 2.0, your LearnUpon portal requires the following features to be turned on:
- LearnUpon API. See Use the LearnUpon API
- SSO. See Set up SAML SSO for your portal
- OAuth 2.0. See Use OAuth 2.0 to connect applications to LearnUpon
With these features in place, you set up an app for bearer/token authentication in your identity provider, such as Microsoft Entra ID (previously Microsoft Azure).
Access permissions
- admins with full portal permissions: can set up this feature
SCIM 2.0 is available in sub-portals. You set up each portal individually as required.
Add SCIM provisioning
Follow the instructions from your identity provider, such as Microsoft Entra ID, for bearer/token authentication. For example, see Authentication methods in Microsoft Entra ID - OAuth tokens.
Note: if your portal uses advanced passwords, you need to set up password synchronization in your identity provider.
See: Set advanced password requirements for the portal
Create an OAuth app in LearnUpon for connecting to your IdP
See Use OAuth 2.0 to connect applications to LearnUpon
Look for the required Redirect URL in your IdP’s documentation, something similar to https://system-admin.your_idp.com/admin/app/cpc/{appName}/oauth/callback, where {appName} is the name of your organization’s app in your IdP settings.
For Microsoft Entra ID: create a new application for provisioning details to LearnUpon
For LearnUpon use, you create a new application, described as non-gallery, aka not available in the Microsoft Entra Gallery.
This app “pushes” content from the IdP to LearnUpon, using OAuth 2.0 as an authentication protocol. In this app you select what details you want to share between the IdP and LearnUpon.
See Set up attribute mapping from your identity provider to LearnUpon in this article.
Within this app you set up Admin Credentials. Microsoft Entra’s Tenant URL is what LearnUpon calls the SCIM connector base URL. See Required LearnUpon details for setup in this article.
For the associated Secret Token, use an authenticator app such as Microsoft Authenticator, Google Authenticator or Postman to generate a token.
Required LearnUpon details for setup
- SCIM connector base URL: https://yourportal.learnupon.com/api/v1/scim/
- Unique identifier field for users: email or userName
- Supported provisioning actions:
  - Import New Users and Profile Updates
  - Push New Users
  - Push Profile Updates
- Authentication Mode: bearer/token, aka OAuth 2.0
Parameters available for update through SCIM 2.0
You can update the following parameters through SCIM. When you change them in your identity provider, the changes appear in LearnUpon:
- first_name
- last_name
- display_name
- username
- login_enabled
- portal_membership_type
Note: You cannot currently update custom user data fields through SCIM.
Set up attribute mapping from your identity provider to LearnUpon
In your identity provider app, you need to specify what data you want the IdP to share with LearnUpon, and where to “push” it in LearnUpon when creating or changing a user’s profile.
For example, in Microsoft Entra ID:
- userPrincipalName attribute should contain your portal's unique identifier, either email or username
- userType attribute in Microsoft Entra needs to map to one of the LearnUpon user types (case sensitive):
  - admin
  - member (a legacy term for learner)
  - manager
  - instructor
If your organization uses different userTypes, you can map them to one of the LearnUpon user types. For example, your organization can map director to the LearnUpon admin user type. Your identity provider will set up an admin account for every director in your organization.
See Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID. LearnUpon is not responsible for content off this site.
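A pre-flight check for the mapping described above, as an added example (not LearnUpon's or Microsoft's code): it applies the case-sensitive userType rule and lists which accounts would be provisioned as admin, so a broad mapping such as director to admin can be reviewed before it goes live. The record layout, `CUSTOM_MAPPING`, the sample users and all function names are assumptions made for illustration.

```python
# Added example: audit IdP user records before enabling SCIM provisioning.
# The four LearnUpon user types come from the list above; everything else is constructed.
LEARNUPON_USER_TYPES = {"admin", "member", "manager", "instructor"}

# Constructed sample: organization-specific userType -> LearnUpon user type.
CUSTOM_MAPPING = {"director": "admin", "employee": "member"}

# Constructed sample export from an identity provider.
SAMPLE_USERS = [
    {"email": "ana@example.com", "userType": "director"},
    {"email": "ben@example.com", "userType": "Admin"},   # wrong case
    {"email": "", "userType": "member"},                 # no unique identifier
    {"email": "cy@example.com", "userType": "instructor"},
    {"email": "ana@example.com", "userType": "manager"}, # duplicate identifier
]


def resolve_user_type(idp_user_type, mapping=CUSTOM_MAPPING):
    """Return the LearnUpon user type for an IdP userType, or None if unmapped.

    Matching is exact because the values are case sensitive: 'Admin' != 'admin'.
    """
    if idp_user_type in LEARNUPON_USER_TYPES:
        return idp_user_type
    return mapping.get(idp_user_type)


def audit(users, identifier_field="email", mapping=CUSTOM_MAPPING):
    """Return (problems, admins): blocking issues and accounts that become admin."""
    problems, admins, seen = [], [], set()
    for user in users:
        ident = (user.get(identifier_field) or "").strip()
        label = ident or "<no identifier>"
        if not ident:
            problems.append(f"{label}: missing {identifier_field}")
        elif ident in seen:
            problems.append(f"{label}: duplicate {identifier_field}")
        else:
            seen.add(ident)
        resolved = resolve_user_type(user.get("userType"), mapping)
        if resolved not in LEARNUPON_USER_TYPES:
            problems.append(f"{label}: userType {user.get('userType')!r} has no valid mapping")
        elif resolved == "admin":
            admins.append(label)
    return problems, admins


if __name__ == "__main__":
    found, would_be_admin = audit(SAMPLE_USERS)
    print("\n".join(found))
    print("Provisioned as admin:", would_be_admin)
```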
See:
- Portal: set up SCIM 2.0 with basic authentication
- Use OAuth 2.0 to connect applications to LearnUpon
- Email deliverability: best practices to avoid email bounces