Partager via

Tutorial: Configure Automated User Management for LinkedIn Learning via OneLogin

  • Article

Overview

This tutorial describes the steps you need to perform in both LinkedIn Learning and OneLogin to configure automatic user provisioning. When configured, OneLogin automatically provisions and de-provisions users and groups to LinkedIn Learning using SCIM provisioning.

For additional details on what this service does, see OneLogin – Understanding SCIM.

Capabilities Supported

  • Create user profiles and assign licenses in LinkedIn Learning.
  • Remove user licenses in LinkedIn Learning when they do not require access anymore.
  • Keep user attributes synchronized between OneLogin and LinkedIn Learning.
  • Create groups and manage group memberships in LinkedIn Learning.
  • Single sign-on to LinkedIn Learning.

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • OneLogin tenant with admin permissions.
  • LinkedIn Learning admin access.
  • An admin user account in OneLogin to configure a custom application - (e.g., SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)).
  • Accurate user data in LinkedIn Learning. See this guide for instructions on cleaning up your user data if necessary for existing Learning accounts.

OneLogin has LinkedIn Learning native application to setup SSO, but the standard native application does not support SCIM.

If configuring just SSO, native LinkedIn Learning App from OneLoging will suffice, however, if configuring both SSO and SCIM, it is required to add a custom application from the available applications (SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)). Please see below for more details.

Configure LinkedIn Learning to Support SCIM Provisioning with OneLogin

  1. Log into LinkedIn Learning as an admin and navigate to Me > Authenticate.

authenticate menu

  1. Click on Automate user management and expand the Configure SCIM section.

Configure scim

  1. In the Configure SCIM section, Select Add SCIM.

Add SCIM

  1. Enter a name for the configuration and set Auto-assign licenses to On. Then, click Generate token.

Generate SCIM token

  1. Copy the Access token for use in the next section.

Copy access token

Determine who will be in scope for provisioning

OneLogin allows you to assign the application to specific users or groups. When SCIM provisioning is enabled, all users assigned to the application will be automatically provisioned in LinkedIn Learning.

Start small. Test with a small set of users and/or groups before assigning the application to your full user group.

Tip

When new users are provisioned in LinkedIn Learning, an invitation email is sent out automatically. If you want to assign users to the application without notifying them, make sure to disable emails to new learners in the LinkedIn Learning admin settings. Make sure to re-enable these settings when you are ready to notify your learners. You can also re-send the invitation email at any time in the admin settings.

Configure Automatic User Provisioning to LinkedIn Learning

This section guides you through the steps to configure the OneLogin SCIM provisioning service to create, update, and disable users in LinkedIn Learning based on user assignments in the OneLogin custom application.

To configure automatic user provisioning for LinkedIn Learning in OneLogin:

  1. Sign into the OneLogin admin portal and navigate to Applications > Search for the custom application - SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML).

    Custom app selection

  2. Select the app and click Save to see the fields on the configuration tab.

    Config page

    Config save

To Setup SCIM, first setup SSO as it it a prerequisite for the custom application to have SSO config in place.

SSO section

a. After you log in to LinkedIn Learning, if you are not already in the Admin screen, select Go to Admin, then click Me > Authenticate.

authenticate menu

b. Select Configure single sign-on under Authenticate and click Add new SSO.

add new sso saml

c. Select SAML from the Add new SSO drop down.

d. Under Basics tab, give your SSO connection a name (ex: Azure AD SSO) and click Next.

sso basics

e. Navigate to Identity provider settings tab, click Load and copy information from fields to download the meta data file from LinkedIn to be able to upload into OneLogin SSO settings.

Copy the required fields (Entity ID and Assertion Consumer Service (ACS) URL) and save them for use in the next section.

automate user saml

f. Download the XML file from OneLogin Go to SSO Section - Click View Details - Download. The file then can be uploaded into LinkedIn Learning.

SSO section

OneLogiin-SSO section

g. To Upload the XML to LinkedIn Learning - Go to SSO Settings - click Upload XML file.

SHA fingerprint

h. SAML Signature Algorithm: Please select based on the above step under the SSO settings. Then Save the settings.

SAML signature algorithm

i. Enable login hint and Login Connection Display

Login hint

Configuration section

a. SAML Audience URL - Entity ID

Entity ID

Copy the Entity ID from LinkedIn Learning and paste it in SAML Audience URL

SAML Audience URL

b. RelayState - Leave blank.

c. Recipient field - Leave blank.

this field is not required

d. ACS (Consumer) URL Validator

ACS URL Validator

ACS URL LinkedIn

Copy the link from Assertion Consumer Services (ACS) URL and paste it in the ACS (Consumer) URL Validator field.

Please note: This field will not allow any special characters hence the ACS URL will transform as per below.

ACS Transform URL

e. ACS (Consumer) URL

Copy the ACS Consumer Services URL (ACS) URL to ACS (Consumer) URL. This field accepts special characters.

ACS consumer URL

ACS URL LinkedIn

f. Single Logout URL: Leave blank.

Single Logout URL

g. Login URL: This is required when SP as the SAML Initiator -Leave blank for default setting.

Login URL

h. SAML not valid before - set to: 3

SAML not valid before

i. SAML not valid on or after – set to: 3

SAML not valid on or after

j. SAML initiator

SAML initiator

k. SAML nameID format: This is the common attribute for SSO as well as SCIM.

SAML nameID format

l. SAML issuer type

SAML issuer type

m. SAML signature element

SAML signature element

n. Encrypt assertion - Uncheck.

Encrypt assertion

o. SAML encryption method – TRIPLEDES-CBC

SAML encryption method

p. Send NameID format in SLO Request - Uncheck

Send NameID format

q. Generate AttributeValue tag for empty values - Uncheck

OneLogin AttributeValue

r. SAML sessionNotOnOrAfter - set to 1440

sessionNotOnOrAfter

s. Sign SLO Request - Uncheck

Sign SLO Request

t. Sign SLO Response - Uncheck

Sign SLO Response

u. SCIM Base URL: set to – 'https://api.linkedin.com/scim'

Capture the above URL in the field

v. SCIM JSON Template: No change required.

JSON template nothing to change

w. Custom Headers - Leave Blank

x. SCIM Bearer Token

SCIM Bearer Token

This is the Token value generated from step 5 from the above

token step 5

Once completed, make sure to save all changes before going to next section - Parameters section.

Parameters section

Determine what parameters are in scope from Provisioning. By default, Groups, Manager ID, SAML NameID (Subject) - map it to email, Department, scimusername, title are available.

Add givenName, surname as custom parameters to be sent back to LinkedIn Learning via SAML response as per below (If only required).

add user parameters in this section

Please Save all changes before proceeding to next - SSO section.

Provisioning section

Enable Provisioning only once all config has been setup.

De-select “Create User”, “Delete User” and “Update User” from the permissions as it requires manual approval to add users via SCIM to LinkedIn Learning (recommended).

create delete or update user

Users section

Add users individually or in bulk. (Please test with at least 2 or 3 users first before adding all users)

Once the user has been provisioned, there will a green tick against the user.

OneLogin users section

Congratulations! SSO and SCIM from OneLogin has been setup successfully.

Technical Issues

If you have technical issues with the SSO or SCIM setup, contact your account team or application support team through the LinkedIn Learning Help Centre.

Monitor Your Deployment

Now that you have finished configuring SCIM provisioning, all users assigned to the application in OneLogin should be automatically provisioned with a license in LinkedIn Learning, and any pushed groups should be automatically created and populated in LinkedIn Learning.

The initial sync may take longer if you have a large employee population, but subsequent changes and user updates should reflect in LinkedIn Learning in near real-time.

Note

Any future changes after the initial successful setup of SCIM implementation, it is highly recommended to stop the provisioning tool before making any changes on OneLogin side to avoid unnecessary sync process. This may lead to revoking licenses in error. Hence strongly suggest stopping the provisioning tool before making any changes first and turn back on provisioning once ready to sync.

If you wish to discuss any questions, please contact LinkedIn Learning Account team.

Appendix

Additional resources

LinkedIn’s Privacy and Data Security Policy

https://www.linkedin.com/legal/privacy-policy

LinkedIn Security Contacts

If you have any security questions or you would like to report a security issue, write to us at security@linkedin.com.

Back to Top