Tutorial: Configure Automated User Management for LinkedIn Learning via OneLogin
Overview
This tutorial describes the steps you need to perform in both LinkedIn Learning and OneLogin to configure automatic user provisioning. When configured, OneLogin automatically provisions and de-provisions users and groups to LinkedIn Learning using SCIM provisioning.
For additional details on what this service does, see OneLogin – Understanding SCIM.
Capabilities Supported
- Create user profiles and assign licenses in LinkedIn Learning.
- Remove user licenses in LinkedIn Learning when they do not require access anymore.
- Keep user attributes synchronized between OneLogin and LinkedIn Learning.
- Create groups and manage group memberships in LinkedIn Learning.
- Single sign-on to LinkedIn Learning.
Prerequisites
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
- OneLogin tenant with admin permissions.
- LinkedIn Learning admin access.
- An admin user account in OneLogin to configure a custom application - (e.g., SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)).
- Accurate user data in LinkedIn Learning. See this guide for instructions on cleaning up your user data if necessary for existing Learning accounts.
OneLogin has LinkedIn Learning native application to setup SSO, but the standard native application does not support SCIM.
If configuring just SSO, native LinkedIn Learning App from OneLoging will suffice, however, if configuring both SSO and SCIM, it is required to add a custom application from the available applications (SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)). Please see below for more details.
Configure LinkedIn Learning to Support SCIM Provisioning with OneLogin
- Log into LinkedIn Learning as an admin and navigate to Me > Authenticate.
- Click on Automate user management and expand the Configure SCIM section.
- In the Configure SCIM section, Select Add SCIM.
- Enter a name for the configuration and set Auto-assign licenses to On. Then, click Generate token.
- Copy the Access token for use in the next section.
Determine who will be in scope for provisioning
OneLogin allows you to assign the application to specific users or groups. When SCIM provisioning is enabled, all users assigned to the application will be automatically provisioned in LinkedIn Learning.
Start small. Test with a small set of users and/or groups before assigning the application to your full user group.
Tip
When new users are provisioned in LinkedIn Learning, an invitation email is sent out automatically. If you want to assign users to the application without notifying them, make sure to disable emails to new learners in the LinkedIn Learning admin settings. Make sure to re-enable these settings when you are ready to notify your learners. You can also re-send the invitation email at any time in the admin settings.
Configure Automatic User Provisioning to LinkedIn Learning
This section guides you through the steps to configure the OneLogin SCIM provisioning service to create, update, and disable users in LinkedIn Learning based on user assignments in the OneLogin custom application.
To configure automatic user provisioning for LinkedIn Learning in OneLogin:
Sign into the OneLogin admin portal and navigate to Applications > Search for the custom application - SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML).
Select the app and click Save to see the fields on the configuration tab.
To Setup SCIM, first setup SSO as it it a prerequisite for the custom application to have SSO config in place.
SSO section
a. After you log in to LinkedIn Learning, if you are not already in the Admin screen, select Go to Admin, then click Me > Authenticate.
b. Select Configure single sign-on under Authenticate and click Add new SSO.
c. Select SAML from the Add new SSO drop down.
d. Under Basics tab, give your SSO connection a name (ex: Azure AD SSO) and click Next.
e. Navigate to Identity provider settings tab, click Load and copy information from fields to download the meta data file from LinkedIn to be able to upload into OneLogin SSO settings.
Copy the required fields (Entity ID and Assertion Consumer Service (ACS) URL) and save them for use in the next section.
f. Download the XML file from OneLogin Go to SSO Section - Click View Details - Download. The file then can be uploaded into LinkedIn Learning.
g. To Upload the XML to LinkedIn Learning - Go to SSO Settings - click Upload XML file.
h. SAML Signature Algorithm: Please select based on the above step under the SSO settings. Then Save the settings.
i. Enable login hint and Login Connection Display
Configuration section
a. SAML Audience URL - Entity ID
Copy the Entity ID from LinkedIn Learning and paste it in SAML Audience URL
b. RelayState - Leave blank.
c. Recipient field - Leave blank.
d. ACS (Consumer) URL Validator
Copy the link from Assertion Consumer Services (ACS) URL and paste it in the ACS (Consumer) URL Validator field.
Please note: This field will not allow any special characters hence the ACS URL will transform as per below.
e. ACS (Consumer) URL
Copy the ACS Consumer Services URL (ACS) URL to ACS (Consumer) URL. This field accepts special characters.
f. Single Logout URL: Leave blank.
g. Login URL: This is required when SP as the SAML Initiator -Leave blank for default setting.
h. SAML not valid before - set to: 3
i. SAML not valid on or after – set to: 3
j. SAML initiator
k. SAML nameID format: This is the common attribute for SSO as well as SCIM.
l. SAML issuer type
m. SAML signature element
n. Encrypt assertion - Uncheck.
o. SAML encryption method – TRIPLEDES-CBC
p. Send NameID format in SLO Request - Uncheck
q. Generate AttributeValue tag for empty values - Uncheck
r. SAML sessionNotOnOrAfter - set to 1440
s. Sign SLO Request - Uncheck
t. Sign SLO Response - Uncheck
u. SCIM Base URL: set to – 'https://api.linkedin.com/scim'
v. SCIM JSON Template: No change required.
w. Custom Headers - Leave Blank
x. SCIM Bearer Token
This is the Token value generated from step 5 from the above
Once completed, make sure to save all changes before going to next section - Parameters section.
Parameters section
Determine what parameters are in scope from Provisioning. By default, Groups, Manager ID, SAML NameID (Subject) - map it to email, Department, scimusername, title are available.
Add givenName, surname as custom parameters to be sent back to LinkedIn Learning via SAML response as per below (If only required).
Please Save all changes before proceeding to next - SSO section.
Provisioning section
Enable Provisioning only once all config has been setup.
De-select “Create User”, “Delete User” and “Update User” from the permissions as it requires manual approval to add users via SCIM to LinkedIn Learning (recommended).
Users section
Add users individually or in bulk. (Please test with at least 2 or 3 users first before adding all users)
Once the user has been provisioned, there will a green tick against the user.
Congratulations! SSO and SCIM from OneLogin has been setup successfully.
Technical Issues
If you have technical issues with the SSO or SCIM setup, contact your account team or application support team through the LinkedIn Learning Help Centre.
Monitor Your Deployment
Now that you have finished configuring SCIM provisioning, all users assigned to the application in OneLogin should be automatically provisioned with a license in LinkedIn Learning, and any pushed groups should be automatically created and populated in LinkedIn Learning.
The initial sync may take longer if you have a large employee population, but subsequent changes and user updates should reflect in LinkedIn Learning in near real-time.
Note
Any future changes after the initial successful setup of SCIM implementation, it is highly recommended to stop the provisioning tool before making any changes on OneLogin side to avoid unnecessary sync process. This may lead to revoking licenses in error. Hence strongly suggest stopping the provisioning tool before making any changes first and turn back on provisioning once ready to sync.
If you wish to discuss any questions, please contact LinkedIn Learning Account team.
Appendix
Additional resources
LinkedIn’s Privacy and Data Security Policy
https://www.linkedin.com/legal/privacy-policy
LinkedIn Security Contacts
If you have any security questions or you would like to report a security issue, write to us at security@linkedin.com.
Commentaires
https://aka.ms/ContentUserFeedback.
Bientôt disponible : Tout au long de 2024, nous allons supprimer progressivement GitHub Issues comme mécanisme de commentaires pour le contenu et le remplacer par un nouveau système de commentaires. Pour plus d’informations, consultezEnvoyer et afficher des commentaires pour