Docebo for SAML – Smart Configuration

For those using SAML in Docebo on or after February 25, 2020

Last Updated

May 5th, 2020

Docebo Module

Integrations

Reading Time

9 min

User Level

Introduction

This article describes how to configure the integration between Docebo and SAML using the smart configuration process. This configuration option is the default one for those that have either activated their Docebo platform or activated the SAML app in their existing platform on or after February 25, 2020. Refer to this article for further information on the available options for integrating SAML with Docebo.

By activating the SAML app in Docebo, you allow users to log into their learning platforms using the credentials from active sessions of other web platforms. This article will give you a step-by-step process of how to activate and configure the app using the Smart Configuration procedure.

Please Note: To prevent improper SAML configurations, Docebo has implemented a blocker as of April 2018. If the connection continues to bounce back and forth, Docebo has added a stopper that will show an error page. Additionally, the browser that started the loop will be timed out for one hour.

Configuring SAML using Google, OKTA, Microsoft Azure and OneLogin

If you are configuring SAML to work in conjunction with OKTA, Microsoft Azure or OneLogin, have a look at the step-by-step configuration from our Solution Deployment Managers. Refer to this document for the OKTA configuration, to this document for the Microsoft Azure configuration and to this document for the OneLogin configuration. If you are configuring SAML in conjunction with Google, check out this guide written by Google. 

Activating the SAML App

To activate the app, log into your platform as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button. Select the Third Party Integrations tab from the tab menu. Find the SAML 2.0/ADFS Integration app in the list of apps in this tab, then press the Contact Us button in the app’s row.

You will be redirected to the platform Communication Center where you will be able to contact us in order to activate the SAML app on your behalf. Once it’s activated, you can begin the configuration. Please refer to the section below to learn more.

Configuring the SAML App with the Smart Configuration Process

To begin the configuration for this app, access the Admin Menu by scrolling your mouse over the gear icon. Then, find the SAML section in the Admin Menu, and press the Settings subitem. You will then be redirected to the SAML settings page. Begin by selecting the Smart Configuration Type and flag the checkbox in the Active section. By default, this setting is not flagged when you first activate the app on your platform. You will need to enable this switch to begin configuring the app on your platform.

Then, insert the SSO URL into the text field in the SSO URL section, as well as the Issuer in the text field in the Issuer section. Please note that both of these are mandatory fields. You should ask your IT manager to provide you with this information, as necessary, and both are used to authenticate the app with your identity provider.

X509 Certificate

You then need to upload your X509 certificate by pressing the Upload Certificate button in the X509 Certificate section. Again, this is a mandatory step in your configuration. When you upload this certificate, your platform validates the public key that you’re uploading. Once the upload is complete, a message will appear in the X509 Certificate section to inform you if the uploaded certificate is valid or not. You can press the View Details button to view how Docebo read and validated your certificate, including the validity status and expiration dates. Please note that if Docebo is unable to validate your certificate, you are not able to proceed with the configuration.

Your platform will automatically use the expiration dates in your uploaded X509 Certificate to send all platform Superadmins mandatory notifications about necessary updates to your SAML configuration when your expiration date is approaching (30, 15, 5 and one days before the certificate expiration). Notifications cannot be modified or disabled. In this way, you are able to update your SAML configuration before it expires, so your users aren’t blocked from logging into the platform. If the Extended Enterprise App is active in your platform, notifications will be sent both to the main domain and all sub-domains. 

Service Provider Signing

Then, you need to upload your Private Key File (PEM) and Certificate File (CRT) into the Service Provider Signing section using the corresponding Upload File(s) button. This is not a mandatory step in the configuration, but you must upload these certificates if you want to use the single logout (SLO) feature.

You cannot upload only one of these files. You must upload both the PEM and the CRT file. Please note that neither file can have any additional information (one can only have the private key, and the other can only have the cert), or you will receive an error when trying to configure the app. Here is an example of a cert in PEM format, and here is an example of a private key file in PEM format.

Just as with the X509 Certificate, your PEM and CRT certificates will be validated upon upload. Once the upload is complete, a message will appear in the X509 Certificate section under each Upload File(s) button to inform you if the uploaded file is valid or not. You can press the View Details button to view how Docebo read and validated your certificate, including the validity status and expiration dates. Please note that if Docebo is unable to validate your certificate, you are not able to proceed with the configuration.

Your platform will automatically use the expiration dates in your uploaded PEM and CERT files to send all platform Superadmins mandatory notifications about necessary updates to your SAML configuration, such as when your expiration date is approaching  (30, 15, 5 and one days before the certificate expiration). Notifications cannot be modified or disabled. In this way, you are able to update your SAML configuration before it expires, so your users aren’t blocked from logging into the platform. If the Extended Enterprise App is active in your platform, notifications will be sent both to the main domain and all sub-domains. 

Username Attribute

In the Username Attribute section, select one of the options that are auto-provided by the Identity Provider. The attribute that you select will be the username for your users in Docebo. When making your selection, make sure that the selected attribute is populated for all your users in the Identity Provider. Please note that the selected attribute must be a unique identifier. For example, if you select Family Name as username attribute, you must be sure that none of your users have the same family name. We suggest selecting Email as Username Attribute.

Also remember that if you selected the First Name and Last Name are required in order to register option in the Self Registration tab of the Advanced Settings section of Docebo Admin Menu, the Identity Provider must provision the users’ first and last names for a proper registration to the platform.

Now, you have configured all of the mandatory fields (Issuer, SSO URL and X509). If you do not want to configure the unique field, SSO behavior, logout behavior, or user provisioning, you can simply press Save Changes. Once you press the Save Changes button at the bottom of the page, you should then copy the Login URL and the Logout URL that you see in the SAML 2.0 SP Metadata section to pass to your identity provider.

If desired, you can press the Download button in the SAML 2.0 SP Metadata section to download the metadata file, but the only mandatory fields that you need to pass are the Login URL and Logout URL provided in the same section.

If you would like to configure the logout behavior, SSO Behavior, and/or User Provisioning, then do not press Save Changes yet. You can refer to the sections below to learn more about each function.

SSO Behavior

To configure the SSO behavior, you can choose between two different options. Choose whether you want to show the standard platform login page, or if you want to automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page.

If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users log out of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.

The Show standard login page option is supported by Docebo’s Go.Learn mobile app. If you set this option and you use SAML on your mobile app, remember that it is necessary to set also the Show SSO button on login page. The Automatic redirect to identity provider setting (and as a consequence the possibility to add a specific logout landing page) is not supported by the Go.Learn mobile app.

Logout Behavior

In the Logout Behavior section, you can flag the option for the user to automatically be logged out of the Identity Provider when he or she logs out of the platform. Please note that you cannot enable this option unless you have already uploaded validated PEM and CRT files on your platform. In order for the logout request to be accepted by an Identity Provider, typically the logout request must be signed, hence why you need both files to flag this option.

When this option is selected, the Logout Endpoint text field is shown for you to define the URL where users will land upon logging out from the platform and from the Identity Provider. Thanks to this configuration, users can land on a different URL from the one used for SSO. When the Logout Behaviour option is selected, it is mandatory to insert a logout endpoint. 

User Provisioning

This section allows you to instantly create a user who is present in your Identity Provider but is not yet present in the learning platform database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via SAML. When editing the user profile, the options will be greyed out.

If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that not flagging these options results in needing to manually register (enable option) or update your users (update information) in the platform.

Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the name of the fields in the Identity Provider (attribute statement).

Please note that each field must be unique, meaning that you cannot apply the same claim to multiple fields. In the text box, type in the name of the additional field in the platform, then press the Add button. The additional field will appear in a list below, with the field name and field category automatically filled in by your platform. Insert your Identity Provider attribute statement into the corresponding text box.

You can define the language for the users created in the platform via SAML using the Language field. In doing this, once a user is created, the platform of said user will be in the language set via the SAML claim that you configured. Once you’ve added the Language field, insert the same string into the Attribute Statement textbox that you inserted into the field in your identity provider that you’re matching.

In your language field in your identity provider, the string must use one of the codes that the platform uses to identify languages (en = English, de = German, etc.). For a full list of these codes, refer to this list. If the code given for this field for a specific user does not match any of the language codes of the platform, the user will be given the set default language of the platform upon activation.

When you’re finished, press Save Changes. Now you can download the XML file and import it inside of your Identity Provider in order to set up the related authorization and complete the process.

Best Practices

In order to make the most of this integration, you should set up groups that are auto-populated, then use Docebo’s Enrollment Rules App to automatically enroll these groups into courses or learning plans. Thus, when a new user is created, you do not have to manually assign them to groups, courses or learning plans.

Please note that in order to correctly pair newly added SAML fields and newly added platform additional fields and use them to auto-populate groups, you must always log out of both the learning platform and the identity provider. Therefore, please make sure you’ve enabled the option in the Logout Behavior section. Without flagging this option, this user provisioning process will not occur.

Additionally, you can use the following SSO links to automatically access some areas of your Docebo platform with an SSO login:

  • LMS homepage: /lms/index.php?r=site/sso&sso_type=saml
  • Into a Specific Course: /lms/index.php?r=site/sso&sso_type=saml&id_course=18
  • Catalogs Area: /lms/index.php?r=site/sso&sso_type=saml&destination=catalog
  • Learning Plans: /lms/index.php?r=site/sso&sso_type=saml&destination=learningplan

For certain SAML Identity providers, the standard SAML endpoints provided by the XML metadata are not allowed. In this case, Docebo has simplified endpoints. Docebo has SAML 2.0 metadata without the query string part available, thus making it acceptable by OpenSAML:

  • http(s)://exampleLMS.docebosaas.com/simplesaml/modules/saml/sp/saml2-logout.php/default-sp
  • http(s)://exampleLMS.docebosaas.com/simplesaml/modules/saml/sp/saml2-acs.php/default-sp

AWS Certification

Please note that Docebo is available in the AWS SSO Catalog. For more information, refer to this PDF.