Docebo for Auth0

Discover how the Auth0 app in Docebo works

Last Updated

November 14th, 2019


Introduction

Your platform can integrate with Auth0, a multi-layer Identity Provider. With this integration, you can allow users to log into their Docebo platforms using credentials from an active session of other web platforms. This integration is available for Docebo Enterprise plan and Growth plan clients, and can be used with subdomains, for those using Docebo’s Multidomain app.

Activating the App in Docebo

To activate the Auth0 app in your platform, log into your platform as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button.

Select the Third Party Integrations tab from the tab menu. Find the Auth0 app in the list of apps in this tab, then press the Activate Now button in the app’s row. Read the description in the pop up box, then press the Activate Now button. The app is now active in your platform.

Configuring the Integration in Auth0

Begin by logging into your Auth0 account, then press the New Client button in your Dashboard. In the pop up box, add your app’s name, then choose the client type. For this integration, the client type does not matter. Refer to the Auth0 documentation for more information about client types. Press Create when finished.

Once created, move to the Settings tab. Here, you need to pick up the Domain, Client ID, and Client Secret fields that were automatically generated. Flag the Review Client Secret option below the Client Secret field. These three fields need to be inserted into the corresponding fields in the Settings page for Auth0 in your platform.

Then, you need to insert the URL of your platform in your Allowed Callback URLs field as well as in the Allowed Web Origins field. For the Allowed Callback URLs field, you need to insert some information after your platform URL. It should look like this: https://mylmsurl.docebosaas.com/learn/auth0/callback. If you activated Auth0 for your Mobile App, when rebranding your app with the Docebo Branded Mobile App Publisher, remember to set the Package Name (for Android) and the Bundle ID (for iOS) in the Allowed Callback URLs field. The callback URLs for mobile rebranded apps should look like this: com.yourcompany.yourapp.

Next, scroll down and press the Show Advanced Settings item in the Settings tab for the client in Auth0. In the Advanced Settings area, select the Certificates tab, then copy all of the text from the Signing Certificate field and paste it into the corresponding field on the Settings page for Auth0 in your platform. You can also download the certificate for reference, if needed, but it is not mandatory. The rest of the configuration now takes place directly in your platform.

Configuring the App in Docebo

Access the Admin Menu from the gear icon in the header, find the Auth0 section in the menu, then press the Manage subitem. On this page, insert the Domain, Client ID, Client Secret, and Signing Certificate that you retrieved directly from Auth0.

Then, select the username attribute from Auth0 that will be used to match the user to a user profile in Docebo. Simply type the attribute (for example, username, email address, or unique user field) into the corresponding text box.

If you do not want to configure the SSO behavior, logout behavior, or user provisioning, press Save Changes. Refer to the sections below if you want to configure any of these sections.

SSO Behavior

To configure the SSO behavior, you can choose between two options: show the standard platform login page, or automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page.

If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page for when your users log out of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.

Logout Behavior

In the Logout Behavior section, you can flag the option for the user to automatically be logged out of the Identity Provider when he or she logs out of the platform.

When this option is selected, you have to whitelist the URL of your platform in Auth0, or your users will not be allowed to log out. The platform URL must be declared in two areas of your Auth0 account, so log into your Auth0 account and:

– click on Applications in the left menu, find your Docebo application in the list and click on the gear icon in the application row to access the Settings page. Move to the Allowed Logout URLs section and type the URL of your platform followed by /auth0 (ex. https://myplatform.docebosaas.com/auth0).

– move now to your profile menu by clicking on your avatar in the top right corner, and select Settings. Move to the Advanced tab and type your platform URL in the Allowed Logout URLs section (ex. https://myplatform.docebosaas.com).

When using the Custom Domain app, enter both the URL of your custom domain and the docebosaas URL.
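The allowlist entries described above (callback URL, web origin, application logout URL and tenant logout URL) can be checked against an export of your Auth0 settings. The following is an added example, not code from Docebo or Auth0; the key names and sample values are constructed assumptions about what such an export contains.

```python
from urllib.parse import urlsplit

def expected_entries(platform_urls, mobile_ids=()):
    """Allowlist entries this article asks for, per platform URL."""
    bases = [u.rstrip("/") for u in platform_urls]
    return {
        "callbacks": {b + "/learn/auth0/callback" for b in bases} | set(mobile_ids),
        "web_origins": set(bases),
        "allowed_logout_urls": {b + "/auth0" for b in bases},
        "tenant_logout_urls": set(bases),
    }

def audit(client, tenant, platform_urls, mobile_ids=()):
    """Compare exported settings with the expected entries; return findings."""
    configured = {
        "callbacks": client.get("callbacks", []),
        "web_origins": client.get("web_origins", []),
        "allowed_logout_urls": client.get("allowed_logout_urls", []),
        "tenant_logout_urls": tenant.get("allowed_logout_urls", []),
    }
    findings = []
    for field, wanted in expected_entries(platform_urls, mobile_ids).items():
        have = {v.rstrip("/") for v in configured[field]}
        findings += [f"{field}: missing {m}" for m in sorted(wanted - have)]
        for extra in sorted(have - wanted):
            if "*" in extra:
                reason = "wildcard entry"      # broader than one platform URL
            elif urlsplit(extra).scheme == "http":
                reason = "non-HTTPS entry"     # tokens would cross in cleartext
            else:
                reason = "unexpected entry"    # not required by this integration
            findings.append(f"{field}: {reason} {extra}")
    return findings

# Constructed sample export (assumed key names, made-up values).
SAMPLE_CLIENT = {
    "callbacks": ["https://mylmsurl.docebosaas.com/learn/auth0/callback",
                  "https://*.example.com/learn/auth0/callback"],
    "web_origins": ["http://mylmsurl.docebosaas.com"],
    "allowed_logout_urls": ["https://mylmsurl.docebosaas.com/auth0"],
}
SAMPLE_TENANT = {"allowed_logout_urls": []}

if __name__ == "__main__":
    for line in audit(SAMPLE_CLIENT, SAMPLE_TENANT,
                      ["https://mylmsurl.docebosaas.com"]):
        print(line)
```

When using the Custom Domain app, pass both the custom domain URL and the docebosaas URL in platform_urls so that both sets of entries are expected.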

User Provisioning

DISCLAIMER: In order to properly perform user provisioning for this integration, you must first create rules in Auth0. Please refer to this official documentation from Auth0 to learn more. Once you’ve created the proper rules, you can configure the user provisioning in your platform. Please also note that when you create a new client in Auth0, the client is created as OIDC Conformant. Docebo does not work with OIDC Conformant clients, as it uses the legacy Auth0 pipeline. Please disable this setting in your Auth0 Admin account:

auth0 OIDC

In your platform, this section allows you to instantly create a user who is present in your Identity Provider but is not yet present in the LMS database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via Auth0. When editing the user profile, the options will be greyed out.

If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that not flagging these options results in needing to manually register (enable option) or update your users (update information) in the platform.

Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the name of the fields in the Identity Provider (attribute statement). Please note that each field must be unique, meaning that you cannot apply the same claim to multiple fields.

In the text box, type in the name of the additional field in the platform, then press the Add button. The additional field will appear in a list below, with the field name and field category automatically filled in by your platform. Insert your Identity Provider attribute statement into the corresponding text box.

When you’re finished, press Save Changes.

Auth0 for Multidomain Clients

If you want to set up Auth0 for a specific client that you’ve created using the Multidomain app, access the Admin Menu, find the Multidomain section, then press the Manage subitem. Find your client in the list, then press the gears icon in the client’s row. Then, reach the Auth0 Settings tab on the left side of the page. Now, follow the steps outlined above to fill in the settings page.

Logging in Using Auth0 credentials

To log in to your platform using your Auth0 credentials, press the Login button on the platform’s sign in page, then press the Auth0 item in the pop up box.

Configuring Auth0 for the Go.Learn App

If you’re using Auth0 for SSO on Docebo’s Go.Learn app, you need to configure the Application Type and Allowed Callback URLs field in Auth0 in order for your learners to log into the app using Auth0.

The Application Type must be set to Native, and you must add the following URLs into the Allowed Callback URLs section (replacing {AUTH0_DOMAIN} with your own Auth0 domain, using the FQDN – Fully qualified domain name):

– com.docebo.eolo.staging://{AUTH0_DOMAIN}/ios/com.docebo.eolo.staging/callback

– com.docebo.eolo.staging://{AUTH0_DOMAIN}/android/com.docebo.eolo.staging/callback

Please note: You should configure these fields as soon as possible to ensure that your users are able to access the Go.Learn app using Auth0. As of April 2, 2019, if you have not configured these fields properly, your users will not be able to access Go.Learn using Auth0 SSO.