Docebo for OpenID Connect

Integrate your Docebo LMS with OpenID Connect

Last Updated

October 7th, 2019

Reading Time

16 min

User Level

Introduction

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows you to verify the identity of users based on the authentication performed by an Authorization Server, and to obtain basic profile information about them in an interoperable way. Docebo supports the OpenID Connect Authorization Code flow, which is one of the available flows for authentication. Please refer to the OpenID Connect technical documentation for further information.

By activating the OpenID Connect app in your Docebo LMS, users will be able to log into their Docebo platforms using the credentials from active sessions of other web platforms.  When the app is active, users can press the OpenID Connect icon in the LMS login page to connect to the platform with the credentials of other web platforms, and will also be allowed to log into the LMS from the OpenID Connect dashboard, by pressing the LMS icon. If a user requesting to login does not exist in Docebo yet, he or she will be automatically created at the first login.

This article will give you a step-by-step process of how to activate and configure the app. Please note that the integration with OpenID Connect is available for all customers (both Growth plan and Enterprise plan clients) using the 7.0 theme, and for Docebo’s Multidomain App. It is not compatible with the 6.9 theme.

Please Note: When using OpenID Connect, you can integrate a single Identity Provider per platform domain. If you need to integrate other identity providers for the same domain, please use another protocol.

The mobile application does not support OpenID Connect Authentication. Only the desktop version of the website allows for OpenID Connect Authentication.

Activating the OpenID Connect App

To activate the app, log into your LMS as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button. Select the Single Sign On tab from the left menu. Find the OpenID Connect app in the list of apps in this tab, then press the Try It For Free button in the app’s row. Read the description in the pop up box, then press the Try It For Free button again to finalize the activation.

Once it’s activated, you can begin the configuration. Please refer to the section below to learn more.

Configuring the OpenID Connect App

To begin the configuration for this app, log into your platform as Superadmin and access the Admin Menu from the gear icon on the top right corner. Then, find the OpenID Connect section in the Admin Menu and press the Manage subitem. You will be redirected to the OpenID Connect Settings page.

The URLs listed in the Platform URLs section are automatically generated by your platform, and must be passed to your Identity Provider for a proper configuration of the LMS in their platforms:

– Login URL. 3rd-party application login page for federated authentication using OpenID Connect.

– Logout URL. Logout URL used to log the current user out of the 3rd-party application.

– Code URL. Redirect URL of the 3rd-party application for OpenID Connect code responses,

The OpenID Client section must be filled in with the details of the Identity Provider you are integrating. Copy and paste this data from the provider into this section in your LMS. Check the technical documentation of your identity provider for information on how to obtain this data. If your Identity Provider is OKTA, OneLogin, SalesForce, Microsoft Azure AD or Microsoft Azure AD B2C, you’ll find Configuration Examples listed at the end of this article.

Issuer. Authorization Server’s complete URL

Client ID. Client ID of the client requesting to access the token

Client Secret. This client secret is used in conjunction with the Client ID to authenticate the client application

Metadata URL. Returns OpenID Connect metadata related to the specified authorization server. The Metadata URL provides all the data configurable in second section of the OpenID Connect configuration page.

Use the Auth Type section to select whether to activate the Basic Auth or the Query String Authentication Type, depending on the Identity Provider you are using. The Basic Auth type is the default selection, because it’s the most commonly used. Please refer to the documentation of your Identity Provider to retrieve this information.

Press Reset at any time to start the configuration from scratch, or press Continue to activate the second slot of parameters, and to proceed with the configuration. The upcoming options are self-populated by the Metadata URL.

Username Attribute

In Username Attribute section, select one of the options that are auto-provided by the Identity Provider. The attribute that you select will be the username for your users in the LMS. When making your selection, make sure that the selected attribute is populated for all your users in the Identity Provider. Please note that the selected attribute must be a unique identifier. For example, if you select Family Name as username attribute, you must be sure that none of your users have the same family name. We suggest selecting Email as Username Attribute.

Also remember that if you selected the First Name and Last Name are required in order to register option in the Self Registration tab of the Advanced Settings section of Docebo Admin Menu, the Identity Provider must provision the users’ first and last names for a proper registration to the platform.

Scope

The elements of the Scope list are also auto-populated and depend on the endpoint. This is a list of the available profile information retrieved by the Metadata URL inserted in the OpenID Client section. Select the user data you want to retrieve from the Identity Provider via ID Token by checking the corresponding checkboxes. Please note that Email and Profile are mandatory scopes and must always be checked.

The selected options in this section identify the data that will populate the user profile when the user is created in the platform, at first login. If the ID Token includes additional fields, group or branch assignations to Docebo, this information will be taken into account, and populated in the LMS.

Please Note: The integration works only with id_token to retrieve the access token. Currently, userinfo endpoint is not supported.

Certification Rotation

When the Certification Rotation option is enabled, the LMS will retrieve the key that is valid at the time of the request from an URL defined by the OpenID Connect standard. The Identity Provider will auto-enable the option to refresh the certification autonomously. This is part of the standard relation, and it is either auto-flagged or not.

If the Identity Provider does not support the certification rotation, but this option is enabled, an error message will be shown.

SSO Behavior

The SSO behavior can be configured in two different ways. Define whether you want to show the standard LMS login page, or if you want to automatically redirect the users to the Identity Provider dashboard. When the first option is flagged, define whether you want to show the SSO button on your platform’s login page.

When selecting the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users logout of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.

Logout Behavior

The Logout Behavior section allows you to configure if users will be automatically logged out from the Identity Provider when they log out from the LMS. As an additional option, you can select a custom third party logout endpoint, able to receive the logout message via GET in order to complete the Single LogOut; this option is supported by a few Identity Providers.

User Provisioning

This section allows you to instantly create a user who is present in your Identity Provider but not yet present in the LMS database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via OpenID Connect. When editing the user profile, the options will be greyed out.

If there are users existing in both databases, we suggest you flag the option to update the user information for the existing users. Please note that when these options are not flagged, you will have to manually register (enable option) or update your users (update information) in the LMS.

Please note that OpenID Connect automatically populates the the Identity Provider additional fields, so remember to select them one by one from the Add Fields dropdown menu and to associate them to the Docebo user additional fields in the section displayed for each additional fields after the selection. Please remember that if you set some user additional field as mandatory in your LMS, they must be mapped in this section in order to be populated in your platform. If the mandatory additional fields are not populated, the user will not be created. Also note that dropdown user additional fields are currently not supported.

Click Save Changes to complete the configuration. Please note that the additional fields that are supported for user provisioning in this integration are: dropdown, text field, fiscal code, country, date field (format: YYYY-MM-DD), and yes/no fields. Additional fields that are not supported with this integration are iFrame, file and text area fields.

Configuration Examples

This section provides you with some examples on how to configure and integrate some of the most popular Identity Providers. If your vendor is not listed here, please refer to the above documentation.

OKTA

When configuring OKTA with OpenID Connect, the OKTA app does not need to be activated in your platform. Start the by connecting to Okta web site as an Admin, click on Admin on the top right corner, then move to the Applications tab and click Add Application to create the Docebo App in Okta, registering it as a Service Provider. Click on Create New App.

In the pop up box, select Web as Platform Type and OpenID Connect as Sign On Method. Press Create to proceed. Type the Application Name (can either be Docebo, or the App as renamed for your company) and add a logo to identify the App in the OpenID Connect dashboard. The logo upload is optional, but can be very useful to quickly identify the LMS in the OpenID Connect dashboard.

Open the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), and copy the values shown in the Platform URLs section in the corresponding fields of the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta. In the Login redirect URIs section, copy and paste the Login URL and the Code URL values from Docebo, in this order. Press Add URI button to insert a new row.  Copy and paste the Logout URL value  from Docebo in the OKTA’s Logout redirect URIs section. Press Add URI button to insert a new row.Press Save to proceed.

Retrieve now the OpenID Connect information from the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta, and paste them into the Open ID Client section of the OpenID Connect configuration page in Docebo. Move to the General tab, copy the Client ID and the Client Secret values, and copy them in the corresponding fields in Docebo. Retrieve the Client Issuer code from your OKTA installation URL: copy the URL from https up to the end of the domain name (i.e https://{yourdomainname}.oktapreview.com/) and paste it in the Issuer.

Finally, compose the Metadata URL value as follows:

{{url}}/.well-known/openid-configuration?client_id={{clientId}}

where:

{{url}} is the Issuer Code (including the https or the http protocol), remove {{ }}
{{clientId}} is the Client ID value, remove {{ }}

Copy the resulting URL and paste it as Metadata URL value in Docebo.

On Okta web site, define the users allowed to use the app. Move to the Assignments tab and add the users, either one by one or with a mass action. Click Assign and select either Assign to People or Assign to Groups, depending on your needs. Select the users and/or the groups previously created in Okta, click on Assign and Done to complete the action.

The Docebo configuration on Okta is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

OneLogin

When configuring OneLogin with OpenID Connect, the OneLogin app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to OneLogin, click on Administration on the page upper bar, select the Apps tab and click on Custom Connectors.

Create a custom connector in order register Docebo as Service Provider. Click on New Connector on the top right corner. Enter your Docebo App Name (i.e yourtrial.docebosaas.com) and press Thick to confirm. You will see the Basic Configuration page. Add an icon to identify the App in the OpenID Connect dashboard. The icon upload is optional, but can be very useful to quickly identify the LMS in the OpenID Connect dashboard. In the Sign On Method section, select OpenID Connect.

Open the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), and copy the values shown in the Platform URLs section in the corresponding fields in OneLogin, as follows. In the OneLogin OpenID Connect section, paste the Docebo Code URL in the redirect URI field. Move to the Login URL section and paste the Login URL in the Login URL field. Press Save to continue.

Move to the Apps tab, select Add Apps and search for OpenID Connect in the search bar. Select OpenId Connect (OIDC) among the search results listed in the Find Application page. Either confirm or select your subscription plan and press Continue. Insert the App name and description. In the Configuration tab, copy and paste the Login URL from Docebo in the Login Url fields and the Code URL and the Logout URL in the Redirect URI’s section, as separate lines. Press Save to proceed.

Retrieve now the OpenID Connect information from OneLogin. The Issuer code comes from the OneLogin website URL: copy the link from https to the last letter before the first single slash (do not copy the slash). Move now to the SSO tab.

Copy the Client ID and the Client Secret and paste them in the corresponding fields of the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage).

Finally, compose the Metadata URL value as follows:

{{url}}/oidc/.well-known/openid-configuration

Where url is the Identity Provider url, remove {{ }}

Define now the users allowed to use the app. Move to the Users tab and insert the user accounts that will be able to connect using this Identity Provider.

The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

Salesforce

When configuring SalesForce with OpenID Connect, the SalesForce app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to SalesForce, click on Setup on the page upper bar. From the left-side menu, reach the Build section, select Create, and finally Apps.

From the Apps page, move to the Connected Apps section, and click New to add Docebo as new application.

In the New Connected App page that will open, type the Connected App Name and a Contact email address in the corresponding sections. Move now to the API (Enable OAuth Settings) section and flag the Enable OAuth settings option. When this option is selected, several configuration options will be shown underneath.

Open now the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), and copy the values shown in the Platform URLs section in the corresponding fields of this page. In the Callback URL, paste both the Login URL and the Code URL values on two separate lines, without separation characters.

Define now the Selected OAuth Scope by adding Allow access to your unique identifier by adding them to the Selected OAuth Scope box. Check the Configure ID Token option and select Include standard claim from the options shown underneath. If needed, enable the Enable Single Logout option and copy and paste the Docebo Logout URL.

Press Save to complete the configuration. Please note that once you save, it may take up to ten minutes for your App to be created.When the creation procedure is over, you will be redirected to the page of the app you have just created.

Retrieve now the OpenID Connect information for Docebo. The Issuer code comes from website URL, copy the link from https to the last letter before the single slash. Copy the Consumer Key and the Consumer Secret values (click on Click to Reveal to see the code in clear) and paste them in the Client ID and in the Client Secret into the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage).

Finally, compose the Metadata URL value as follows:

{{url}}/.well-known/openid-configuration

Where url is the Identity Provider url, remove {{ }}

The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Query String and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

When users login to the platform for the first time using SalesForce, they will be asked to confirm that Docebo can access their data before proceeding. Please note that if users do not allow Docebo to access their data, than they will not be able to login.

Microsoft Azure AD

Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SLL certification is valid). Connect to the Microsoft Azure AD web site as an Admin, and select Azure Active Directory on the left side panel of your dashboard to register the Docebo App, then App Registration from the sub-menu. Click New Application Registration from the top area of the App Registration page.

You will be redirected to the app creation page. Insert a Name for the app and select the Web app/API Application Type. Now open the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), and copy the Login URLs value into the Sign-on URL field. Press Create to proceed. The Docebo app has been created and registered in Microsoft Azure AD. Now, select the Docebo app from the dashboard, click Settings from the app page and move to the Reply URLs option of the General menu. Once again, open the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), and copy the Code URL in the right panel. Press Save to confirm.

While you’re still in the Settings page, move to the Keys option of the API Access menu to set the access key that will be needed later to complete the Microsoft Azure AD configuration in Docebo. Insert a Description for your access key, and set the Expires value to Never Expires so that you won’t need to change it in the future. Press Save to generate the access key value. The value is automatically generated by Microsoft Azure AD and displayed in the Value text area in the row of your access key. Copy the access key value and store it in a safe place, as you will not be able to retrieve it again after leaving this page.

The Docebo app configuration in Microsoft Azure AD is complete. Now, move to your Docebo platform (logged in as a Superadmin) to configure the integration on the LMS side (Admin Menu -> OpenID Connect -> Manage). Refer to this article of the Microsoft Azure AD Knowledge base to retrieve Metadata URL value. The Issuer will made available in the Metadata URL output. The Client ID value corresponds to the Application ID value displayed in the Settings page of the Docebo app in Microsoft Azure AD. Finally, fill in the Client Secret field with the access key value generated in the Keys section in Microsoft Azure AD.

The configuration of the communication between Docebo and Microsoft Azure AD is complete. Set the Auth Type value to Query String and press Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

When a user logs in Docebo via Microsoft Azure AD for the first time after the configuration, a pop-up message will ask him/her to confirm the he/she allows the Docebo app to access the data stored in Microsoft Azure AD and to view his/her basic profile.

Press Accept to continue. Please note that if you do not provide your permission, the integration will not work.

Microsoft Azure AD B2C

Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SLL certification is valid). Connect to the Microsoft Azure AD web site as an Admin. From the search bar in the top area of the All Services page, look for Azure AD B2C and select it from the search results.

Once in the Azure AD B2C page, select Applications from the Manage menu. In the Azure AD B2C – Applications page, click Add to add Docebo. Start adding the Docebo app by typing the app name and by setting the options in the Web App / Web API section (Include web app 7 web API and Allow implicit flow) to Yes.

Retrieve the value for the Reply URL field from your LMS. Open the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage), copy the Code URL and paste it into this field. Press Create to confirm the app creation. The Docebo app is now listed in the Applications page. Click on the app name to access its Properties page. In the Reply URL section, type the Login URLs value retrieving  it from the OpenID Connect configuration page in Docebo (Admin Menu -> OpenID Connect -> Manage) and press Save to confirm your entry.

Now move to the Keys option of the General menu to set the access key that will be later needed to complete the Microsoft Azure AD B2C configuration in Docebo. Click Generate Key.

Enter a description for your key and press Save. Upon saving, the system will generate the access key. Copy the access key value and store it in a safe place since you will not be able to retrieve it again after leaving this page.

The Docebo app configuration on Microsoft Azure AD B2C is complete. Move now to Docebo to configure the integration on the LMS side (Admin Menu -> OpenID Connect -> Manage). Refer to this article of the Microsoft Azure AD Knowledge base to retrieve Metadata URL value. The Issuer will made available in the Metadata URL output. The Client ID value corresponds to the Application ID value displayed in the Properties page of the Docebo app in Microsoft Azure AD. Finally, fill the Client Secret field with the access key value generated in the Keys section in Microsoft Azure AD B2C.

The configuration of the communication between Docebo and Microsoft Azure AD B2C is complete. Set the Auth Type value to Query String and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article. When a user logs in Docebo via Microsoft Azure AD B2C for the first time after the configuration , a pop-up message will ask him/her to confirm the he/she allows the Docebo app to access the data stored in Microsoft Azure AD and to view his/her basic profile. Press Accept to continue. Please note that if you do not provide your permission, the integration will not work.