By integrating your Docebo LMS with Okta, you create a Docebo application inside Okta, allowing learners who are logged into Okta to be logged into your Docebo LMS automatically. Okta is an integrated identity and mobility management service that connects people to their applications from any device. You’ll begin this integration by configuring the SAML template on OKTA. Once this is complete, you will activate the Okta app in your Docebo LMS. This manual will show you both of these steps.
Please Note: To guard against improper OKTA configurations, Docebo has implemented a redirect-loop blocker as of April 2018. If the SSO connection keeps bouncing back and forth between OKTA and the LMS, the blocker stops the loop and shows an error page. Additionally, the browser that started the loop will be timed out for one hour.
This app is available for Docebo Enterprise plan clients and it is optional for Growth plan clients.
For a step-by-step look at the OKTA configuration from one of Docebo’s Implementation Specialists, refer to this document.
Configuring the SAML App on OKTA
Begin by accessing your Okta account as an Admin, then reach the Applications tab from the tab menu at the top. In the Add Application section, click on Create New App. Then, select Platform > Web and Sign On Method > SAML 2.0. Set a name for the App.
Now you should configure the application using the following parameters:
- Single sign on URL: https://mylms.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp
- Audience URI (SP Entity ID): https://mylms.docebosaas.com/lms/index.php
- Name ID format: transient
If you have the Extended Enterprise App active and you need the Assertion Consumer Service information, you should download the SP Metadata file and retrieve it from there.
Both the Post Back URL and the Recipient fields should contain the Assertion Consumer Service, while the Audience Restriction must be set to the LMS Entity ID (replace mylms.docebosaas.com with the actual URL of the LMS you are linking to OKTA).
Both Response and Assertion must be signed and the Destination field should have the Assertion Consumer Service. Finally, move to the Attribute Statements field, which contains the set of attributes passed to Docebo, describing the user that has successfully performed an SSO on Okta. Docebo will read one of those attributes to identify the user and match it against the username inside the LMS.
Please note that if the user who tries SSO in OKTA is not present inside the Docebo user base, the SSO will fail, and you will receive an error message.
Now, press Next. You’ll be required to assign the application to your Okta users so that they can see the application in their My Applications section.
Once the previous steps are saved, you will be redirected to the App Settings page. Select the Sign On tab, then click the View Setup Instructions button.
The new page contains a few configuration instructions for the created SAML 2.0 template. From this page, you should copy the External Key and IDP Metadata into the SAML settings page in your Docebo LMS.
Activating the OKTA App in Docebo
To activate the app, log into your LMS as the Superadmin, then access the Admin Menu from the gear icon in the top right corner of the platform. Then press the Apps & Features item in the Admin Menu. In order to activate this app, select the Single Sign On tab from the tab menu on the left side of the page. Then, find the OKTA app in the list of apps in this tab, and press the Buy Now! button in the app’s row. Read the description in the pop up box, then press the Contact Us Now button.
From here, Docebo will reach out to you regarding activating the app in your platform. Docebo will activate the app in your platform on your behalf. Once it’s activated, you can begin the configuration.
Managing the OKTA App in Docebo
Access the Admin Menu by hovering your mouse over the gear icon. Then, find the OKTA Settings section and press the Manage subitem.
You will then be redirected to the settings page. Begin by flagging the check box in the Active section. By default, this setting is not flagged when you first activate the app in your platform. You will need to enable this switch to begin configuring the app in your LMS.
Then, insert your identity provider ID, XML metadata, and username attribute into the corresponding text boxes on this page. You then need to upload your private key file (PEM) and your certificate file (CRT) using the corresponding Choose File buttons. Please note that these are all mandatory fields. You should ask your IT manager to provide you with this information, as necessary.
You also need to flag which hash algorithm (SHA-1 or SHA-256) is used to validate the Identity Provider’s signatures. For new configurations, the default value will be SHA-256. If you already have a valid configuration in your platform, the default value will be SHA-1.
Now, you have configured all of the mandatory fields. If you do not want to configure SSO behavior or user provisioning, you can simply press Save Changes. Now you can download the XML file and import it inside of your Identity Provider in order to set up the related authorization and complete the process.
If you would like to configure SSO behavior and/or user provisioning, then do not press Save Changes yet. You can refer to the sections below to learn more about each function.
To configure the SSO behavior, flag one of two options: either show the standard LMS login page, or automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page (please note that this option is only available for those using Docebo 6.8 or higher).
If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users logout of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.
In the Logout Behavior section, you can flag the option for the user to automatically be logged out of the Identity Provider when he or she logs out of the LMS.
The user provisioning section allows you to instantly create a user who is present in your Identity Provider but is not yet present in the LMS database. Begin by flagging the Enable option. If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that if these options are not flagged, you will need to register new users (Enable option) or update existing users (update information option) manually in the LMS.
Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the name of the fields in the Identity Provider (attribute statement). In the text box, type in the name of the additional field in the LMS, then press the Add button. The additional field will appear in a list below, with the field name and field category automatically filled in by your platform. Insert your Identity Provider attribute statement into the corresponding text box.
When you’re finished, press Save Changes. Now you can download the XML file and import it inside of your Identity Provider in order to set up the related authorization and complete the process.
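As an added illustration (not Docebo’s or Okta’s own code), the following Python checks a SAML Response against the settings described in the OKTA template section and the user provisioning section above: Response and Assertion both signed, SHA-256 versus SHA-1 signature algorithm, Destination and Recipient equal to the Assertion Consumer Service URL, Audience equal to the SP Entity ID, one attribute statement matched as the LMS username, and the remaining attribute statements mapped to LMS additional fields. The sample Response is constructed and carries no real signature value, so the check covers structure only, not cryptographic signature verification; the function names, the mylms.docebosaas.com host and the attribute names login and department are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",          # SAML 2.0 and XML-DSig namespaces
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Endpoints from the article; mylms.docebosaas.com stands in for the real LMS host.
ACS_URL = ("https://mylms.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/"
           "modules/saml/sp/saml2-acs.php/default-sp")
SP_ENTITY_ID = "https://mylms.docebosaas.com/lms/index.php"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG = '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{}"/></ds:SignedInfo></ds:Signature>'

def sample_response(sig_alg=RSA_SHA256, audience=SP_ENTITY_ID):  # constructed sample; no real signature value
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">{SIG.format(sig_alg)}
  <saml:Assertion>{SIG.format(sig_alg)}
    <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="login"><saml:AttributeValue>jane.doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, username_attr="login", field_map=None, allow_sha1=False):
    """Check a Response against the LMS SAML settings; returns (ok, problems, username, extra_fields)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion in Response"], None, {}
    problems = []
    # Both Response and Assertion must be signed; SHA-1 passes only if the LMS is set to SHA-1.
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif method.get("Algorithm") == RSA_SHA1 and not allow_sha1:
            problems.append(f"{label} is signed with SHA-1 but the LMS expects SHA-256")
    # Destination and Recipient must be the ACS URL; Audience must be the SP Entity ID.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if root.get("Destination") != ACS_URL or scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Destination or Recipient is not the ACS URL")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience is not the SP Entity ID")
    # One attribute statement is matched against the LMS username; others feed LMS additional fields.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not (username := attrs.get(username_attr)):
        problems.append(f"username attribute '{username_attr}' missing; the LMS cannot match the user")
    extra = {lms: attrs[idp] for lms, idp in (field_map or {}).items() if idp in attrs}
    return not problems, problems, username, extra
```

Passing the field_map as {LMS additional field: IdP attribute statement} mirrors the pairing entered on the provisioning page, and a missing username attribute reproduces the SSO failure the article describes for users not found in the LMS.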
In order to make the most of this integration, you should set up groups that are auto-populated, then use Docebo’s Enrollment Rules App to automatically enroll these groups into courses or learning plans. Thus, when a new user is created, you do not have to manually assign them to groups, courses or learning plans. Please note that, in order to correctly pair newly added SAML fields with newly added LMS additional fields and use them to auto-populate groups, you should also set up the SAML app in Docebo.
Completing the SSO Process
Once you’ve completed the configuration, Docebo and OKTA will be able to communicate via SAML 2.0 SSO. You can then start the SSO process in the following two ways:
- SP Initiated. By using this URL: https://mylms.docebosaas.com/lms/index.php?r=site/sso&sso_type=saml
- IDP Initiated. By clicking on the Docebo app icon inside OKTA