By integrating your Docebo LMS with Microsoft ADFS 2.0 (and thus, Docebo’s SAML App), your Docebo users will be able to log into their LMS platforms without entering Docebo user credentials, provided that they are already logged into your AD domain.
Important Note: Docebo does not provide support for ADFS or other third party technologies implementing the SAML 2.0 protocol. This document is to be intended only as a set of best practices for IT administrators. Docebo cannot be held liable for any damage or malfunctioning due to an incorrect ADFS configuration.
This SAML integration will also work with Azure AD, though the Azure setup may differ slightly from the steps and screenshots provided here for ADFS Enterprise. For setting up OpenID Connect with Azure AD, refer to this article.
This app is available for Docebo Enterprise plan clients and it is optional for Growth plan clients.
Step 1: Enable HTTPS on your LMS
ADFS requires that any Service Provider (such as Docebo) implements the HTTPS protocol. You should therefore ensure that you have HTTPS enabled on your LMS before going through the next steps. If you’re not sure how to do so, please refer to this manual.
Step 2: Retrieve SAML 2.0 Configuration from ADFS
Now, you need to open the ADFS 2.0 Management via Start → Administrative Tools → ADFS 2.0 Management. Then, right click on Service in the left panel, and choose Edit Federation Service Properties from the menu.
The General Tab contains the Federation Service Identifier, which is the Identity Provider URL. Copy this URL into your clipboard, as you’ll have to enter it into your Docebo LMS later. Our Identity Provider example for this tutorial will be http://adfs.adatum.com/adfs/services/trust.
Step 3: Activating the SAML Docebo App
To activate the app, log into your LMS as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button.
Select the Third Party Integrations tab from the tab menu. Find the SAML 2.0/ADFS Integration app in the list of apps in this tab, then press the Contact Us button in the app’s row. Read the description in the pop up box, then press the Contact Us Now button.
From here, Docebo will reach out to you regarding activating the app in your platform. Docebo will activate the app in your platform on your behalf. Once it’s activated, you can begin the configuration.
Step 4: Configuring the SAML Docebo App
To begin the configuration for this app, access the Admin Menu by scrolling your mouse over the gears icon. Then, find the SAML Settings section in the Admin Menu, and press the Settings subitem. You will then be redirected to the settings page. Select Active checkbox in order to enable the configuration. This option is not enabled when activating the app in your LMS. Therefore, enable it to proceed with the app configuration in your LMS.
Begin by inserting your identity provider ID, XML metadata, and username attribute into the corresponding text boxes on this page:
- Identity Provider ID. This is the Federation Service Identifier from Step 2.
- XML Metadata. Open your web browser and go to the following URL https://<domain name>/FederationMetadata/2007-06/FederationMetadata.xml. Replace the domain name section with your ADFS 2.0 domain name, such as adatum.com. Then, open the downloaded XML file with a text editor, such as Notepad, and copy its entire content. Then, paste it into the XML Metadata field in your LMS.
- Username Attribute. This is the attribute statement identifier configured in Step 5. (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
Please note that Download button only appears after you have inserted all of the mandatory information on this page and pressed Save Changes. Once it appears, press the Download button at the bottom of the page, then save the XML file to your computer.
Now, you can flag which encryption algorithm (SHA-1 vs SHA-256) to use to validate IDP. For new configurations, the default value will be SHA-256. If you already have a valid configuration in your platform, the default value will be SHA-1. SHA-256 is recommended for security reasons.
Then, you can flag the option to enable a service provider certificate. Some Identity Providers or Federations may require that Service Providers hold a certificate. If you enable a certificate for your Service Provider, you will be able to sign requests and responses sent to the Identity Provider. If you flag this option, press the Choose File buttons that will appear below to upload your Private Key File and your Certificate File. Please note that you cannot upload only one of these files. You must upload both files.
To configure the SSO behavior, you can flag between two different options. Choose whether you want to show the standard LMS login page, or if you want to automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page.
If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users logout of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.
This section allows you to instantly create a user who is present in your Identity Provider but is not yet present in the LMS database. Begin by flagging the Enable option. If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that not flagging these options results in needing to manually register (enable option) or update your users (update information) in the LMS.
Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the names of the fields in the Identity Provider (attribute statement). In the text box, type in the name of the additional field in the LMS, then press the Add button. The additional field will appear in a list below, with the field name and field category automatically filled in by your platform. Insert your Identity Provider attribute statement into the corresponding text box. When you’re finished, press Save Changes.
Step 5: ADFS 2.0 Relying Party Trust Configuration
The quickest way to configure the Relying Party Trust in ADFS is to download the Service Provider metadata XML file from Docebo, then import it inside ADFS. Begin by logging into your LMS (remember to use https) as a Superadmin. Then access the Admin menu by scrolling your mouse over the gears icon. Then, in the SAML Settings section, press the Settings subitem.
Now, return to your ADFS Management Console, then select Relying Party Trusts in the left panel under Trust Relationships. Right click on Relying Party Trusts and choose Add Relying Party Trust from the menu that will appear.
Step 6: ADFS 2.0 Claim Rules Configuration
In order to configure a proper communication between your ADFS and Docebo, you should define the Claim Rules by right clicking on the relying party you’ve just created (e.g. Docebo ADFS) and then selecting Edit Claim Rules.
On the Issuance Transform Rules tab, press Add Rules. Then, select Send LDAP Attributes as Claims and press Next. Now, define the Claim Rule name and select Active Directory in the Attribute Store dropdown menu. Under Mapping of LDAP attributes to outgoing claim types, select all of the attributes that you want to export as claims for the SSO. Examples are:
- LDAP Attribute: E-Mail-Addresses; Outgoing Claim Type: E-Mail Address
- LDAP Attribute: Given-Name; Outgoing Claim Type: Given Name
- LDAP Attribute: User-Principal-Name; Outgoing Claim Type: UPN
Add a second rule by following the same procedure. Select Transform an Incoming Claim, then press Next.
Now, define the Claim Rule name, and set the Incoming claim type as one of the previously configured attributes. Then, set the Outgoing claim type as Name ID. Finally, set the Outgoing name ID format as Transient Identifier. Then, press Finish. The incoming claim type should match the username of your users inside Docebo for the SSO to work properly.
Step 7: SSO in Action
Even after you’ve successfully configured SAML for ADFS, you’ll notice that your users will still see the standard Docebo login form (with username and password). To change this, you need to give your LMS access to a subset of users currently not in your AD user registry. Alternatively, if you want to let your users use SSO inside Docebo, you should use this URL: https://<your lms domain>/lms/index.php?r=site/sso&sso_type=saml
Replace <your lms domain> with your custom LMS domain.
Appendix: User Provisioning from AD to Docebo
Once SAML and ADFS are properly configured, any user logged into your Windows AD domain can access the LMS without entering any credentials. However, this requires that the following requirements are met:
- The user trying to use SSO should have a valid LMS account created before SSO is attempted. You can learn more about creating users with SAML here, or you can learn more about creating users in your LMS here.
- There must be a match between the LMS username and the Username claim attributed (see Step 5).
Best Practices for this Integration
In order to make the most of this integration, you should set up groups that are auto-populated, then use Docebo’s Enrollment Rules App to automatically enroll these groups into courses or learning plans. Thus, when a new user is created, you do not have to manually assign them to groups, courses or learning plans.
Additionally, you can use the following SSO links to automatically access some areas of your Docebo LMS with an SSO login:
- LMS homepage: /lms/index.php?r=site/sso&sso_type=saml
- Into a Specific Course: /lms/index.php?r=site/sso&sso_type=saml&id_course=18
- Catalogs Area: /lms/index.php?r=site/sso&sso_type=saml&destination=catalog
- Learning Plans: /lms/index.php?r=site/sso&sso_type=saml&destination=learningplan
Additionally, clients can rely on a growing set of REST APIs to implement their own user provisioning logic (see our API documentation page).