Enable SSO in Docebo through Microsoft ADFS 2.0

Discover how to enable SSO in Docebo through Microsoft ADFS

Last Updated

February 8th, 2019

Reading Time

7 min

Introduction

By integrating your Docebo LMS with Microsoft ADFS 2.0 (and thus, Docebo’s SAML App), your Docebo users will be able to log into their LMS platforms without entering Docebo user credentials, provided that they are already logged into your AD domain.

Important Note: Docebo does not provide support for ADFS or other third party technologies implementing the SAML 2.0 protocol. This document is to be intended only as a set of best practices for IT administrators. Docebo cannot be held liable for any damage or malfunctioning due to an incorrect ADFS configuration.

This SAML integration will also work with Azure AD, though the Azure setup may differ slightly from the steps and screenshots provided here for ADFS Enterprise. For setting up OpenID Connect with Azure AD, refer to this article.

This app is available for Docebo Enterprise plan clients and it is optional for Growth plan clients.

Step 1: Enable HTTPS on your LMS

ADFS requires that any Service Provider (such as Docebo) implements the HTTPS protocol. You should therefore ensure that you have HTTPS enabled on your LMS before going through the next steps. If you’re not sure how to do so, please refer to this manual.

Step 2: Retrieve SAML 2.0 Configuration from ADFS

Now, open the ADFS 2.0 Management console via Start > Administrative Tools > ADFS 2.0 Management. Then, right click on Service in the left panel, and choose Edit Federation Service Properties from the menu.

[Screenshot: ADFS edit FS properties]

The General Tab contains the Federation Service Identifier, which is the Identity Provider URL. Copy this URL into your clipboard, as you’ll have to enter it into your Docebo LMS later. Our Identity Provider example for this tutorial will be http://adfs.adatum.com/adfs/services/trust.

[Screenshot: ADFS federation service properties]

Step 3: Activating the SAML Docebo App

To activate the app, log into your LMS as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button.

Select the Third Party Integrations tab from the tab menu. Find the SAML 2.0/ADFS Integration app in the list of apps in this tab, then press the Contact Us button in the app’s row. Read the description in the pop up box, then press the Contact Us Now button.

[Screenshot: SAML/ADFS contact us]

From here, Docebo will reach out to you regarding activating the app in your platform. Docebo will activate the app in your platform on your behalf. Once it’s activated, you can begin the configuration.

Step 4: Configuring the SAML Docebo App

To begin the configuration for this app, access the Admin Menu by scrolling your mouse over the gears icon. Then, find the SAML Settings section in the Admin Menu, and press the Settings subitem. You will then be redirected to the settings page. Select the Active checkbox to enable the configuration. This option is not enabled automatically when the app is activated in your LMS, so you need to enable it before you can proceed with the app configuration.

Begin by inserting your identity provider ID, XML metadata, and username attribute into the corresponding text boxes on this page:

  • Identity Provider ID. This is the Federation Service Identifier from Step 2.
  • XML Metadata. Open your web browser and go to the following URL: https://<domain name>/FederationMetadata/2007-06/FederationMetadata.xml. Replace the domain name section with your ADFS 2.0 domain name, such as adatum.com. Open the downloaded XML file with a text editor, such as Notepad, copy its entire content, and paste it into the XML Metadata field in your LMS.
  • Username Attribute. This is the attribute statement identifier configured in Step 5. (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).

Please note that the Download button only appears after you have inserted all of the mandatory information on this page and pressed Save Changes. Once it appears, press the Download button at the bottom of the page, then save the XML file to your computer.

[Screenshot: SAML settings]

Now, you can flag which hash algorithm (SHA-1 vs SHA-256) to use when validating the signatures issued by the Identity Provider. For new configurations, the default value will be SHA-256. If you already have a valid configuration in your platform, the default value will be SHA-1. SHA-256 is recommended for security reasons.

Then, you can flag the option to enable a service provider certificate. Some Identity Providers or Federations may require that Service Providers hold a certificate. If you enable a certificate for your Service Provider, you will be able to sign the requests and responses sent to the Identity Provider. If you flag this option, press the Choose File buttons that will appear below to upload your Private Key File and your Certificate File. Please note that you cannot upload only one of these files; you must upload both.

SSO Behavior

To configure the SSO behavior, you can flag between two different options. Choose whether you want to show the standard LMS login page, or if you want to automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page.

[Screenshot: SSO button]

If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page that your users are sent to when they log out of the platform, instead of the standard logout page. Use the text box to type in the URL of the logout landing page.

[Screenshot: SSO behavior 2]

Logout Behavior

In the Logout Behavior section, you can flag the option for the user to automatically be logged out of the Identity Provider when he or she logs out of the LMS.

[Screenshot: SAML logout behavior]

User Provisioning

This section allows you to instantly create a user who is present in your Identity Provider but is not yet present in the LMS database. Begin by flagging the Enable option. If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that if you do not flag these options, you will need to register new users (Enable option) or update existing users (update information option) manually in the LMS.

[Screenshot: SAML user provisioning]

Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the names of the fields in the Identity Provider (attribute statement). In the text box, type in the name of the additional field in the LMS, then press the Add button. The additional field will appear in a list below, with the field name and field category automatically filled in by your platform. Insert your Identity Provider attribute statement into the corresponding text box. When you’re finished, press Save Changes.

Step 5: ADFS 2.0 Relying Party Trust Configuration

The quickest way to configure the Relying Party Trust in ADFS is to download the Service Provider metadata XML file from Docebo, then import it inside ADFS. Begin by logging into your LMS (remember to use https) as a Superadmin. Then access the Admin menu by scrolling your mouse over the gears icon. Then, in the SAML Settings section, press the Settings subitem.

Now, return to your ADFS Management Console, then select Relying Party Trusts in the left panel under Trust Relationships. Right click on Relying Party Trusts and choose Add Relying Party Trust from the menu that will appear.

[Screenshot: ADFS add relying party trust]

Then, flag the option to Import data about the relying party from a file. Next, press Browse, then locate the metadata XML file that you downloaded from Docebo. Press Next, ignore the popup message, enter a distinctive display name, and click Next again. Now, select Permit all users to access the relying party, and press Next to finish.

[Screenshot: ADFS select data source]

In the column in the center, right click on the relying party you’ve just created, then select Properties. In the Advanced tab, select SHA-1 as the Secure Hash Algorithm, and then press OK. The algorithm chosen here is the one ADFS uses to sign the tokens it issues to this relying party, so it must match the hash algorithm you selected in the Docebo SAML settings in Step 4.

[Screenshot: ADFS talentlms properties]

Step 6: ADFS 2.0 Claim Rules Configuration

In order to configure a proper communication between your ADFS and Docebo, you should define the Claim Rules by right clicking on the relying party you’ve just created (e.g. Docebo ADFS) and then selecting Edit Claim Rules.

[Screenshot: ADFS edit claim rules]

On the Issuance Transform Rules tab, press Add Rules. Then, select Send LDAP Attributes as Claims and press Next. Now, define the Claim Rule name and select Active Directory in the Attribute Store dropdown menu. Under Mapping of LDAP attributes to outgoing claim types, select all of the attributes that you want to export as claims for the SSO. Examples are:

  • LDAP Attribute: E-Mail-Addresses; Outgoing Claim Type: E-Mail Address
  • LDAP Attribute: Given-Name; Outgoing Claim Type: Given Name
  • LDAP Attribute: User-Principal-Name; Outgoing Claim Type: UPN

[Screenshot: ADFS configure claim rule]

Add a second rule by following the same procedure. Select Transform an Incoming Claim, then press Next.

Now, define the Claim Rule name, and set the Incoming claim type as one of the previously configured attributes. Then, set the Outgoing claim type as Name ID. Finally, set the Outgoing name ID format as Transient Identifier. Then, press Finish. The incoming claim type should match the username of your users inside Docebo for the SSO to work properly.

[Screenshot: ADFS configure claim rule 2]

Step 7: SSO in Action

Even after you’ve successfully configured SAML for ADFS, your users will still see the standard Docebo login form (with username and password). The standard form stays in place so that you can still grant LMS access to a subset of users who are not in your AD user registry. To let your users sign in to Docebo through SSO instead, use this URL: https://<your lms domain>/lms/index.php?r=site/sso&sso_type=saml

Replace <your lms domain> with your custom LMS domain.

Appendix: User Provisioning from AD to Docebo

Once SAML and ADFS are properly configured, any user logged into your Windows AD domain can access the LMS without entering any credentials. However, this requires that the following requirements are met:

  • There must be a match between the LMS username and the Username claim attribute (see Step 5).
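
To show how the claim rules from Step 6 and the matching requirement above fit together, here is an added Python example (not Docebo's or Microsoft's code) that reads a SAML assertion and works out what the LMS side would do with it. It checks the Issuer against the Identity Provider ID, the Audience against the service provider entity ID, and the NameID format against the Transient Identifier chosen in Step 6; it then takes the claim named by the Username Attribute from Step 4 and looks it up in the LMS user list, with the User Provisioning flag deciding whether an unknown user is created or rejected. The assertion, the SP entity ID https://lms.example.com/, and the user list are constructed sample data, and the assertion is unsigned and abbreviated: signature verification is Docebo's job and happens before any of these values are trusted, so it is deliberately outside this example.

```python
"""Work out what the LMS would do with an ADFS SAML assertion.

Added example, not Docebo or Microsoft code. SAMPLE_ASSERTION, the SP entity
ID and LMS_USERS are constructed sample data; the assertion is unsigned and
abbreviated, and the signature check that precedes all of this is omitted.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard ADFS claim type URIs (emailaddress is the one used on the page).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion: the two claims issued by the Step 6 rules,
# a transient NameID, and an Audience restriction naming the LMS.
SAMPLE_ASSERTION = b"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <Issuer>http://adfs.adatum.com/adfs/services/trust</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f3c</NameID>
  </Subject>
  <Conditions>
    <AudienceRestriction><Audience>https://lms.example.com/</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>jane.doe@adatum.com</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Jane</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Constructed LMS user table: Docebo usernames exactly as SSO must find them.
LMS_USERS = {"jane.doe@adatum.com", "john.roe@adatum.com"}


def extract_claims(assertion_xml: bytes) -> dict:
    """Pull issuer, subject NameID, audiences and attribute values out of an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "audiences": audiences,
        "attributes": attrs,
    }


def resolve_lms_user(claims, username_attribute, identity_provider_id, sp_entity_id,
                     lms_users, provisioning_enabled=False):
    """Return (action, username, problems); action is 'login', 'provision' or 'reject'."""
    problems = []
    if claims["issuer"] != identity_provider_id:
        problems.append("issuer %r is not the configured Identity Provider ID" % claims["issuer"])
    if sp_entity_id not in claims["audiences"]:
        problems.append("assertion is not addressed to this LMS (Audience mismatch)")
    if claims["name_id_format"] != TRANSIENT:
        problems.append("NameID format %r, expected Transient Identifier (Step 6)"
                        % claims["name_id_format"])
    values = claims["attributes"].get(username_attribute, [])
    if len(values) != 1:
        problems.append("username attribute %s is missing or multi-valued; check the "
                        "Send LDAP Attributes rule" % username_attribute)
    if problems:
        return "reject", None, problems

    username = values[0]
    if username in lms_users:
        return "login", username, []
    if provisioning_enabled:
        return "provision", username, []   # User Provisioning creates the account
    return "reject", None, ["%s is not an LMS user and User Provisioning is disabled" % username]


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print(resolve_lms_user(claims, EMAIL_CLAIM,
                           "http://adfs.adatum.com/adfs/services/trust",
                           "https://lms.example.com/", LMS_USERS))
```

The fourth case in the checks below is the one that bites most often: choosing a Username Attribute in Docebo (here the UPN) that the Send LDAP Attributes rule never actually issues. The assertion is perfectly valid, but the LMS has nothing to match a username against and the login is rejected.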

Best Practices for this Integration

In order to make the most of this integration, you should set up groups that are auto-populated, then use Docebo’s Enrollment Rules App to automatically enroll these groups into courses or learning plans. Thus, when a new user is created, you do not have to manually assign them to groups, courses or learning plans.

Additionally, you can use the following SSO links to automatically access some areas of your Docebo LMS with an SSO login:

  • LMS homepage: /lms/index.php?r=site/sso&sso_type=saml
  • Into a Specific Course: /lms/index.php?r=site/sso&sso_type=saml&id_course=18
  • Catalogs Area: /lms/index.php?r=site/sso&sso_type=saml&destination=catalog
  • Learning Plans: /lms/index.php?r=site/sso&sso_type=saml&destination=learningplan

Additionally, clients can rely on a growing set of REST APIs to implement their own user provisioning logic (see our API documentation page).