Disclaimer: This article outlines how to use the new SAML interface, which will be publicly released to all clients later in the year 2026 (rollout schedule to be defined).
→ If you see differences between this article and your platform, please refer to the article on Legacy SAML configuration.
Note that there is currently a known issue with the new SAML interface and the Microsoft Entra ID (Azure) identity provider. If you are affected, please open a support ticket to reinstate the legacy SAML interface on your platform.
Introduction
The SAML app on your platform enables you to configure single sign-on (SSO) using a variety of identity providers. In this way, users can log into their learning platform using the credentials from active sessions of other web platforms.
Please note that the platform provides two options for SAML configuration: Smart and Standard. For an overview of the differences refer to the article Introduction to Docebo for SAML.
This article provides general instructions for both the Smart and Standard configurations.
Configuring SAML with specific identity providers
If you are configuring SAML to work in conjunction with Okta, Microsoft Entra ID (Azure AD), OneLogin or Google, refer also to the following articles which provide specific instructions:
- Okta configuration
- Microsoft Entra ID (Azure AD) Configuration
- OneLogin Configuration Example
- Google configuration (opens in a new tab)
Also, when configuring SAML, remember to set Assertion Encryption to Unencrypted, as this is the setting that is fully supported.
Important note for migration from legacy SAML configuration
With the introduction of the new SAML interface in November 2025 (sandboxes) and later in the year 2026 (staged rollout to all platforms), the SAML service provider metadata (Entity ID, Login URL and Logout URL) for your platform has been changed.
During the transition period for migration to new SAML:
- When your platform is migrated to new SAML, any pre-existing SAML configurations (done with the old values) will continue to work, provided you do not update the Service provider certificate option.
- However, if you do update the Service provider certificate option, you will need to also update the SAML service provider metadata on your Identity Provider (IdP) with the new values of Entity ID, Login URL and Logout URL, copied from the new SAML interface.
Note also that the {{course_saml_link}} shortcode will be deprecated by the end of 2025, while the {{session_saml_link}} shortcode will be sunset in July 2026. It is recommended to replace them at the first opportunity with the {{course_link}} shortcode.
Following the transition period for migration to new SAML you must update your Identity provider with the new metadata values copied from the platform for your SAML integration to continue to work.
Prerequisites
The SAML app needs to be activated on your platform, as described in the article Managing apps and features.
If you are planning to set up SAML single sign-on for a custom domain or for a secondary domain, you must configure the domain first in Domain management.
Access the SAML settings page in the platform
To begin, open up the SAML settings page.
→ You must do this on the same platform (main platform or extended enterprise client) for which you are configuring single sign-on.
For a main platform:
- Log in to the main platform, e.g. https://academy70.docebosaas.com
- Select Admin menu > SAML > Manage.
For an extended enterprise client:
- Log in to the extended enterprise client, e.g. https://academy70.docebosaas.com/design2
- Select Admin menu > SAML > Manage.
Important: Note that the SAML 2.0 settings page will look the same in both cases (main platform or extended enterprise client). However:
- The SAML settings that you do when logged in to the extended enterprise client will apply only to that client.
- The SAML settings that you do when logged in to the main (root) platform will apply to the main platform and to any extended enterprise clients that do not have their own SAML configuration.
Once the SAML settings page is open, if SAML was already set up you will see your pre-existing configuration: see the chapter Configure or edit the SAML settings fields.
If SAML is not yet configured you will see an empty screen where you can start a new SAML configuration.
Legacy SAML interface for an extended enterprise client:
You can also access the SAML settings for an extended enterprise client in the following way:
- Select Admin menu > Extended Enterprise > Manage.
- Click the gear icon next to the client for which you are configuring SSO.
- In the vertical navigation select SAML 2.0 settings. Then select Enable custom settings for this client.
However note that with this method you will have to configure the fields in the legacy interface. For this, please refer to the article SAML legacy configuration. This article instead covers the new SAML interface, which you can access by logging in to the required platform (root or extended enterprise) and accessing Admin menu > SAML > Manage.
Start a new SAML configuration
To start a new SAML configuration
- Access the SAML settings page and click the Configure SAML button.
- In the right panel that opens, select whether to use the Smart or Standard configuration type. The configuration with the Smart option is slightly simpler, but if required you can also choose the Standard configuration type.
- Then click Confirm.
The SAML settings for your chosen configuration type will be displayed. Move on to configure these as described in the chapter Configure or edit the SAML settings fields.
Please note: You will not be able to change an existing configuration from Smart to Standard or vice versa. If you wish to switch, you need to reset the current configuration and start over.
Configure or edit the SAML settings fields
When you open the SAML settings page, you will see a left navigation divided into four areas:
- Connection settings: Here you set up the connection between the platform and your identity provider for single sign-on.
→ Some of these settings will vary depending on whether you have chosen the Smart or Standard configuration type.
- User provisioning: (optional) automatically create a new user in the platform if the SSO authentication is valid but that user does not yet exist in the platform.
- Login and logout options: (optional) customize how users access and exit the platform with SAML single sign-on.
- Reset configuration: Select this option if you need to redo the configuration from scratch.
The following table summarizes which are the settings applicable for each configuration type, with links to the relevant chapters.
Newly-created SAML configurations are by default in the Inactive state. When you finish setting up the SAML configuration and Save changes, remember to also switch it to Active using the button at the bottom of the screen.
Connection settings > SSO URL and Entity ID (Smart configuration only)
For the smart configuration, in this area you need to enter the following information, needed to establish the connection with the identity provider.
→ Both these values are obtained from your identity provider.
Single sign-on URL: The HTTP SAML endpoint of your identity provider. This is the actual web address where the SAML requests are sent to initiate authentication.
Identity provider ID: This is a unique identifier for the SAML service of your account with the identity provider. For example, for OneLogin it is the Issuer URL, for Microsoft Entra it is the Microsoft Entra Identifier.
Connection settings > X.509 certificate (Smart configuration only)
Here you need to upload the X.509 certificate that you obtain from the identity provider.
→ Your X.509 certificate will be validated upon upload. See the notes on Certificate validation and expiration, below.
Please note: when downloading the X.509 certificate from the identity provider, set the SHA fingerprint to the SHA-256 hash algorithm, as this is the one used on the platform. SHA-1 is no longer supported.
Certificate validation and expiration
The platform automatically validates the uploaded certificates, and also tracks and notifies you of their expiration. This applies to both the X.509 certificate and the Service provider certificate.
Validation: Once the X.509 certificate file upload is complete, a message will appear to inform you if the uploaded file is valid or not.
You can press the View details button to check how the platform read and validated your certificate files, including the validity status and expiration dates.
Expiration:
Your platform will automatically use the expiration dates in your uploaded certificates to send all platform Superadmins mandatory notifications about necessary updates to your SAML configuration when your expiration date is approaching (30, 15, 5 and 1 day before the certificate expiration). Notifications cannot be modified or disabled. In this way, you are able to update your SAML configuration before it expires, so your users aren’t blocked from logging into the platform. For extended enterprise platforms, notifications will be sent for SAML configurations on both the main platform and on all extended enterprise clients.
Connection settings > XML metadata (Standard configuration only)
For the standard configuration, in this area you will need to paste in the contents of the XML metadata file obtained from your identity provider.
→ The metadata file typically contains the identity provider’s Entity ID, SSO URL, SLO URL and certificates.
Connection settings > Username attribute
In this area, you need to set which identity provider field (Username attribute) will be used to uniquely identify the user within the learning platform.
- The selected field must be populated for all your users on the identity provider side, and also distinct for every user.
- The identity provider field you select in Username attribute will be matched by default* to the Username field in the platform.
*Only for the standard configuration, you can optionally map the Username attribute to a different platform field. See the next chapter on Unique field.
Connection settings > Unique field (Standard configuration only)
The Unique field lets you set which user field within the platform (Username, UUID, Email) will be mapped to the identity provider field set in Username attribute.
- If the two fields match, the user authenticating via SSO is considered to already exist in the platform, and will be logged in to that account.
- Otherwise, the SSO user does not yet exist in the platform (but can be automatically created if you configure User provisioning).
→ Here it is recommended to set the Username field.
Note: The UUID is a read-only unique user identifier within the platform.
Important notes about Unique fields:
- When the selected Unique field is Email and multiple user accounts in your platform have the same email address, a user logging in via SAML with that address will be logged into the most recently created of those accounts.
- You are not able to create new users via SAML if you select the UUID attribute, as the UUID does not exist until a user is created in the platform.
Connection settings > SAML service provider metadata
You can copy the Entity ID, Login URL and Logout URL displayed here to enter them into the configuration of your identity provider.
Here you can also download the metadata file, if required by your provider.
Important: If you have a SAML configuration migrated from legacy, you will need to update your Identity provider with the new metadata values copied from here. This will ensure your integration continues to work after the transition period is over, or after you update the Service provider certificate. For details see Important note for migration from legacy SAML configuration.
Connection settings > Service provider certificate
This certificate enables the platform to sign SAML authentication requests and assertions sent to the identity provider. Some identity providers / federations may require that service providers hold a certificate.
Generating this certificate is optional, but required if you want to configure Logout behavior.
To generate a certificate:
Select the check box Enable service provider certificate. When you Save the configuration, the certificate will be generated and the following buttons will appear:
- Download certificate
- Copy certificate
- Generate new certificate
Note that when you click Generate new certificate, the new certificate is generated without the need to Save changes, and the Download and Copy buttons will already provide the new certificate.
If you deselect the check box and save changes, the generated certificate is removed.
→ You will then need to download the certificate and upload it to the identity provider.
Important: If you have a SAML configuration migrated from legacy, when you update the Service provider certificate you will also need to update your Identity provider with the new Service Provider metadata values, if you have not already done so. For details, see Important note for migration from legacy SAML configuration.
Expiration notifications: The platform will send out notifications to warn when the Service provider certificate is about to expire. For more information see the chapter Certificate validation and expiration.
User provisioning
User provisioning allows you to automatically create a new user in the platform if the SSO authentication is valid but that user does not yet exist in the platform. It also allows you to automatically update the details of a user in the platform based on the corresponding information in the identity provider.
→ You can configure it in the User provisioning tab of the SAML settings.
Tip: By default, a user is considered to already exist in the platform if their Username matches the identity provider field you set as the Username attribute.
Only in the Standard SAML configuration, you can if needed set a different matching field (UUID or Email instead of Username) in the Unique field.
Enable creation of provisioned users:
To begin, flag the option Activate user provisioning. With provisioning enabled, a user logging in via SSO who does not yet exist in the platform will be created on the fly, by default with platform Username = the provider field set in Username attribute (in Connection settings).
→ Note for standard configuration: If instead of Username a different unique field for matching is set, please note that the UUID option will not permit the creation of provisioned users, and that the Email option will work correctly only if all users have distinct emails.
Note on default branch placement: For SSO on the root platform, newly created users will be placed in the root branch. For SSO on an extended enterprise client, newly created users will be placed in the branch associated with the client.
Add more provisioned fields:
In addition to the Username, you may want to populate other details of a provisioned user using the information retrieved from the identity provider.
You configure this in the Field matching section.
Here, click the Add fields button and, in the Add user fields panel that opens, select the platform user field or user additional field that you want to add.
- You can also select more than one field at a time.
- When selecting the fields, refer to the list of supported user fields for SAML provisioning below.
When you are ready click Add.
→ The platform fields that you added will now appear in the Field matching area.
Now, in the SAML attribute box for each added field, enter the matching attribute from the identity provider that you want to use for that field.
Note that each platform field and identity provider field can be used only once. You cannot match multiple platform fields to the same attribute, or vice versa.
Supported user fields for SAML provisioning:
Username, First name, Last name, Email, Branch name, Branch code, Language and Additional fields.
| Field in platform | Notes |
|---|---|
| Username | |
| First name, Last name | If in the platform Advanced settings > Self-registration you flagged the option First and last name are required to register, ensure that you include these fields in the Add fields section, so that the provisioned users can be created. |
| Branch name | |
| Branch code | |
| Language | In the language field in your identity provider, the entry must use one of the language codes that the platform uses to identify languages (en = English, de = German, etc.). If the code given for this field for a specific user does not match any of the language codes of the platform, the user will be given the set default language of the platform upon activation. |
| Additional fields | If you wish to populate the country user additional field via SSO, an acceptable value would be either the Country ID or Country Name as listed in the article titled List of ISO 3166-1 countries. If you have set some user additional fields as mandatory in the platform, make sure these are mapped here so they can be populated, as otherwise the user cannot be correctly created. |
Lock provisioned user fields:
Select the Lock provisioned user fields check box to prevent users from editing, in My profile, any user fields that are provisioned. Those fields will appear grayed out and marked disabled, so that the user cannot change the value obtained from the identity provider.
→ For some important limitations and issues that can arise with locked fields, please refer to the article General guidance for SSO configuration > Lock provisioned user fields.
Update the provisioned fields:
Select the If user already exists, update the user information check box to automatically update, within the platform, the values of any provisioned fields that have been changed on the identity provider end. If you do not select this option, you will need to manually copy over any changes to keep the provisioned fields aligned.
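As an added example (not part of this article and not Docebo's own code), the following Python model works through the provisioning rules described in the Username attribute, Unique field and User provisioning chapters: an incoming user is matched on the Unique field (Username by default, UUID or Email in the Standard configuration), Email matches resolve to the most recently created account, UUID never creates users, unknown language codes fall back to the platform default, each identity provider attribute may be mapped only once, and mandatory fields that are not provisioned block creation. The user records, attribute names, language list and SAML attribute values are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from uuid import uuid4

# Constructed for this example: a subset of platform language codes and the
# default language an unrecognised code falls back to.
PLATFORM_LANGUAGES = {"en", "de", "fr", "it", "es"}
DEFAULT_LANGUAGE = "en"


@dataclass
class PlatformUser:
    username: str
    uuid: str
    email: str
    created_at: float                       # epoch seconds; newer accounts have larger values
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class ProvisioningConfig:
    username_attribute: str                 # IdP attribute chosen as the Username attribute
    unique_field: str = "username"          # "username" (default), "uuid" or "email" (Standard only)
    provisioning_enabled: bool = False      # "Activate user provisioning"
    update_existing: bool = False           # "If user already exists, update the user information"
    field_matching: Dict[str, str] = field(default_factory=dict)  # platform field -> IdP attribute
    mandatory_fields: tuple = ()            # platform fields that must be populated at creation


@dataclass
class Outcome:
    action: str                             # "login", "created" or "reject"
    user: Optional[PlatformUser]
    reason: str = ""


def validate_field_matching(mapping: Dict[str, str]) -> None:
    """Each platform field and each IdP attribute may appear only once in Field matching.
    Dict keys are unique by construction, so only the attribute side needs checking."""
    attrs = list(mapping.values())
    dupes = sorted({a for a in attrs if attrs.count(a) > 1})
    if dupes:
        raise ValueError("IdP attribute mapped to more than one platform field: %s" % dupes)


def match_existing(cfg: ProvisioningConfig, assertion: Dict[str, str],
                   users: List[PlatformUser]) -> Optional[PlatformUser]:
    """Find the account whose Unique field equals the Username attribute value."""
    ident = assertion.get(cfg.username_attribute)
    if not ident:
        raise ValueError("assertion lacks the Username attribute %r" % cfg.username_attribute)
    candidates = [u for u in users if getattr(u, cfg.unique_field) == ident]
    if not candidates:
        return None
    # Email is not unique in the platform: when several accounts share the
    # address, the most recently created one is the account that is logged in.
    return max(candidates, key=lambda u: u.created_at)


def apply_fields(user: PlatformUser, cfg: ProvisioningConfig, assertion: Dict[str, str]) -> None:
    """Copy mapped IdP attributes onto the platform user, applying the language fallback."""
    for platform_field, attr in cfg.field_matching.items():
        value = assertion.get(attr)
        if value is None:
            continue
        if platform_field == "language" and value not in PLATFORM_LANGUAGES:
            value = DEFAULT_LANGUAGE        # unknown code -> platform default language
        user.fields[platform_field] = value


def provision(cfg: ProvisioningConfig, assertion: Dict[str, str],
              users: List[PlatformUser], now: float = 0.0) -> Outcome:
    validate_field_matching(cfg.field_matching)
    user = match_existing(cfg, assertion, users)
    if user is not None:
        if cfg.update_existing:
            apply_fields(user, cfg, assertion)
        return Outcome("login", user)
    if not cfg.provisioning_enabled:
        return Outcome("reject", None, "user unknown and provisioning is disabled")
    if cfg.unique_field == "uuid":
        return Outcome("reject", None, "UUID does not exist before the user is created")
    missing = [f for f in cfg.mandatory_fields if not assertion.get(cfg.field_matching.get(f, ""))]
    if missing:
        return Outcome("reject", None, "mandatory fields not provisioned: %s" % missing)
    ident = assertion[cfg.username_attribute]
    user = PlatformUser(username=ident, uuid=uuid4().hex,
                        email=ident if cfg.unique_field == "email" else "", created_at=now)
    apply_fields(user, cfg, assertion)
    users.append(user)    # the user is created on the fly at first SSO login
    return Outcome("created", user)
```

Running the matching step against an export of your current users before switching the Unique field to Email is a cheap way to find the duplicate addresses that would otherwise silently route a login to the newest account.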
Login and logout options
In this section you can customize how users access and exit the platform with SAML single sign-on.
SSO login method
Here, you can configure how users log in to the platform with SSO. You can either:
- Display the standard login window, and from there users click a button to continue to the SSO provider
- Automatically redirect them to the provider without showing the login window
For more information see the article General guidance for SSO configuration > SSO behavior.
Identity provider logout
Select this option if you want users to be automatically logged out of the identity provider when they log out of the platform.
→ To be able to configure this, you must first have enabled and generated the Service provider certificate.
When this option is selected, the Logout URL text field appears. Here you must define the URL where users will land upon logging out from the platform and from the identity provider. Thanks to this configuration, users can land on a different URL from the one used for SSO.
Reset or deactivate a SAML configuration
If you want to remove SAML single sign-on from a platform, you can either:
- Deactivate SAML: to temporarily disable it, without losing any of your settings
- Reset SAML: to entirely clear the existing SAML configuration
Deactivate SAML:
To deactivate the current SAML configuration, click the Active button at the bottom of the screen and select the Inactive option.
→ SAML single sign-on will be temporarily disabled on the platform until you re-activate the SAML configuration.
Reset SAML:
This option will remove all the current SAML settings and revert SAML to its unconfigured state.
To do this, click the Reset SAML button and, in the window that opens, select the check box to confirm and click Reset SAML again.
→ SAML single sign-on will no longer be available on the platform. To reinstate it you will need to redo the configuration from scratch.
Tip: SAML and extended enterprise clients
Remember that, for extended enterprise clients, the following rules apply:
- If an extended enterprise client has its own active SAML configuration, then that is the configuration that will apply for that client (irrespective of the SAML settings on the main platform).
- However, if SAML is not configured (or configured but inactive) on an extended enterprise client, then the client will inherit the SAML configuration of the main platform.
In practice, this means that:
- If you deactivate or reset SAML on the main platform: SAML single sign-on will also be removed from any extended enterprise clients that do not have their own SAML configuration.
- If you deactivate or reset SAML on an extended enterprise client: The client will revert to the SAML configuration of the main platform (if available). If SAML is not configured/active on the main platform, then the client will no longer have SAML single sign-on available.
Comparison of user fields with SAML and Automation app
Depending on the field, you can import them via CSV, via SAML, or via Automation App.
This is a comparison of the fields you can import via Automation or via SAML SSO:
| Docebo user data field | Automation app | SAML SSO |
|---|---|---|
| Username | Yes | Yes |
| First name | Yes | Yes |
| Last name | Yes | Yes |
| Email | Yes | Yes |
| Level | Yes | |
| Profile name | Yes | |
| Branch name | Yes | Yes |
| Branch code | Yes | Yes |
| Branch name path | Yes | |
| Branch code path | Yes | |
| Password | Yes | |
| Hashed password | Yes | |
| Active | Yes | |
| Force password change | Yes | |
| Expire on | Yes | |
| Language | Yes | Yes |
| Date format | Yes | |
| Time zone | Yes | |
| New username | Yes | |
| User ID | | |
| Is manager | Yes | |
| UUID | | |
| Direct manager | Yes (Note: to populate this, the field is called Is Manager) | |
| Other manager types | | |
| Additional fields | Yes | Yes |
Please note: Branch creation in SAML is not supported via CSV import. All users will be automatically placed in the root branch in single-domain configurations or, if the Extended Enterprise App is active, in the branch corresponding to the relevant sub-domain.
When determining your provisioning strategy, consider whether you want to monitor your users or send notifications prior to go live. If you do, you will need to preload these users.
Best practices
Auto populating groups
In order to make the most of this integration, you can set up automatic groups, then use Docebo’s Enrollment Rules App to automatically enroll these groups into courses or learning plans. Thus, when a new user is created, you do not have to manually assign them to groups, courses, or learning plans.
Please note that in order to correctly pair newly added SAML fields and newly added platform additional fields and use them to auto-populate groups, you must always log out of both the learning platform and the Identity Provider. Therefore, please make sure you’ve enabled the option in the Logout Behavior section. Without flagging this option, this user provisioning process will not occur.
Configuring a domain after SAML SSO has been configured
If a custom domain or secondary domain needs to be configured after SAML SSO has already been configured, you will need to:
- First, fully set up the custom domain or secondary domain in your platform, as instructed in the corresponding article: Domain management: Configuring custom domains or Domain management: Configuring secondary domains.
- Next, access the SAML settings page and, in the SAML service provider metadata section, copy the new information (such as Entity ID, Login URL or Logout URL) and use it to update the configuration on the identity provider side. In this way, the identity provider will be connected to the newly configured domain rather than to the previous platform URL.
AWS certification
Docebo is available in the AWS SSO Catalog.
Other notes
Please Note: To prevent improper SAML configurations, Docebo has implemented a blocker as of April 2018. If the login redirect continues to bounce back and forth, this stopper will show an error page. Additionally, the browser that started the loop will be timed out for one hour.