Introduction
Docebo's LDAP integration is for companies that use several IT systems and need to link their larger user databases to one system, so that company data can be accessed in a central location. LDAP (Lightweight Directory Access Protocol) is a set of protocols used for accessing information directories.
This app is a single authentication app that facilitates the interaction between your platform and your company’s database. This way, users can use a single set of login credentials. When users enter their login credentials, Docebo verifies whether these credentials match the central registry. If the system does not find this user, it automatically checks the platform database.
Please note: If you aren't sure where to find the appropriate credentials needed to complete this configuration, you should contact your company's IT Manager.
Best practice: When an SSO integration and a custom domain, configured in Domain Management, are set up at the same time, it is strongly suggested to configure the custom domain first. The endpoint URLs needed for the SSO integration are dependent on the URL of the platform.
Activating the LDAP app
Activate the LDAP app as described in the Managing Apps & Features article of the Knowledge Base. The app is listed in the Single Sign On tab.
Once it’s activated, you can begin the configuration. Please refer to the section below to learn more.
Configuring the app
To access the LDAP app, reach your Admin Menu. Then find the LDAP section, and press the Manage subitem. Once you're on the management page, begin by flagging the Activate LDAP authentication box.
Now, add your server and port information. The port is usually 389. In the Username for LDAP users text box, follow the instructions outlined on the interface by using $user as a username example. Then, use the domain from which the platform will retrieve the necessary user information and data (example: $user@domain2.domain1). Please note that the $user information will be replaced with the actual username of the user that is being authenticated. For example, if the username in LDAP is paul.red@docebo1.docebo2, then the username in Docebo will be paul.red.
Now, add your Base DN into the corresponding text box. The Base DN describes from where (i.e. which subfolder) the system will download your users. Finally, you can flag the options Use LDAPS protocol and/or Check LMS login before LDAP. If the latter option remains unflagged, the login will first try user authentication through LDAP, then through the platform user registry. By flagging this option, the process is reversed.
You can also flag the option to Enable LDAP Administrative Functionality. By enabling this functionality, you can list, create, and delete entries. Once this option is enabled, you will need to add your LDAP Admin username and password into the corresponding text boxes. You will also need to add your Username field, Username filter, First name, Last Name, and email LDAP fields. You can match these fields with your Docebo user fields. When you've configured this page as desired, press Save Changes to complete your integration.
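The settings described above can be reviewed before saving. The following is an added example, not Docebo code: it expands the $user template, maps an LDAP name back to the platform username, and flags the weak combinations (LDAPS off, LDAPS on port 389, malformed Base DN). The setting names in the dictionaries are hypothetical labels for the form fields, and the LDAPS finding assumes the connection is not otherwise encrypted.

```python
# Added example: the cfg keys are hypothetical labels for the form fields
# described above, not Docebo API names.

def expand_bind_name(template: str, username: str) -> str:
    """Fill the 'Username for LDAP users' template for one login."""
    if "$user" not in template:
        raise ValueError("template must contain $user")
    return template.replace("$user", username)

def extract_user(template: str, bind_name: str) -> str:
    """Inverse mapping: paul.red@docebo1.docebo2 -> paul.red."""
    prefix, _, suffix = template.partition("$user")
    user = bind_name[len(prefix):len(bind_name) - len(suffix)]
    if "$user" not in template or not user or prefix + user + suffix != bind_name:
        raise ValueError("name does not fit the template")
    return user

def review_settings(cfg: dict) -> list:
    """Return findings worth resolving before pressing Save Changes."""
    findings = []
    if "$user" not in cfg["username_template"]:
        findings.append("username template lacks the $user placeholder")
    if not cfg["use_ldaps"]:
        findings.append("LDAPS off: a simple bind over plain LDAP "
                        "sends the password unencrypted")
        if cfg["admin_enabled"]:
            findings.append("LDAP admin credentials would use the same "
                            "unencrypted channel")
    elif cfg["port"] == 389:
        findings.append("LDAPS on but port is 389; "
                        "LDAPS conventionally listens on 636")
    # Simplified Base DN check: attr=value pairs, escaped commas not handled.
    for rdn in cfg["base_dn"].split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr.isalnum() and value):
            findings.append("Base DN component is not attr=value: %r" % rdn)
    return findings

# Constructed sample settings: the weak form beside the corrected one.
WEAK = {"username_template": "$user@domain2.domain1", "port": 389,
        "use_ldaps": False, "admin_enabled": True,
        "base_dn": "OU=Staff,DC=domain2,DC=domain1"}
FIXED = dict(WEAK, port=636, use_ldaps=True)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, review_settings(cfg))
```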
Importing users via LDAP
After you activate and properly configure the LDAP App, you can import users from your LDAP Active Directory. Reach your Admin Menu and select Users from the E-Learning section. On the User Management page, press the folder button in the top right section of the page, then press Import Users via LDAP.
The platform will connect to your LDAP Active Directory, retrieve the available users, and list them with their username, first and last names, email, and synchronization status. A black X identifies the users that are not synchronized. It is not possible to select the users to synchronize, so the synchronization process always includes all of the available users.
Please note: If you wish to populate the country user additional field via SSO, an acceptable value would be either the Country ID or Country Name as listed in the article titled List of ISO 3166-1 Countries.
Click Import LDAP Users on top of the users' list to launch the synchronization. A message in the pop-up box will confirm when the synchronization is over and report the number of imported users. In case of synchronization errors, the message in the pop-up will also provide you with a link to the Log file, so that you can check what went wrong. When users are synchronized, the Synched column shows a green checkmark.
Please note: When the username of a user is modified in the Active Directory, a new user is created in Docebo when the synchronization is run, as usernames are unique.
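Because the import always covers every available user and a renamed directory account arrives as a new platform user, it helps to compare the two user lists before importing. The following is an added example, not Docebo code: it classifies directory entries against platform users and reports probable renames (matched by email, which is an assumption of this example) and accounts that exist only in the platform, which per this article can still log in with their Docebo credentials. The record layout and sample data are constructed.

```python
# Added example: record fields mirror the columns shown in the import list
# (username, email); matching renamed users by email is a heuristic.

def plan_import(ldap_entries, platform_users):
    """Classify directory entries before pressing Import LDAP Users."""
    by_username = {u["username"]: u for u in platform_users}
    by_email = {u["email"].lower(): u
                for u in platform_users if u.get("email")}
    ldap_names = {e["username"] for e in ldap_entries}
    plan = {"synced": [], "new": [], "probable_rename": [], "not_in_ldap": []}

    for entry in ldap_entries:
        name = entry["username"]
        if name in by_username:
            plan["synced"].append(name)
            continue
        # Username unknown to the platform: the import will create a user.
        match = by_email.get((entry.get("email") or "").lower())
        if match and match["username"] not in ldap_names:
            # Same mailbox, old username gone from the directory.
            plan["probable_rename"].append((match["username"], name))
        else:
            plan["new"].append(name)

    renamed_old = {old for old, _ in plan["probable_rename"]}
    for user in platform_users:
        name = user["username"]
        if name not in ldap_names and name not in renamed_old:
            # Platform-only account: authenticates against Docebo only.
            plan["not_in_ldap"].append(name)
    return plan

# Constructed sample data.
LDAP_ENTRIES = [
    {"username": "paul.red", "email": "paul.red@example.com"},
    {"username": "anna.green2", "email": "Anna.Green@example.com"},
    {"username": "li.wei", "email": "li.wei@example.com"},
]
PLATFORM_USERS = [
    {"username": "paul.red", "email": "paul.red@example.com"},
    {"username": "anna.green", "email": "anna.green@example.com"},
    {"username": "local.admin", "email": "admin@example.com"},
]

if __name__ == "__main__":
    for bucket, names in plan_import(LDAP_ENTRIES, PLATFORM_USERS).items():
        print(bucket, names)
```

Entries under probable_rename are the ones that would leave an old account behind next to the newly created one, and not_in_ldap lists the accounts whose access is not governed by the directory.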
Logging into Docebo with LDAP credentials
Once synchronized, your users will be able to log in using their LDAP credentials. If a user is not registered in the company’s database, but only inside the Docebo platform, they can still log in using their Docebo credentials. If the lookup in the company’s database returns no result for the user, the system subsequently searches inside Docebo. This way, the platform is accessible both by LDAP and Docebo users.