Introduction
The SAML app on your platform enables you to configure single sign-on to the platform using a variety of identity providers. This article specifically covers how to configure SAML using OneLogin as the identity provider.
Please note that the platform provides two options for SAML configuration: Smart and Standard. Instructions are provided for both.
Prerequisites
The SAML app needs to be activated on your platform, as described in the article Managing apps and features.
You will also need to have a OneLogin developer account.
If you are planning to set up SAML single sign-on for a custom domain or for a secondary domain, you must configure the domain first in Domain management.
Access the SAML settings page in the platform
To begin, open up the SAML settings page and select the desired configuration type.
→ You must do this on the same platform (main platform or extended enterprise client) for which you are configuring single sign-on.
For a main platform:
- Select Admin menu > SAML > Manage.
For an extended enterprise client:
- Select Admin menu > Extended Enterprise > Manage.
- Click the gear icon next to the client for which you are configuring SSO.
- In the vertical navigation select SAML 2.0 settings. Then select Enable custom settings for this client.
Tip: Note that the SAML 2.0 settings page will look the same in both cases.
Once the SAML 2.0 settings page is open, select whether to use the Smart or Standard configuration type.
- The configuration with the Smart option is slightly simpler, but if required you can also switch to the Standard configuration type.
- Please note that, if there is an existing SAML configuration on the page, changing from Smart to Standard or vice versa will lose your previous settings.
Then select the Active check box to enable the configuration fields.
Now move on to the setup in OneLogin as described in the following chapters. You will need to refer back and forth between OneLogin and this SAML settings page to complete the configuration.
Add the Docebo or Docebo Multi Domain app in OneLogin
Log in to your OneLogin account as an administrator.
In the header bar, click Administration to access the administration page, then select Applications > Applications. Here you will see any applications that you have previously added. You can click an existing app to view or edit its configuration.
To add a new app, click Add App, then search for “Docebo” to find the two apps of interest here. Click an app to start configuring it.
- Select the Docebo app only if you have a main platform with a docebosaas URL. For example, https://academy70.docebosaas.com/
- For all other cases, select the Docebo Multi Domain app. This includes a main platform with a custom domain, and any kind of extended enterprise client (whether with a subfolder-based docebosaas URL, or with a secondary domain).
After you select an app, a page will open where you can configure how the app will appear in the OneLogin portal. For example, you can set an icon, a display name, and a description.
Complete these fields as needed and click Save.
Once you click Save, the app is created and you will see a vertical navigation menu on the left-hand side. You need to go through these items and complete the settings.
- Configuration: Depending on which app you are using, follow the instructions in the chapter OneLogin Configuration tab (Docebo app) or OneLogin Configuration tab (Docebo Multi Domain app).
- Parameters: Configure the user fields you will use in the integration. Click the plus button to add a new parameter. Pay close attention to spelling and capitalization, and make sure the parameters match your SAML configuration in Docebo exactly.
→ Please note that parameters are case-sensitive. For example, "email" is not the same as "Email".
- Rules: Add any rules that may need to be applied.
- SSO: Follow the instructions in the chapter OneLogin SSO tab
- Access: Select the access policies you require
- Users: Here you can assign which users will have access to the Docebo platform.
- Privileges: Set any specific privileges you might require.
OneLogin Configuration tab (Docebo app)
After you have added the Docebo app in OneLogin, in the Configuration tab you only need to enter the name of your platform in the Docebo Subdomain field. You should only enter the part of the URL that precedes docebosaas.
→ For example, for platform URL https://academy70.docebosaas.com/, just enter academy70.
Tip: Because docebosaas.com will be automatically appended to what you enter here, this field will not work for platforms that have a custom domain, or for any extended enterprise platform. For those you need to use the Docebo Multi Domain app.
OneLogin Configuration tab (Docebo Multi Domain app)
After you have added the Docebo Multi Domain app in OneLogin, in the Configuration tab you will need to configure a number of fields. You will retrieve the information to enter here from the SAML configuration page on your platform, as instructed in the rest of this chapter.
The procedure to follow depends on whether you are using the SAML Smart or Standard configuration type on the platform. If you have not already done so, access the SAML settings page in the platform and select the desired configuration type.
→ Make sure to access the SAML settings page from the same main platform or extended enterprise client for which you are configuring single sign-on.
SAML Smart configuration:
On the SAML 2.0 settings page, if you selected the Smart configuration option in the platform, the necessary information is displayed directly in the SAML 2.0 SP metadata section.
Copy each of these links and paste them into the corresponding fields of the OneLogin configuration tab as follows:
Copy from SAML smart page | | Paste into OneLogin field (Configuration tab) |
Entity ID | → | Audience |
Login URL | → | Docebo consumer URL |
Logout URL | → | Single logout URL |
Login URL | → | Recipient |
SAML Standard configuration:
If you instead selected the Standard configuration option in the platform, the links are not directly displayed. You need to download the XML metadata file to obtain them.
Scroll down to the SAML 2.0 SP Metadata section and click Download. Then open the downloaded file in a text editor.
Copy each of the indicated links from the file (you should copy the entire URL) and paste them into the corresponding fields of the OneLogin configuration tab as follows:
Link to copy from XML metadata file (downloaded from SAML settings on platform) | | Paste into OneLogin field (Configuration tab) |
EntityDescriptor | → | Audience |
AssertionConsumerService | → | Docebo consumer URL |
SingleLogoutService | → | Single logout URL |
AssertionConsumerService | → | Recipient |
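The mapping in the table above can be checked with a short script instead of copying by eye. The following is an added example, not part of the original article or of either product: it reads a service provider metadata file and returns the four OneLogin Configuration tab values. The sample metadata and the sp.example.com host are constructed placeholders, and choosing the default HTTP-POST AssertionConsumerService when several are listed, as well as rejecting non-https endpoints, are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; sp.example.com is a placeholder host.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def onelogin_fields(metadata_xml):
    """Map SP metadata values to the OneLogin Configuration tab fields."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(MD + "SPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    # Assumption of this example: use the HTTP-POST endpoint, preferring
    # the one flagged isDefault, then the lowest index.
    acs = [e for e in sp.findall(MD + "AssertionConsumerService")
           if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    acs.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"), int(e.get("index", "0"))))
    acs_url = acs[0].get("Location")
    slo = sp.find(MD + "SingleLogoutService")
    fields = {
        "Audience": root.get("entityID"),
        "Docebo consumer URL": acs_url,
        "Single logout URL": slo.get("Location") if slo is not None else None,
        "Recipient": acs_url,  # same URL as the consumer URL, per the table
    }
    # Assertions and logout messages should only travel to TLS endpoints.
    for name in ("Docebo consumer URL", "Single logout URL"):
        url = fields[name]
        if url is not None and urlsplit(url).scheme != "https":
            raise ValueError(f"{name} is not an https URL: {url!r}")
    return fields
```
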
OneLogin SSO tab (both apps)
After you have added the Docebo app or the Docebo Multi Domain app in OneLogin, and filled out the Configuration tab, in the SSO tab you will find some further fields and settings. These are the same for both the Docebo app and the Docebo Multi Domain app.
You will need to copy some values from here into the SAML configuration page on your platform, as instructed in the rest of this chapter.
In the SAML Signature Algorithm field, select the signature algorithm to use. It is recommended to select SHA-256.
The remaining steps to follow depend on whether you are using the SAML Smart or Standard configuration type on the platform. Remember, as before, that you must access the SAML settings page from the same main platform or extended enterprise client for which you are configuring single sign-on.
SAML smart configuration
You will need to copy over the following information from the OneLogin SSO tab to the platform SAML smart settings page: Issuer URL, SAML 2.0 endpoint and X509 certificate.
Item to copy from OneLogin (SSO tab) | | Field to populate in SAML smart settings |
Issuer URL | → | Issuer |
SAML 2.0 endpoint (HTTP) | → | SSO URL |
X509 certificate PEM file (see instructions below) | → | X509 certificate |
SLO endpoint (HTTP) (optional) | → | Logout behavior > logout URL (requires configuration of service provider signing) |
Instructions for X.509 certificate:
In the OneLogin SSO tab, under X.509 Certificate, right-click the View Details link to open it in a new tab.
Note: Do not directly click the View Details link, as you will lose your current configuration.
In the new tab, change the SHA fingerprint to SHA256 using the drop-down menu. Then click the Save button in the top right corner, and download the X.509 certificate (PEM) using the Download button. When you are finished, close this tab to return to the SSO tab.
Now on the SAML settings page of your platform, scroll down to the X509 certificate section, click Upload certificate, and select the PEM file that you previously downloaded from OneLogin.
SAML standard configuration
You will need to copy over the following information from the OneLogin SSO tab to the platform SAML standard settings page: Issuer URL and SAML Signature Algorithm.
You will also need to download the SAML metadata file from OneLogin and paste its contents into the XML metadata field in the platform.
Item to copy from OneLogin (SSO tab) | | Field to populate in SAML standard settings |
Issuer URL | → | Identity provider ID |
SAML Signature Algorithm | → | Signature algorithm (set the same value configured in OneLogin) |
SAML metadata (from header bar, see instructions below) | → | XML metadata |
Instructions for SAML metadata:
Once you have completed the signature algorithm settings in the OneLogin SSO tab, click Save on the OneLogin header bar. Then from the More Actions menu select SAML Metadata. This will download the XML metadata file.
Open the downloaded file in a text editor, select all its contents and copy-paste them into the XML metadata field of the SAML standard settings page.
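Before pasting the metadata, it is worth confirming that it belongs to the same identity provider as the Issuer URL entered in the Identity provider ID field. The following is an added example, not part of the original article or of either product: it compares the two and returns the SHA-256 fingerprint of each signing certificate, which can be compared with the fingerprint shown in OneLogin's certificate view. It assumes the Issuer URL is the entityID of the metadata file; the idp.example.com URLs are placeholders and the certificate body is constructed dummy bytes, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: placeholder URLs; the "certificate" is dummy bytes,
# enough to show the fingerprint calculation but not a real X.509 cert.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate").decode()
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata/0000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/0000"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(metadata_xml, identity_provider_id):
    """Check IdP metadata against the Identity provider ID value."""
    root = ET.fromstring(metadata_xml)
    # Exact string comparison: a trailing slash or case change is a mismatch.
    if root.get("entityID") != identity_provider_id:
        raise ValueError("entityID in metadata differs from Identity provider ID")
    fingerprints = []
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    sso = [(e.get("Binding"), e.get("Location"))
           for e in root.iter(MD + "SingleSignOnService")]
    return {"signing_cert_sha256": fingerprints, "sso_endpoints": sso}
```

The fingerprints are returned as lowercase hex without separators, so ignore colons and letter case when comparing them with a displayed value.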
Complete the SAML configuration in the platform
The instructions provided in this article have covered how to complete the SAML configurations specific to the OneLogin identity provider.
For information about how to complete the remaining SAML settings in the platform, refer to the article: