Introduction
This article provides you with some examples of how to configure and integrate some of the most popular Identity Providers. If your vendor is not listed here, please refer to the general configuration instructions in the article Docebo for OpenID Connect.
- Okta configuration example
- OneLogin configuration example
- Salesforce configuration example
- Microsoft Entra ID configuration example
- Microsoft Azure AD B2C configuration example
- Ping Identity configuration example
Okta
When configuring Okta with OpenID Connect, the Okta app does not need to be activated in your platform. Start by connecting to the Okta website as an Admin, click on Admin on the top right corner, then move to the Applications tab and click Add Application to create the Docebo App in Okta, registering it as a Service Provider. Click on Create New App.
In the pop-up box, select Web as Platform Type and OpenID Connect as Sign On Method. Press Create to proceed. Type the Application Name (can either be Docebo, or the App as renamed for your company) and add a logo to identify the App in the OpenID Connect dashboard. The logo upload is optional but can be very useful to quickly identify the Docebo platform in the OpenID Connect dashboard.
Open the OpenID Connect configuration page in Docebo (Admin Menu → OpenID Connect → Manage), and copy the values shown in the Platform URLs section into the corresponding fields of the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta. In the Login redirect URIs section, copy and paste the Login URL and the Code URL values from Docebo, in this order. Press the Add URI button to insert a new row. Copy and paste the Logout URL value from Docebo into Okta's Logout redirect URIs section. Press the Add URI button to insert a new row. Press Save to proceed.
Now retrieve the OpenID Connect information from the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta, and paste it into the Open ID Client section of the OpenID Connect configuration page in Docebo. Move to the General tab, copy the Client ID and the Client Secret values, and paste them into the corresponding fields in Docebo. Retrieve the Client Issuer code from your Okta installation URL: copy the URL from https up to the end of the domain name (i.e. https://{yourdomainname}.oktapreview.com/) and paste it in the Issuer field.
Finally, compose the Metadata URL value as follows:
{{url}}/.well-known/openid-configuration?client_id={{clientId}}
where:
- {{url}} is the Issuer Code (including the https or the http protocol); remove the {{ }}
- {{clientId}} is the Client ID value; remove the {{ }}
Copy the resulting URL and paste it as Metadata URL value in Docebo.
On the Okta website, define the users allowed to use the app. Move to the Assignments tab and add the users, either one by one or with mass action. Click Assign and select either Assign to People or Assign to Groups, depending on your needs. Select the users and/or the groups previously created in Okta, click on Assign and Done to complete the action.
The Docebo configuration on Okta is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the article Docebo for OpenID Connect.
OneLogin
When configuring OneLogin with OpenID Connect, the OneLogin app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to OneLogin (link opens in a new tab), click on Administration on the page upper bar, select the Apps tab and click on Custom Connectors.
Create a custom connector in order to register Docebo as Service Provider. Click on New Connector on the top right corner. Enter your Docebo App Name (i.e. yourtrial.docebosaas.com) and press Tick to confirm. You will see the Basic Configuration page. Add an icon to identify the App in the OpenID Connect dashboard. The icon upload is optional but can be very useful to quickly identify the Docebo platform in the OpenID Connect dashboard. In the Sign On Method section, select OpenID Connect.
Open the OpenID Connect configuration page in Docebo (Admin Menu → OpenID Connect → Manage), and copy the values shown in the Platform URLs section in the corresponding fields in OneLogin, as follows. In the OneLogin OpenID Connect section, paste the Docebo Code URL in the redirect URI field. Move to the Login URL section and paste the Login URL in the Login URL field. Press Save to continue.
Please note: OpenID Connect enables service-provider-initiated (SP-initiated) SSO, but not identity-provider-initiated (IdP-initiated) SSO. When you provide a Login URL, OneLogin mimics an IdP-initiated SSO experience: the user is taken to the app’s login page, where the SP-initiated authentication flow begins. Refer to the OneLogin Knowledge Base (opens in a new tab) for further info. When configuring the integration with Docebo, type the pure platform URL (https://[platformname].docebosaas.com) in the Login URL field in OneLogin, and set the SSO behavior to Automatic Redirect in Docebo OpenID Connect configuration page.
Move to the Apps tab, select Add Apps and search for OpenID Connect in the search bar. Select OpenId Connect (OIDC) among the search results listed in the Find Application page. Either confirm or select your subscription plan and press Continue. Insert the App name and description. In the Configuration tab, copy and paste the Login URL from Docebo in the Login Url fields and the Code URL and the Logout URL in the Redirect URI section, as separate lines. Press Save to proceed.
Retrieve the OpenID Connect information from OneLogin. The Issuer code comes from the OneLogin website URL: copy the link from HTTPS to the last letter before the first single slash (do not copy the slash). Next, move to the SSO tab.
Copy the Client ID and the Client Secret and paste them in the corresponding fields of the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu → OpenID Connect → Manage).
Finally, compose the Metadata URL value as follows:
{{url}}/oidc/.well-known/openid-configuration
Where url is the Identity Provider URL; remove the {{ }}.
Define now the users allowed to use the app. Move to the Users tab and insert the user accounts that will be able to connect using this Identity Provider.
The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the article Docebo for OpenID Connect.
Salesforce
When configuring Salesforce with OpenID Connect, the Salesforce app does not need to be activated on your platform. Start the configuration from the Identity Provider. Login to Salesforce (link opens in a new tab), click on Setup on the page upper bar. From the left-side menu, reach the Build section, select Create, and finally Apps.
From the Apps page, move to the Connected Apps section, and click New to add Docebo as new application.
In the New Connected App page that will open, type the Connected App Name and a Contact email address in the corresponding sections. Move now to the API (Enable OAuth Settings) section and flag the Enable OAuth settings option. When this option is selected, several configuration options will be shown underneath.
Open now the OpenID Connect configuration page in Docebo (Admin Menu → OpenID Connect → Manage), and copy the values shown in the Platform URLs section in the corresponding fields of this page. In the Callback URL, paste both the Login URL and the Code URL values on two separate lines, without separation characters.
Define now the Selected OAuth Scope by adding Allow access to your unique identifier and Access your basic information (id, profile, email, address, phone) to the Selected OAuth Scope box. Check the Configure ID Token option and select Include standard claim from the options shown underneath. If needed, enable the Enable Single Logout option and copy and paste the Docebo Logout URL.
Press Save to complete the configuration. Please note that once you save, it may take up to ten minutes for your App to be created. When the creation procedure is over, you will be redirected to the page of the app you have just created.
Now retrieve the OpenID Connect information for Docebo. The Issuer code comes from the website URL: copy the link from HTTPS to the last letter before the single slash. Copy the Consumer Key and the Consumer Secret values (click on Click to Reveal to see the code in clear) and paste them into the Client ID and Client Secret fields in the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu → OpenID Connect → Manage).
Finally, compose the Metadata URL value as follows:
{{url}}/.well-known/openid-configuration
Where url is the Identity Provider URL; remove the {{ }}.
The Docebo configuration on Salesforce is completed. Move back to Docebo, set the Auth Type value to Query String, and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the article Docebo for OpenID Connect.
When users log in to the platform for the first time using Salesforce, they will be asked to confirm that Docebo can access their data before proceeding. Please note that if users do not allow Docebo to access their data, then they will not be able to log in.
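The three Metadata URL templates given above for Okta, OneLogin and Salesforce, filled in by a short script that also catches a leftover placeholder and the double slash a trailing "/" on the Issuer would produce. This is an added example, not Docebo code; the function names, the sample host names and Client ID, and the choice to refuse http unless asked are assumptions of the example.

```python
from urllib.parse import quote, urlsplit

# Metadata URL templates as given in this article for each provider.
TEMPLATES = {
    "okta": "{{url}}/.well-known/openid-configuration?client_id={{clientId}}",
    "onelogin": "{{url}}/oidc/.well-known/openid-configuration",
    "salesforce": "{{url}}/.well-known/openid-configuration",
}


def issuer_base(url, allow_http=False):
    """Validate an Issuer value and return it without a trailing slash."""
    url = url.strip()
    # {yourdomainname} or [platformname] copied verbatim from the instructions.
    if any(ch in url for ch in "{}[]"):
        raise ValueError("placeholder left in Issuer: " + url)
    parts = urlsplit(url)
    # The article permits http or https; this example refuses http by default
    # (an assumption of the example) because the client secret is sent there.
    schemes = ("https", "http") if allow_http else ("https",)
    if parts.scheme not in schemes or not parts.hostname:
        raise ValueError("Issuer must be an absolute URL using " + "/".join(schemes))
    if parts.query or parts.fragment or parts.username:
        raise ValueError("Issuer must not carry a query, fragment or credentials")
    return url.rstrip("/")


def metadata_url(provider, issuer, client_id=None, allow_http=False):
    """Fill the provider's template; a trailing slash never yields '//'."""
    filled = TEMPLATES[provider].replace("{{url}}", issuer_base(issuer, allow_http))
    if "{{clientId}}" in filled:
        if not client_id:
            raise ValueError(provider + " needs the Client ID in the Metadata URL")
        filled = filled.replace("{{clientId}}", quote(client_id, safe=""))
    return filled


if __name__ == "__main__":
    # Constructed sample values, not real tenants or credentials.
    print(metadata_url("okta", "https://example.oktapreview.com/", "0oaEXAMPLE123"))
    print(metadata_url("onelogin", "https://example.onelogin.com"))
    print(metadata_url("salesforce", "https://example.my.salesforce.com"))
```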
Microsoft Entra ID (formerly Microsoft Azure Active Directory)
Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certificate is valid).
Sign in to the Microsoft Entra admin center (opens in a new tab) as an administrator.
Register the app:
- Browse to Identity > Applications > App registrations and select New registration.
- Enter the display Name for your application and the supported account types.
- Select Register to complete the initial application registration.
Client ID:
When registration finishes, the Overview panel shows the details of your newly registered app. Copy the application (client) ID and paste it into the Client ID field on the Docebo Open ID connect configuration page.
Redirect URIs:
Now in the left navigation panel, under Manage, select Authentication. Then under Platform configurations, select Add a platform, and under Configure platforms, select the Web tile.
- In the Web expander, under the Redirect URIs section, add the Login URL and Code URL, both copied from the Docebo Open ID connect configuration page.
- Under Implicit grant and hybrid flows, select the types of tokens you want to be issued by the authorization endpoint (ID tokens, Access tokens, or both).
- Note that Access tokens must be selected if you set the option to retrieve claims through the user info endpoint on the Docebo Open ID connect configuration page.
Client secret:
- In the left navigation panel, under Manage, select Certificates & Secrets.
- Select the Client secrets tab and click New client secret.
- Add a description for your client secret and set its expiration, then click Add.
Copy the secret’s Value and store it in a safe place. This secret value is never displayed again after you leave this page.
- Paste the secret Value into the Client secret field of the Docebo Open ID connect configuration page.
Metadata and Issuer:
Return to the app Overview panel, and from there in the top navigation select Endpoints.
- Copy the OpenID Connect metadata document URI and paste it into the Metadata URL field of the Docebo Open ID connect configuration page.
- Next, paste the same OpenID Connect metadata document URI into the browser address bar and navigate to the page, which is a JSON file.
- Search the JSON page for the string issuer and note the issuer URL, which should look similar to this: https://login.microsoftonline.com/{tenantid}/v2.0
- Copy this issuer URL and paste it into the Issuer field of the Docebo Open ID connect configuration page.
Check open ID Connect configuration fields on Docebo platform
At this point of the configuration, you should have completed all the fields in the OpenID client section of the Docebo Open ID Connect configuration page: Issuer, Client ID, Client secret, and Metadata URL.
Finishing steps:
To complete the configuration of the communication between Docebo and Microsoft Entra ID:
- Set the Auth Type value as required by your identity provider. Refer to the article Docebo for OpenID Connect for more information.
- Click Continue to proceed and activate the parameters of the second part of the configuration.
- Complete the configuration by following the instructions provided in the article Docebo for OpenID Connect. When you are finished click Save changes.
When a user logs in to Docebo via Microsoft Entra ID for the first time after the configuration, a pop-up message will prompt the user to grant the necessary permissions to the Docebo app.
- The user must press Accept to continue. Please note that without this access permission, the integration will not work.
Microsoft Azure AD B2C
Please note: The go.Learn mobile app is incompatible with Microsoft Azure AD B2C when at the time of registering a new app you select either of the following from the list of Supported Account Types:
- Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Personal Microsoft accounts only
Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certificate is valid). Connect to the Microsoft Azure Active Directory website as an Admin. From the search bar in the top area of the All Services page, look for Azure AD B2C and select it from the search results. For more information about connecting to the B2C Azure website please read the notification on Microsoft's website (opens in a new tab).
Once on the Azure AD B2C page, select App registrations from the Manage menu. Next, in the App registrations page, press the New registration button.
Next, press the Authentication tab in the Manage menu and press the Add a platform button. In the following Configure platforms screen, press the Web button in the Web applications section.
Then, in a separate browser window open your Docebo Platform and navigate to the Admin Menu, locate the OpenID Connect section and press Manage. In the resulting window, locate the Platform URLs section and copy the Code URL value to your clipboard.
Return to the Azure AD B2C browser tab and in the Configure Web window, paste the URL into the first text box labeled Enter the redirect URI of the application. Then, return to the Docebo Platform tab and copy the Logout URL to your clipboard. Returning to the Azure AD B2C browser tab, paste the URL into the Front-channel logout URL text box.
Next, access the Certificates & secrets entry in the Manage menu and in the Client Secrets tab, press the New client secret button. Then, in the Add a client secret window, enter a description for the client secret, select the Recommended expiration duration of 180 days and press the Add button.
Returning to the Client secrets tab, your new client secret value will be visible in the list. Press the Copy to Clipboard icon next to the client secret value and then return to the Docebo Platform tab. There, navigate to the Admin Menu and access the Advanced Settings item located in the Settings menu.
In the Advanced Settings, access the OpenID Connect Settings menu item and in the OpenID Client section, paste the contents of your clipboard into the Client Secret field.
Next, to retrieve the value to paste into the Issuer field in the OpenID Client section, return to the Azure AD B2C tab of your browser and access the Overview area located above the Manage menu. Copy and paste the Tenant ID displayed on this page into a text editor, such as Notepad, as you will need to insert it later. Then, press the Endpoints button and in the resulting window, press the copy to clipboard button located in the OpenID Connect Metadata Document field.
Also paste this URL into your text editor for later use.
Next open a new tab in your browser and paste the URL into the address bar. Perform a search on the page for the string issuer and note the URL which should look similar to this:
https://login.microsoftonline.com/{tenantid}/v2.0
Replacing {tenantid} with your Tenant ID will give you the URL you need to paste into the Issuer value in the OpenID Connect Client section.
To find the Metadata URL, return to your text editor and in the URL you pasted there, replace the word organizations with your Tenant ID. You can now paste this updated URL into the Metadata URL field of the OpenID Connect Client section.
https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
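The two Tenant ID substitutions described above, followed by the consistency check that OpenID Connect Discovery defines: the Metadata URL is the Issuer plus /.well-known/openid-configuration, and the issuer inside the document is identical to the Issuer field. This is an added example, not Docebo or Microsoft code; the function names, the tenant GUID and the sample discovery document are constructed for illustration.

```python
import re

WELL_KNOWN = "/.well-known/openid-configuration"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample values; the tenant ID is a made-up GUID.
TENANT = "11111111-2222-3333-4444-555555555555"
COPIED_METADATA_URL = "https://login.microsoftonline.com/organizations/v2.0" + WELL_KNOWN
COPIED_ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"


def tenant_values(metadata_url, issuer, tenant_id):
    """Apply both substitutions from the article; return (issuer, metadata_url)."""
    if not GUID.fullmatch(tenant_id):
        raise ValueError("Tenant ID is not a GUID")
    if "{tenantid}" not in issuer or "/organizations/" not in metadata_url:
        raise ValueError("nothing to substitute; check what was copied")
    return (issuer.replace("{tenantid}", tenant_id),
            metadata_url.replace("/organizations/", "/" + tenant_id + "/", 1))


def config_problems(issuer, metadata_url, document):
    """List mismatches between the Docebo fields and a discovery document."""
    problems = []
    for field, value in (("Issuer", issuer), ("Metadata URL", metadata_url)):
        if "{" in value or "}" in value:
            problems.append(field + " still contains a placeholder")
        if not value.startswith("https://"):
            problems.append(field + " is not an https URL")
    if metadata_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("Metadata URL is not the Issuer followed by " + WELL_KNOWN)
    if document.get("issuer") != issuer:
        problems.append("issuer in the document differs from the Issuer field")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(document.get(key, "")).startswith("https://"):
            problems.append(key + " is missing or not https")
    return problems


def sample_document(tenant):
    """Constructed discovery document holding only the fields checked above."""
    base = "https://login.microsoftonline.com/" + tenant
    return {
        "issuer": base + "/v2.0",
        "authorization_endpoint": base + "/oauth2/v2.0/authorize",
        "token_endpoint": base + "/oauth2/v2.0/token",
        "jwks_uri": base + "/discovery/v2.0/keys",
    }


if __name__ == "__main__":
    issuer, metadata = tenant_values(COPIED_METADATA_URL, COPIED_ISSUER, TENANT)
    print(config_problems(issuer, metadata, sample_document(TENANT)))
    print(config_problems(COPIED_ISSUER, COPIED_METADATA_URL, sample_document(TENANT)))
```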
The configuration of the communication between Docebo and Microsoft Azure AD B2C is complete. Set the Auth Type value to Query String and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the article Docebo for OpenID Connect. When a user logs in to Docebo via Microsoft Azure AD B2C for the first time after the configuration, a pop-up message will ask him/her to confirm that he/she allows the Docebo app to access the data stored in Microsoft Azure Active Directory and to view his/her basic profile. Press Accept to continue. Please note that if you do not provide your permission, the integration will not work.
Ping Identity
When configuring Ping Identity with OpenID Connect, there is no Ping Identity app to be activated in your platform. Start the configuration from the Identity Provider.
Log in to Ping Identity with your administrator account and in the Applications Tab under Connections, choose Add Application by clicking on the plus icon.
You will next be presented with a choice of application type. Press the Web App button, followed by the Configure button in the resulting pop-up.
Next, give the application a name of your choice, add an icon (if desired) and press the Next button.
Next, you will need to find the appropriate URLs to use within the platform. Open a new tab and in Docebo click on the gear icon, find OpenID Connect and click on Manage. The top three URLs are what you are going to need for the next step in Ping Identity.
Paste the three URLs into the Redirect URLs box and press the Save and Continue button.
You will next be presented with a list of available scopes to use with your configuration. In order to minimize the amount of unnecessary data being exchanged between systems and for security purposes choose only the OpenID scopes that are necessary for the platform and press the Save and Continue button.
In the next screen, you may customize the Attribute Mapping to suit your needs, if necessary. The default settings do not need to be changed in order for Ping Identity to function properly. Press the Save and Close button to continue.
On the next screen, press the pencil button to the right of the displayed configuration to edit your newly created configuration. Find the Redirect URIs box and copy/paste the URL ending in “logout” to the Signoff URLs box below. Then press the Save button.
You will then be presented with a list of URLs that need to be copied into the OpenID Connect Management screen, in the Docebo platform. The fields needed within the platform correspond to the same information given in Ping Identity except for Metadata URL which is the URL named OIDC Discovery Endpoint in Ping Identity. Then click on the Continue button.
Next in the Scope section select all required entries corresponding to the scopes you defined in Ping Identity. Under Token Exchange Method choose Post and under SSO Behavior check the box next to Show SSO button on login page. Then move to the User Provisioning section and check Enable and If user already exists, update the user information.
Press the Save Changes button in OpenID Connect and you will now be able to log into your platform using Ping Identity.