Introduction
This article describes how to configure Salesforce as a SAML 2.0 identity provider (IdP) for Standard SAML SSO in Docebo. Instructions are available for both the Salesforce Classic and Salesforce Lightning experiences.
Best practice: When an SSO integration and a custom domain, configured in Domain Management, are set up at the same time, it is strongly suggested to configure the custom domain first. The endpoint URLs needed for the SSO integration are dependent on the URL of the platform.
Requirements and limitations
- The configuration detailed throughout this article refers to the Salesforce V2 Integration. Learn more about enabling the SSO for the Salesforce V3 integration.
- The Docebo for SAML integration must be active in your platform.
- Configuring Salesforce as an identity provider for SAML SSO does not require the Docebo Salesforce app to be active in your platform. The Salesforce connected app described in this article is created specifically for SSO purposes and cannot be replaced by any connected app already configured for the Docebo Salesforce integration.
- Docebo does not provide support for Salesforce or other third-party technologies implementing the SAML 2.0 protocol. This article is intended only as a set of best practices for IT administrators. Docebo cannot be held liable for any damage or malfunction due to an incorrect Salesforce configuration.
Please note: This article covers Standard SAML SSO only. Smart SAML SSO configuration is not covered here.
Step 1: Configure your Salesforce Identity
Salesforce Identity connects your Salesforce organization users with external applications and services, while providing administrative tools for monitoring, maintaining, and reporting user applications and authorization. It is available in Salesforce Classic, Enterprise, Performance, Unlimited, Developer, and Database.com Editions.
Start by setting up My Domain. In Salesforce, go to Setup, then Domain Management, then My Domain. Insert your domain name, check its availability and register it. Once registered, select the Click here to Login button, then select Deploy to Users.
Next, enable SAML. The path differs depending on your Salesforce experience:
- Classic: Setup, then Security Controls, then Single Sign-on Settings, then Federated Single Sign-On Using SAML. Select the Edit button, then enable SAML.
- Lightning: Setup, then Identity, then Single Sign-on Settings, then Federated Single Sign-On Using SAML. Select the Edit button, then enable SAML.
Step 2: Configure connected app
The navigation path for creating a connected app differs depending on your Salesforce experience:
- Classic: Setup, then Create, then Apps, then Connected App, then New.
- Lightning: Setup, then New External Client Apps Settings, then Connected Apps, then New Connected App.
Once you have opened the new connected app form, fill in the following basic information:
| Field | Value |
|---|---|
| Connected App Name | DOCEBO |
| API Name | DOCEBO_SSO_SAML_APP |
| Contact Email | Your Salesforce administrator's email address |
| Logo Image URL | https://www.docebo.com/wp-content/uploads/2015/10/docebo_logo_200x125.png |
| Icon URL | https://www.docebo.com/wp-content/uploads/2015/10/docebo_icon16x16.png |
Then fill in the following information in the Webapp Settings area:
| Field | Value |
|---|---|
| Start URL | [Your platform domain name]/lms/index.php?r=site/sso&sso_type=saml |
| Enable SAML | TRUE |
| Entity Id | The EntityID value from your Docebo SAML 2.0 metadata |
| ACS URL | The AssertionConsumerService Location value from your Docebo SAML 2.0 metadata |
| Subject Type | Username |
| Name ID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| Issuer | [Your platform domain name].my.salesforce.com |
Please note: The Entity ID and ACS URL values must be copied from your Docebo SAML 2.0 metadata file. The metadata is available in Docebo under Admin Menu, Settings, SAML Settings. The values shown above are illustrative only and will differ depending on your platform configuration. If your platform uses the Extended enterprise app, the Entity ID and ACS URL may differ for each domain.
For Lightning only: In the Security section, set the Signing Algorithm for SAML Messages to SHA256 and select a certificate in the Select an IDP Certificate field.
When finished, press Save.
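The Entity Id and ACS URL entered in Webapp Settings decide where Salesforce delivers signed assertions, so it is worth extracting them from the Docebo metadata programmatically rather than by eye. The following is an added example, not Docebo or Salesforce code: it reads the two values from a service provider metadata document and rejects an ACS URL that is not HTTPS or does not point at the current platform domain (for example, one copied before a custom domain was configured). The host `lms.example.com`, its paths and the function name `sp_values` are assumptions, and the check assumes the response is delivered over the HTTP-POST binding.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; lms.example.com and its paths are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://lms.example.com/sp/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lms.example.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_values(metadata_xml, platform_host):
    """Return (entity_id, acs_url) for the connected app, or raise ValueError."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{MD}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    # Assumption: the SAML response is posted, so take the HTTP-POST endpoint.
    acs = [e.get("Location") for e in root.iter(f"{MD}AssertionConsumerService")
           if e.get("Binding") == POST]
    if len(acs) != 1:
        raise ValueError(f"expected one HTTP-POST ACS endpoint, found {len(acs)}")
    url = urlsplit(acs[0])
    if url.scheme != "https":
        raise ValueError("ACS URL is not https")
    # A stale ACS host breaks SSO and sends assertions to a host that is
    # no longer the platform, so compare it with the domain in use today.
    if url.hostname != platform_host.lower():
        raise ValueError(f"ACS host {url.hostname} is not {platform_host}")
    return entity_id, acs[0]
```

With the Extended enterprise app, run the check once per domain against that domain's own metadata.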
Step 3: Download metadata
Next, download the Salesforce metadata you will need to configure SAML SSO in Docebo. The navigation path differs depending on your Salesforce experience:
- Classic: Setup, then Manage Apps, then Connected App, then DOCEBO.
- Lightning: Setup, then Connected App, then Manage Connected Apps, then DOCEBO.
Once you are on the DOCEBO app page, select the Download Metadata button in the SAML Login Information section.
Please note:
- When a user logs in through Salesforce SSO, Salesforce sends user attributes in the SAML response. By default, these include the user's username and email address. If your configuration requires additional attributes to be passed to Docebo, you can add custom attribute statements in the Connected App settings in Salesforce.
- If your configuration requires Single Logout (SLO), you must enable the Service Provider certificate in Docebo. You must also configure the corresponding certificate and request signature settings on the Salesforce side. Refer to the SAML SSO documentation for guidance on enabling request signing in Docebo.
Step 4: Deploy connected app to Salesforce users
Assign the connected app to the Salesforce profiles or permission sets that should be able to use it for SSO. The navigation path differs depending on your Salesforce experience:
- Classic: If your configuration requires Single Logout (SLO), you must enable the Service Provider certificate in Docebo. You must also configure the corresponding certificate and request signature settings on the Salesforce side. Refer to the SAML SSO documentation for guidance on enabling request signing in Docebo.
- Lightning: Setup, then Connected App, then Manage Connected Apps, then DOCEBO. On the app page, select Manage Profiles in the Profiles area, select the relevant profiles and select Save.
Please note: Users who are not assigned to one of the selected profiles or permission sets will not be able to log in to Docebo using Salesforce SSO.
Step 5: Configure SAML SSO inside Docebo
Now, you can configure the SAML app in Docebo using your information from Salesforce. Log into the platform as a Superadmin and access the Navigation menu > Add-ons and integrations (jigsaw icon) > SAML. Fill in the required fields as follows:
- Identity Provider ID: Your Salesforce domain
- XML Metadata: The metadata that you downloaded from Salesforce
- Username attribute: In the Username attribute field, enter the Salesforce attribute that uniquely identifies each user in Docebo. In most configurations, this is the user's email address. Any Salesforce user attribute can be used, provided it matches the value of the Unique Field configured for your users in Docebo. The Unique Field can be set to Username, UUID or Email in your Docebo SAML settings.
Please note: The sfdc_user_type and sfdc_id attributes are only required when using the Docebo Salesforce app for user synchronization and provisioning. They are not required for Standard SAML SSO.
Refer to the SAML section of the Knowledge Base to complete the rest of the SAML fields in your learning platform.
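The XML Metadata field establishes which signing certificate Docebo will trust, so the downloaded file deserves a check before it is pasted in. The following is an added example, not Docebo or Salesforce code: it confirms that the metadata's entityID is the Issuer set on the connected app, that the single sign-on endpoints use HTTPS, and returns the SHA-256 fingerprint of each signing certificate for comparison with the certificate selected in Salesforce. The domain `acme.my.salesforce.com`, the endpoint path, the placeholder certificate bytes and the function name `check_idp_metadata` are assumptions, as is the premise that the metadata entityID carries the Issuer value.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the domain and endpoint path are placeholders, and
# FAKE_DER stands in for the DER bytes of a real signing certificate.
FAKE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://acme.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.my.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(metadata_xml, expected_issuer):
    """Return the SHA-256 fingerprints of the signing certificates, or raise."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != expected_issuer:
        raise ValueError(f"entityID {root.get('entityID')!r} is not the configured Issuer")
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    for sso in idp.iter(f"{MD}SingleSignOnService"):
        if not sso.get("Location", "").startswith("https://"):
            raise ValueError(f"SSO endpoint is not https: {sso.get('Location')}")
    fingerprints = []
    for key in idp.iter(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without a use attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iter(f"{DS}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in the metadata")
    return fingerprints
```

The fingerprint only identifies which certificate the file carries; it does not validate any signature on a SAML response.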
Step 6: App Launcher in action
You can now see the app launcher for Docebo directly within Salesforce. Refer to the two following screenshots for examples of how the app launcher looks in the Salesforce interface: