Introduction

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows you to verify the identity of users based on the authentication performed by an Authorization Server, and to obtain basic profile information about them in an interoperable way. Docebo supports the OpenID Connect Authorization Code flow, which is one of the available flows for authentication. Please refer to the OpenID Connect technical documentation for further information.

By activating the OpenID Connect app in your Docebo platform, users will be able to log into their Docebo platforms using the credentials from active sessions of other web platforms.  When the app is active, users can press the OpenID Connect icon in the Docebo login page to connect to the platform with the credentials of other web platforms, and will also be allowed to log into the Docebo platform from the OpenID Connect dashboard, by pressing the Docebo platform icon. If a user requesting to login does not exist in Docebo yet, he or she will be automatically created at the first login.

This article will give you a step-by-step process of how to activate and configure the app. Please note that the integration with OpenID Connect is available for all customers using the 7.0 theme, and for Docebo’s Extended Enterprise App.

Please Note: When using OpenID Connect, you can integrate a single Identity Provider per platform domain. If you need to integrate other identity providers for the same domain, please use another protocol.

The mobile application Go.Learn supports most OpenID Connect authentication configuration examples described in this article.

Activating the OpenID Connect App

Activate the OpenID Connect app as described in the Managing Apps & Features article of the Knowledge Base. The app is listed in the Single Sign On tab.

Once it’s activated, you can begin the configuration. Please refer to the section below to learn more.

Configuring the OpenID Connect App

To begin the configuration for this app, log into your platform as Superadmin and access the Admin Menu from the gear icon on the top right corner. Then, find the OpenID Connect section in the Admin Menu and press the Manage subitem. You will be redirected to the OpenID Connect Settings page.

The URLs listed in the Platform URLs section are automatically generated by your platform, and must be passed to your Identity Provider for a proper configuration of the Docebo platform in their platforms:

• Login URL. 3rd-party application login page for federated authentication using OpenID Connect
• Logout URL. Logout URL used to log the current user out of the 3rd-party application
• Code URL. Redirect URL of the 3rd-party application for OpenID Connect code responses. Please note that if you want to use OpenID Connect SSO on your Go.Learn or branded mobile app, you need to add the ?device=mobileparameter at the end of the code URL.

The OpenID Client section must be filled in with the details of the Identity Provider you are integrating. Copy and paste this data from the provider into this section in your Docebo platform. Check the technical documentation of your identity provider for information on how to obtain this data. If your Identity Provider is OKTA, OneLogin, Salesforce, Microsoft Azure Active Directory, Microsoft Azure AD B2C or Ping Identity, you’ll find Configuration Examples listed at the end of this article.

• Issuer. Authorization Server’s complete URL
• Client ID. Client ID of the client requesting to access the token
• Client Secret. This client secret is used in conjunction with the Client ID to authenticate the client application
• Metadata URL. Returns OpenID Connect metadata related to the specified authorization server. The Metadata URL provides all the data configurable in the second section of the OpenID Connect configuration page.

Use the Auth Type section to select whether to activate the Basic Auth or the Query String Authentication Type, depending on the Identity Provider you are using. The Basic Auth type is the default selection because it’s the most commonly used. Please refer to the documentation of your Identity Provider to retrieve this information.

Press Reset at any time to start the configuration from scratch, or press Continue to activate the second slot of parameters, and to proceed with the configuration. The upcoming options are self-populated by the Metadata URL.

Username Attribute

In Username Attribute section, select one of the options that are auto-provided by the Identity Provider. The attribute that you select will be the username for your users in the Docebo platform. When making your selection, make sure that the selected attribute is populated for all your users in the Identity Provider. Please note that the selected attribute must be a unique identifier. For example, if you select Family Name as username attribute, you must be sure that none of your users have the same family name. We suggest selecting Email as Username Attribute.

Also remember that if you selected the First Name and Last Name are required in order to register option in the Self Registration tab of the Advanced Settings section of Docebo Admin Menu, the Identity Provider must provision the users' first and last names for a proper registration to the platform.

Scope

The elements of the Scope list are also auto-populated and depend on the endpoint. This is a list of the available profile information retrieved by the Metadata URL inserted in the OpenID Client section. Select the user data you want to retrieve from the Identity Provider via ID Token by checking the corresponding checkboxes. Please note that Email and Profile are mandatory scopes and must always be checked.

The selected options in this section identify the data that will populate the user profile when the user is created in the platform, at first login. If the ID Token includes additional fields, group or branch assignments to Docebo, this information will be taken into account, and populated in the Docebo platform.

Notes About Scopes

• The integration works only with id_token to retrieve the access token. Currently, the userinfo endpoint is not supported.
• Scopes named custom are not supported

Token Exchange Method

Use this setting to define how the system sends the JWT data request to the Identity Provider. By default, Docebo sends requests via the URL using GET parameters. When using the POST option, Docebo sends requests via the URL using POST parameters, adding them to the BODY of the call.

The GET option is simpler and sends the data through the URL, while the POST option is more complex, but uses a more effective encryption method.

This option is set to GET by default. When using this setting, make sure you have properly configured your Identity Provider according to the selected option.

Both the GET and the POST requests send the following data for the authorization code authentication type:

• Code. The Code value exchanged by the OpenID standard, when using the authorization code authentication type
• Redirect URI. URI where Docebo sends the JTW.

When using the basic auth authentication type, the following data is also sent:

• Client ID
• Client Secret

Certification Rotation

When the Certification Rotation option is enabled, the Docebo platform will retrieve the key that is valid at the time of the request from an URL defined by the OpenID Connect standard. The Identity Provider will auto-enable the option to refresh the certification autonomously. This is part of the standard relation, and it is either auto-flagged or not.

If the Identity Provider does not support the certification rotation, but this option is enabled, an error message will be shown.

SSO Behavior

The SSO behavior can be configured in two different ways. Define whether you want to show the standard Docebo platform login page, or if you want to automatically redirect the users to the Identity Provider dashboard. When the first option is flagged, define whether you want to show the SSO button on your platform’s login page.

When selecting the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users log out of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.

Logout Behavior

The Logout Behavior section allows you to configure if users will be automatically logged out from the Identity Provider when they log out from the Docebo platform. As an additional option, you can select a custom third party logout endpoint, able to receive the logout message via GET in order to complete the Single LogOut; this option is supported by a few Identity Providers.

User Provisioning

This section allows you to instantly create a user who is present in your Identity Provider but not yet present in the database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via OpenID Connect. When editing the user profile, the options will be greyed out.

If there are users existing in both databases, we suggest you flag the option to update the user information for the existing users. Please note that when these options are not flagged, you will have to manually register (enable option) or update your users (update information) in the Docebo platform.

Please note that OpenID Connect automatically populates the Identity Provider additional fields, so remember to select them one by one from the Add Fields dropdown menu and to associate them to the Docebo user additional fields in the section displayed for each additional fields after the selection. Please remember that if you set some user additional field as mandatory in your Docebo platform, they must be mapped in this section in order to be populated in your platform. If the mandatory additional fields are not populated, the user will not be created.

Click Save Changes to complete the configuration.

The Additional Field types that are supported for user provisioning in this integration are:

• Dropdown (use the dropdown ID in the Attribute statement)
• Text Field
• Fiscal Code - Country (use the ID of country in the Attribute statement)
• Date Field (format: YYYY-MM-DD)
• Yes/No Field  

Additional Field types that are not supported:

• IFrame
• File Field
• Free Text Field

Configuration Examples

This section provides you with some examples on how to configure and integrate some of the most popular Identity Providers. If your vendor is not listed here, please refer to the above documentation.

• OKTA Configuration Example
• OneLogin Configuration Example
• Salesforce Configuration Example
• Microsoft Azure AD Configuration Example
• Microsoft Azure AD B2C Configuration Example
• Ping Identity Configuration Example

OKTA

When configuring OKTA with OpenID Connect, the OKTA app does not need to be activated in your platform. Start by connecting to the Okta website as an Admin, click on Admin on the top right corner, then move to the Applications tab and click Add Application to create the Docebo App in Okta, registering it as a Service Provider. Click on Create New App.

In the pop-up box, select Web as Platform Type and OpenID Connect as Sign On Method. Press Create to proceed. Type the Application Name (can either be Docebo, or the App as renamed for your company) and add a logo to identify the App in the OpenID Connect dashboard. The logo upload is optional but can be very useful to quickly identify the Docebo platform in the OpenID Connect dashboard.

Open the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), and copy the values shown in the Platform URLs section in the corresponding fields of the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta. In the Login redirect URIs section, copy and paste the Login URL and the Code URL values from Docebo, in this order. Press Add URI button to insert a new row.  Copy and paste the Logout URL value from Docebo in the OKTA’s Logout redirect URIs section. Press Add URI button to insert a new row. Press Save to proceed.

Retrieve now the OpenID Connect information from the Configure OpenID Connect section of the Create OpenID Connect Integration page in Okta, and paste them into the Open ID Client section of the OpenID Connect configuration page in Docebo. Move to the General tab, copy the Client ID and the Client Secret values, and copy them in the corresponding fields in Docebo. Retrieve the Client Issuer code from your OKTA installation URL: copy the URL from https up to the end of the domain name (i.e https://{yourdomainname}.oktapreview.com/) and paste it in the Issuer.

Finally, compose the Metadata URL value as follows:

  {{url}}/.well-known/openid-configuration?client_id={{clientId}}

where:

• {{url}} is the Issuer Code (including the https or the http protocol), remove {{ }}
• {{clientId}} is the Client ID value, remove {{ }}

Copy the resulting URL and paste it as Metadata URL value in Docebo.

On the Okta website, define the users allowed to use the app. Move to the Assignments tab and add the users, either one by one or with mass action. Click Assign and select either Assign to People or Assign to Groups, depending on your needs. Select the users and/or the groups previously created in Okta, click on Assign and Done to complete the action.

The Docebo configuration on Okta is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

OneLogin

When configuring OneLogin with OpenID Connect, the OneLogin app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to OneLogin, click on Administration on the page upper bar, select the Apps tab and click on Custom Connectors.

Create a custom connector in order to register Docebo as Service Provider. Click on New Connector on the top right corner. Enter your Docebo App Name (i.e yourtrial.docebosaas.com) and press Thick to confirm. You will see the Basic Configuration page. Add an icon to identify the App in the OpenID Connect dashboard. The icon upload is optional but can be very useful to quickly identify the Docebo platform in the OpenID Connect dashboard. In the Sign On Method section, select OpenID Connect.

Open the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), and copy the values shown in the Platform URLs section in the corresponding fields in OneLogin, as follows. In the OneLogin OpenID Connect section, paste the Docebo Code URL in the redirect URI field. Move to the Login URL section and paste the Login URL in the Login URL field. Press Save to continue.

Please note that OpenID Connect enables service-provider-initiated (SP-initiated) SSO, but not identity-provider-initiated (IdP-initiated) SSO. When you provide a Login URL, OneLogin mimics an IdP-initiated SSO experience: the user is taken to the app’s login page, where the SP-initiated authentication flow begins. Refer to the OneLogin Knowledge Base for further info. When configuring the integration with Docebo, type the pure platform URL (https://[platformname].docebosaas.com) in the Login URL field in OneLogin, and set the SSO behavior to Automatic Redirect in Docebo OpenID Connect configuration page.

Move to the Apps tab, select Add Apps and search for OpenID Connect in the search bar. Select OpenId Connect (OIDC) among the search results listed in the Find Application page. Either confirm or select your subscription plan and press Continue. Insert the App name and description. In the Configuration tab, copy and paste the Login URL from Docebo in the Login Url fields and the Code URL and the Logout URL in the Redirect URI’s section, as separate lines. Press Save to proceed.

Retrieve now the OpenID Connect information from OneLogin. The Issuer code comes from the OneLogin website URL: copy the link from https to the last letter before the first single slash (do not copy the slash). Move now to the SSO tab.

Copy the Client ID and the Client Secret and paste them in the corresponding fields of the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage).

Finally, compose the Metadata URL value as follows:

{{url}}/oidc/.well-known/openid-configuration

Where url is the Identity Provider URL, remove {{ }}

Define now the users allowed to use the app. Move to the Users tab and insert the user accounts that will be able to connect using this Identity Provider.

The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

Salesforce

When configuring Salesforce with OpenID Connect, the Salesforce app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to Salesforce, click on  Setup on the page upper bar. From the left-side menu, reach the Build section, select Create, and finally Apps.

From the Apps page, move to the Connected Apps section, and click New to add Docebo as new application.

In the New Connected App page that will open, type the Connected App Name and a Contact email address in the corresponding sections. Move now to the API (Enable OAuth Settings) section and flag the Enable OAuth settings option. When this option is selected, several configuration options will be shown underneath.

Open now the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), and copy the values shown in the Platform URLs section in the corresponding fields of this page. In the Callback URL, paste both the Login URL and the Code URL values on two separate lines, without separation characters.

Define now the Selected OAuth Scope by adding Allow access to your unique identifier and Access your basic information (id, profile, email, address, phone) to the Selected OAuth Scope box. Check the Configure ID Token option and select Include standard claim from the options shown underneath. If needed, enable the Enable Single Logout option and copy and paste the Docebo Logout URL.

Press Save to complete the configuration. Please note that once you save, it may take up to ten minutes for your App to be created. When the creation procedure is over, you will be redirected to the page of the app you have just created.

Retrieve now the OpenID Connect information for Docebo. The Issuer code comes from the website URL, copy the link from https to the last letter before the single slash. Copy the Consumer Key and the Consumer Secret values (click on Click to Reveal to see the code in clear) and paste them in the Client ID and in the Client Secret into the Open ID Client section of the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage).

Finally, compose the Metadata URL value as follows:

{{url}}/.well-known/openid-configuration

Where url is the Identity Provider URL, remove {{ }}

The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Query String, and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

When users log in to the platform for the first time using Salesforce, they will be asked to confirm that Docebo can access their data before proceeding. Please note that if users do not allow Docebo to access their data, then they will not be able to log in.

Microsoft Azure Active Directory

Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certification is valid). Connect to the Microsoft Azure Active Directory web site as an Admin, and select Azure Active Directory on the left side panel of your dashboard to register the Docebo App, then App Registration from the sub-menu. Click New Application Registration from the top area of the App Registration page.

You will be redirected to the app creation page. Insert a Name for the app and select the Web app/API Application Type. Now open the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), and copy the Login URLs value into the Sign-on URL field. Press Create to proceed. The Docebo app has been created and registered in Microsoft Azure Active Directory. Now, select the Docebo app from the dashboard, click Settings from the app page and move to the Reply URLs option of the General menu. Once again, open the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), and copy the Code URL in the right panel. Press Save to confirm.

While you’re still on the Settings page, move to the Keys option of the API Access menu to set the access key that will be needed later to complete the Microsoft Azure Active Directory configuration in Docebo. Insert a Description for your access key, and set the Expires value to Never Expires so that you won’t need to change it in the future. Press Save to generate the access key value. The value is automatically generated by Microsoft Azure Active Directory and displayed in the Value text area in the row of your access key. Copy the access key value and store it in a safe place, as you will not be able to retrieve it again after leaving this page.

The Docebo app configuration in Microsoft Azure Active Directory is complete. Now, move to your Docebo platform (logged in as a Superadmin) to configure the integration on the Docebo platform side (Admin Menu - OpenID Connect - Manage). Refer to this article of the Microsoft Azure Active Directory Knowledge Base to retrieve Metadata URL value. The Issuer will be made available in the Metadata URL output. The Client ID value corresponds to the Application ID value displayed in the Settings page of the Docebo app in Microsoft Azure Active Directory. Finally, fill in the Client Secret field with the access key value generated in the Keys section in Microsoft Azure Active Directory.

The configuration of the communication between Docebo and Microsoft Azure Active Directory is complete. Set the Auth Type value to Query String and press Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.

When a user logs in Docebo via Microsoft Azure Active Directory for the first time after the configuration, a pop-up message will ask him/her to confirm that he/she allows the Docebo app to access the data stored in Microsoft Azure Active Directory and to view his/her basic profile.

Press Accept to continue. Please note that if you do not provide your permission, the integration will not work.

Microsoft Azure AD B2C

Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certification is valid). Connect to the Microsoft Azure Active Directory website as an Admin. From the search bar in the top area of the All Services page, look for Azure AD B2C and select it from the search results.

Once on the Azure AD B2C page, select Applications from the Manage menu. In the Azure AD B2C - Applications page, click Add to add Docebo. Start adding the Docebo app by typing the app name and by setting the options in the Web App / Web API section (Include web app / web API and Allow implicit flow) to Yes.

Please note that the go.Learn mobile app is incompatible with Microsoft Azure AD B2C when at the time of registering a new app you select either of the following from the list of Supported Account Types:

• Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
• Personal Microsoft accounts only

Retrieve the value for the Reply URL field from your Docebo platform. Open the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage), copy the Code URL and paste it into this field. Press Create to confirm the app creation. The Docebo app is now listed in the Applications page. Click on the app name to access its Properties page. In the Reply URL section, type the Login URLs value retrieving it from the OpenID Connect configuration page in Docebo (Admin Menu - OpenID Connect - Manage) and press Save to confirm your entry.

Now move to the Keys option of the General menu to set the access key that will be later needed to complete the Microsoft Azure AD B2C configuration in Docebo. Click Generate Key.

Enter a description for your key and press Save. Upon saving, the system will generate the access key. Copy the access key value and store it in a safe place since you will not be able to retrieve it again after leaving this page.

The Docebo app configuration on Microsoft Azure AD B2C is complete. Move now to Docebo to configure the integration on the Docebo platform side (Admin Menu - OpenID Connect - Manage). Refer to this article of the Microsoft Azure Active Directory Knowledge Base to retrieve Metadata URL value. The Issuer will made available in the Metadata URL output. The Client ID value corresponds to the Application ID value displayed in the Properties page of the Docebo app in Microsoft Azure AD. Finally, fill the Client Secret field with the access key value generated in the Keys section in Microsoft Azure AD B2C.

The configuration of the communication between Docebo and Microsoft Azure AD B2C is complete. Set the Auth Type value to Query String and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article. When a user logs in Docebo via Microsoft Azure AD B2C for the first time after the configuration, a pop-up message will ask him/her to confirm that he/she allows the Docebo app to access the data stored in Microsoft Azure Active Directory and to view his/her basic profile. Press Accept to continue. Please note that if you do not provide your permission, the integration will not work.

Ping Identity

When configuring Ping Identity with OpenID Connect, there is no Ping Identity app to be activated in your platform. Start the configuration from the Identity Provider.

Log in to Ping Identity with your administrator account and in the Applications Tab under Connections, choose Add Application by clicking on the plus icon.

You will next be presented with a choice of application type, press the Web App button followed by the Configure button in the resulting pop-up.

Next give the application a name of your choice, add an icon (if desired) and press the Next button.

Next, you will need to find the appropriate URLs to use within the platform. Open a new tab and in the Docebo LMS click on the gear icon, find OpenID Connect and click on Manage. The top three URLs are what you are going to need for the next step in Ping Identity.

Paste the three URLs into the Redirect URLs box and press the Save and Continue button.

You will next be presented with a list of available scopes to use with your configuration. In order to minimize the amount of unnecessary data being exchanged between systems and for security purposes choose only the OpenID scopes that are necessary for the platform and press the Save and Continue button.

In the next screen you may customize the Attribute Mapping to suit your needs, if necessary. The default settings do not need to be changed in order for Ping Identity to function properly. Press the Save and Close button to continue.

In the next screen press the pencil button to the right of the displayed configuration to edit your newly created configuration. Find the Redirect URIS box and copy / paste the URL ending in “logout” to the Signoff URLs box below. Then press the Save button.

You will then be presented with a list of URLs that need to be copied into the OpenID Connect Management screen, in the Docebo platform. The fields needed within the platform correspond to the same information given in Ping Identity except for Metadata URL which is the URL named OIDC Discovery Endpoint in Ping Identity. Then click on the Continue button.

Next in the Scope section select all required entries corresponding to the scopes you defined in Ping Identity. Under Token Exchange Method choose Post and under SSO Behavior check the box next to Show SSO button on login page. Then move to the User Provisioning section and check Enable and If user already exists, update the user information.

Press the Save Changes button in OpenID Connect and you will now be able to log into your platform using Ping Identity.

Authentication Flow

As of October 26, 2021, Docebo has implemented a short-lived token in order to provide better security:

Previous Authentication Flow

Before October 26, 2021, the Docebo platform would send a request to the Identity Provider (IdP) and receive a persistent access token.

Each SSO has a slightly different process, but all of them return a link to Docebo with the access token in the URL:

https://mylms.docebosaas.com/learn/home;type=oauth2_response;reenter_cc=0;access_token=9b8de7ed2af145dee78aa4282bf1d3b17baf02cd;expires_in=3600;token_type=Bearer;scope=api

Short Lived Token Authentication Flow

The updated authentication flow provides added security by replacing the IdP provided single-use short-lived token with an internally used access token:

Each SSO has a slightly different process, but all of them return a link to Docebo with the short lived token in the URL. The short lived token is a one use short lived (with a lifespan of 30 seconds) token that can be exchanged for real credentials:

https://mylms.docebosaas.com/learn/signin;type=token_exchange;exchange_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSU

Docebo automatically and internally using POST calls exchanges it for the real access token. This increases security but does not change the overall behavior of the SSO.

Best Practices

When an SSO integration and a custom domain are set up at the same time, it is strongly suggested to configure the Custom Domain first. The endpoint URLs needed for the SSO integration are dependent on the URL of the platform.