Introduction
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows you to verify the identity of users based on the authentication performed by an Authorization Server, and to obtain basic profile information about them in an interoperable way. Docebo supports the OpenID Connect Authorization Code flow, which is one of the available flows for authentication. Please refer to the OpenID Connect technical documentation for further information.
By activating the OpenID Connect app in your Docebo LMS, users will be able to log into their Docebo platforms using the credentials from active sessions of other web platforms. When the app is active, users can press the OpenID Connect icon on the LMS login page to connect to the platform with the credentials of other web platforms, and will also be allowed to log into the LMS from the OpenID Connect dashboard, by pressing the LMS icon. If a user requesting to log in does not exist in Docebo yet, he or she will be automatically created at the first login. This article will give you a step-by-step process of how to activate and configure the app.
Please note that the integration with OpenID Connect is available for all customers using the 7.0 theme, and for Docebo’s Extended Enterprise App.
Please Note: When using OpenID Connect, you can integrate a single Identity Provider per platform domain. If you need to integrate other identity providers for the same domain, please use another protocol.
The mobile application Go.Learn supports OpenID Connect authentication.
Activating the OpenID Connect App
To activate the app, log into your LMS as the Superadmin. Access the Admin Menu from the gear icon in the header, then press the Add New Apps button. Select the Single Sign On tab from the left menu. Find the OpenID Connect app in the list of apps in this tab, then press the Try It For Free button in the app’s row. Read the description in the pop-up box, then press the Try It For Free button again to finalize the activation.
Configuring the OpenID Connect App
To begin the configuration for this app, log into your platform as Superadmin and access the Admin Menu from the gear icon on the top right corner. Then, find the OpenID Connect section in the Admin Menu and press the Manage subitem. You will be redirected to the OpenID Connect Settings page.

Username Attribute
In the Username Attribute section, select one of the options that are auto-provided by the Identity Provider. The attribute that you select will be the username for your users in the LMS. When making your selection, make sure that the selected attribute is populated for all your users in the Identity Provider. Please note that the selected attribute must be a unique identifier. For example, if you select Family Name as the username attribute, you must be sure that none of your users have the same family name. We suggest selecting Email as Username Attribute. Also remember that if you selected the First Name and Last Name are required in order to register option in the Self Registration tab of the Advanced Settings section of the Docebo Admin Menu, the Identity Provider must provision the users' first and last names for a proper registration to the platform.
Scope
The elements of the Scope list are also auto-populated and depend on the endpoint. This is a list of the available profile information retrieved by the Metadata URL inserted in the OpenID Client section. Select the user data you want to retrieve from the Identity Provider via ID Token by checking the corresponding checkboxes. Please note that Email and Profile are mandatory scopes and must always be checked. The selected options in this section identify the data that will populate the user profile when the user is created in the platform, at first login. If the ID Token includes additional fields, or group or branch assignments to Docebo, this information will be taken into account and populated in the LMS.
Please Note: The integration works only with id_token to retrieve the access token. Currently, the userinfo endpoint is not supported.
Token Exchange Method
Use this setting to define how the system sends the JWT data request to the Identity Provider. By default, Docebo sends requests via the URL using GET parameters. When using the POST option, Docebo sends requests via the URL using POST parameters, adding them to the body of the call. The GET option is simpler and sends the data through the URL, while the POST option is more complex, but uses a more effective encryption method.
This option is set to GET by default. When using this setting, make sure you have properly configured your Identity Provider according to the selected option.
Both the GET and the POST requests send the following data for the authorization code authentication type:
- Code. The Code value exchanged by the OpenID standard, when using the authorization code authentication type
- Redirect URI. URI where Docebo sends the JWT.
- Client ID
- Client Secret
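The two settings differ in where the four values above travel. The following added example (not Docebo code) builds both forms of the request without sending them, reports which sensitive values end up in the URL, and masks them in an access-log line; the parameter names are the standard OAuth 2.0 ones and are assumed here, and idp.example, lms.example and the credentials are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request

SENSITIVE = ("code", "client_secret")

def token_request(endpoint, method, code, redirect_uri, client_id, client_secret):
    """Build (without sending) the code-for-token request for the GET or POST setting."""
    params = urlencode({
        "grant_type": "authorization_code",  # standard OAuth 2.0 names, assumed here
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if method == "GET":
        return Request(f"{endpoint}?{params}", method="GET")
    if method == "POST":
        return Request(endpoint, data=params.encode(), method="POST",
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
    raise ValueError("method must be GET or POST")

def secrets_in_url(request):
    """Sensitive parameter names that any URL-logging hop would record."""
    query = dict(parse_qsl(urlsplit(request.full_url).query))
    return sorted(name for name in SENSITIVE if name in query)

def redact_log_line(line):
    """Mask code and client_secret values in an access-log line."""
    return re.sub(r"([?&](?:code|client_secret)=)[^&\s\"]+", r"\1REDACTED", line)

# Constructed values: idp.example, lms.example and the credentials are placeholders.
ARGS = ("abc123", "https://lms.example/oidc/code", "docebo-lms", "s3cr3t")
GET_REQ = token_request("https://idp.example/token", "GET", *ARGS)
POST_REQ = token_request("https://idp.example/token", "POST", *ARGS)
LOG_LINE = ('203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /token?'
            'grant_type=authorization_code&code=abc123&client_id=docebo-lms'
            '&client_secret=s3cr3t HTTP/1.1" 200 1532')

if __name__ == "__main__":
    print("GET  exposes in URL:", secrets_in_url(GET_REQ))
    print("POST exposes in URL:", secrets_in_url(POST_REQ))
    print(redact_log_line(LOG_LINE))
```

With the GET setting, any proxy or server log that records request URLs on the path to the Identity Provider will hold the Client Secret, so such logs need the same protection or redaction as the secret itself.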
Certification Rotation
When the Certification Rotation option is enabled, the LMS will retrieve the key that is valid at the time of the request from a URL defined by the OpenID Connect standard. The Identity Provider will auto-enable the option to refresh the certification autonomously. This is part of the standard relation, and it is either auto-flagged or not. If the Identity Provider does not support the certification rotation, but this option is enabled, an error message will be shown.
SSO Behavior
The SSO behavior can be configured in two different ways. Define whether you want to show the standard LMS login page, or if you want to automatically redirect the users to the Identity Provider dashboard. When the first option is flagged, define whether you want to show the SSO button on your platform’s login page. When selecting the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users log out of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.
Logout Behavior
The Logout Behavior section allows you to configure if users will be automatically logged out from the Identity Provider when they log out from the LMS. As an additional option, you can select a custom third party logout endpoint, able to receive the logout message via GET in order to complete the Single LogOut; this option is supported by a few Identity Providers.
User Provisioning
This section allows you to instantly create a user who is present in your Identity Provider but not yet present in the LMS database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via OpenID Connect. When editing the user profile, the options will be greyed out. If there are users existing in both databases, we suggest you flag the option to update the user information for the existing users. Please note that when these options are not flagged, you will have to manually register (enable option) or update your users (update information) in the LMS. Please note that OpenID Connect automatically populates the Identity Provider additional fields, so remember to select them one by one from the Add Fields dropdown menu and to associate them to the Docebo user additional fields in the section displayed for each additional field after the selection. Please remember that if you set some user additional fields as mandatory in your LMS, they must be mapped in this section in order to be populated in your platform. If the mandatory additional fields are not populated, the user will not be created. Click Save Changes to complete the configuration.
Please Note:
The Additional Field types that are supported for user provisioning in this integration are:
- Dropdown (use dropdown ID in Attribute statement)
- Text Field
- Fiscal Code
- Country (use ID of country in the Attribute statement)
- Date Field (format: YYYY-MM-DD)
- Yes/No Field
Additional Field types that are not supported:
- IFrame
- File Field
- Free Text Field
Configuration Examples
This section provides you with some examples on how to configure and integrate some of the most popular Identity Providers. If your vendor is not listed here, please refer to the above documentation.
OKTA
When configuring OKTA with OpenID Connect, the OKTA app does not need to be activated in your platform. Start by connecting to the Okta website as an Admin, click on Admin on the top right corner, then move to the Applications tab and click Add Application to create the Docebo App in Okta, registering it as a Service Provider. Click on Create New App. In the pop-up box, select Web as Platform Type and OpenID Connect as Sign On Method. Press Create to proceed. Type the Application Name (can either be Docebo, or the App as renamed for your company) and add a logo to identify the App in the OpenID Connect dashboard. The logo upload is optional, but can be very useful to quickly identify the LMS in the OpenID Connect dashboard.
{{url}}/.well-known/openid-configuration?client_id={{clientId}}
where:
- {{url}} is the Issuer Code (including the https or the http protocol), remove {{ }}
- {{clientId}} is the Client ID value, remove {{ }}
Copy the resulting URL and paste it as the Metadata URL value in Docebo. On the Okta website, define the users allowed to use the app. Move to the Assignments tab and add the users, either one by one or with a mass action. Click Assign and select either Assign to People or Assign to Groups, depending on your needs. Select the users and/or the groups previously created in Okta, click on Assign and Done to complete the action.
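A pre-flight check for the Metadata URL template above and for the document it returns, covering what the Scope and Certification Rotation settings rely on. This is an added example, not Docebo or Okta code: the field names come from OpenID Connect Discovery, while idp.example, the sample documents and the mapping of Certification Rotation to jwks_uri are assumptions.

```python
from urllib.parse import quote, urlsplit

MANDATORY_SCOPES = {"email", "profile"}  # mandatory per the Scope section
# jwks_uri is assumed to be the key source used by Certification Rotation.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def metadata_url(issuer, client_id=None, prefix=""):
    """Fill {{url}}[prefix]/.well-known/openid-configuration[?client_id={{clientId}}]."""
    issuer = issuer.strip().strip("{}").rstrip("/")
    if urlsplit(issuer).scheme not in ("http", "https"):
        raise ValueError("issuer must include the http or https protocol")
    url = f"{issuer}{prefix}/.well-known/openid-configuration"
    if client_id:
        url += "?client_id=" + quote(client_id.strip().strip("{}"), safe="")
    return url

def check_discovery(doc, issuer, cert_rotation=True):
    """Return findings for a parsed discovery document; [] means it passed."""
    findings = []
    if doc.get("issuer") != issuer:
        findings.append("issuer mismatch")
    for key in ENDPOINTS:
        value = doc.get(key)
        if value is None:
            if key != "jwks_uri" or cert_rotation:
                findings.append(f"{key} missing")
        elif urlsplit(value).scheme != "https":
            findings.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    missing = MANDATORY_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        findings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return findings

# Constructed documents; idp.example is a placeholder issuer.
ISSUER = "https://idp.example"
GOOD = {"issuer": ISSUER,
        "authorization_endpoint": ISSUER + "/authorize",
        "token_endpoint": ISSUER + "/token",
        "jwks_uri": ISSUER + "/keys",
        "response_types_supported": ["code", "id_token"],
        "scopes_supported": ["openid", "email", "profile", "groups"]}
BAD = {"issuer": "https://other.example",
       "authorization_endpoint": ISSUER + "/authorize",
       "token_endpoint": "http://idp.example/token",
       "response_types_supported": ["id_token"],
       "scopes_supported": ["openid", "email"]}
```

Calling check_discovery(BAD, ISSUER) lists every problem at once, and the prefix argument covers templates that place the document under a sub-path such as /oidc.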

OneLogin
When configuring OneLogin with OpenID Connect, the OneLogin app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to OneLogin, click on Administration on the page upper bar, select the Apps tab and click on Custom Connectors.

Please note that OpenID Connect enables service-provider-initiated (SP-initiated) SSO, but not identity-provider-initiated (IdP-initiated) SSO. When you provide a Login URL, OneLogin mimics an IdP-initiated SSO experience: the user is taken to the app’s login page, where the SP-initiated authentication flow begins. Refer to the OneLogin Knowledge Base for further info. When configuring the integration with Docebo, type the pure platform URL (https://[platformname].docebosaas.com) in the Login URL field in OneLogin, and set the SSO behavior to Automatic Redirect in the Docebo OpenID Connect configuration page.
Move to the Apps tab, select Add Apps and search for OpenID Connect in the search bar. Select OpenId Connect (OIDC) among the search results listed in the Find Application page. Either confirm or select your subscription plan and press Continue. Insert the App name and description. In the Configuration tab, copy and paste the Login URL from Docebo in the Login Url fields and the Code URL and the Logout URL in the Redirect URI’s section, as separate lines. Press Save to proceed.


{{url}}/oidc/.well-known/openid-configuration
Where url is the Identity Provider url, remove {{ }}
Define now the users allowed to use the app. Move to the Users tab and insert the user accounts that will be able to connect using this Identity Provider. The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Basic Auth and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article.
Salesforce
When configuring Salesforce with OpenID Connect, the Salesforce app does not need to be activated in your platform. Start the configuration from the Identity Provider. Login to Salesforce, click on Setup on the page upper bar. From the left-side menu, reach the Build section, select Create, and finally Apps. From the Apps page, move to the Connected Apps section, and click New to add Docebo as new application.


{{url}}/.well-known/openid-configuration
Where url is the Identity Provider url, remove {{ }}
The Docebo configuration on OneLogin is completed. Move back to Docebo, set the Auth Type value to Query String and click on Continue to proceed and activate the parameters of the second part of the configuration. Complete the configuration by following the instructions provided in the first part of this article. When users log in to the platform for the first time using Salesforce, they will be asked to confirm that Docebo can access their data before proceeding. Please note that if users do not allow Docebo to access their data, then they will not be able to log in.
Microsoft Azure AD
Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certification is valid). Connect to the Microsoft Azure AD web site as an Admin, and select Azure Active Directory on the left side panel of your dashboard to register the Docebo App, then App Registration from the sub-menu. Click New Application Registration from the top area of the App Registration page.



Microsoft Azure AD B2C
Start the configuration from the Identity Provider (if you are planning to use the integration with a custom domain, make sure your SSL certification is valid). Connect to the Microsoft Azure AD web site as an Admin. From the search bar in the top area of the All Services page, look for Azure AD B2C and select it from the search results. Once in the Azure AD B2C page, select Applications from the Manage menu. In the Azure AD B2C - Applications page, click Add to add Docebo. Start adding the Docebo app by typing the app name and by setting the options in the Web App / Web API section (Include web app / web API and Allow implicit flow) to Yes.
