Introduction
By activating the SAML app in Docebo, users can log into their learning platforms using credentials from active sessions of other web platforms. Docebo offers two types of configuration procedures for SAML integration, called Smart Configuration and Standard Configuration. This article goes through the differences between them so that you can understand which one suits you best.
Want to learn more about getting started with SAML Single SignOn? Have a look at the dedicated course, SAML Single SignOn, on Docebo U!
Smart configuration vs standard configuration
When configuring the integration between Docebo and SAML, you can either select the Smart Configuration or the Standard Configuration procedure.
Best practice: When an SSO integration and a custom domain, configured in Domain Management, are set up at the same time, it is strongly suggested that you configure the custom domain first, because the endpoint URLs needed for the SSO integration depend on the URL of the platform.
If you have configured the integration with SAML before February 25, 2020, you have gone through the Standard Configuration procedure, while the Smart Configuration procedure is the default option for those integrating after February 25, 2020.
Regardless of the configuration type currently selected in your platform, and of whether you have already configured the integration, you can re-configure it at any time.
Please note: If you reconfigure the integration, all of your settings will be lost, and you will have to start the configuration from scratch.
Here is a comparison between the two integration types:
| Feature | Smart Configuration | Standard Configuration |
|---|---|---|
Guided Procedure | Guided configuration for the major IdP vendors, easy to use even without a strong technical background. | Unguided but more flexible: adheres to the SAML standard protocol for advanced SSO scenarios and requires technical seniority.
x509 Certificate Validation | Automatic x509 certificate validation for the major IdP vendors upon certificate upload. | No automatic x509 certificate validation upon certificate upload. The integration operates in the standard way defined by the security specifications, and the user configuring the integration is responsible for validating the certificate.
PEM/CERT Certificate Validation | Automatic PEM/CERT certificate validation for the major IdP vendors upon certificate upload. | No automatic PEM/CERT certificate validation upon certificate upload. The integration operates in the standard way defined by the security specifications, and the user configuring the integration is responsible for validating the certificate.
Certificate Expiration Notification | The platform automatically sends out a notification before the expiration of the x509 and PEM/CERT certificates, as an automatic renewal reminder. Notifications have a standard, non-editable format, and are sent 30, 15, 5, and 1 day before the certificate expires. If the Extended Enterprise App is active in your platform, notifications are sent both to the main domain and to all sub-domains. | No notification is sent as a renewal reminder. The renewal process has to be executed manually by the person in charge of the integration.
Find out more
Find out more about:
- the Docebo SAML Integration with Smart configuration
- the Docebo SAML Integration with Standard configuration
Authentication flow
As of October 26, 2021, Docebo has implemented a short-lived token in order to provide better security:
Previous authentication flow
Before October 26, 2021, the Docebo platform would send a request to the Identity Provider (IdP) and receive a persistent access token.
Each SSO has a slightly different process, but all of them return a link to Docebo with the access token in the URL:
https://mylms.docebosaas.com/learn/home;type=oauth2_response;reenter_cc=0;access_token=9b8de7ed2af145dee78aa4282bf1d3b17baf02cd;expires_in=3600;token_type=Bearer;scope=api
Short-lived token authentication flow
The updated authentication flow provides added security: the single-use, short-lived token provided by the IdP is exchanged for an internally used access token, instead of the access token itself being passed in the URL:
Each SSO has a slightly different process, but all of them return a link to Docebo with the short-lived token in the URL. The short-lived token is a single-use token with a lifespan of 30 seconds that can be exchanged for real credentials:
https://mylms.docebosaas.com/learn/signin;type=token_exchange;exchange_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSU
Docebo then exchanges it for the real access token automatically and internally, using POST calls. This increases security but does not change the overall behavior of the SSO.
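The following is an added example, not Docebo's code, that models the two flows described above from the platform's side. It parses the `;key=value` matrix parameters Docebo puts in the redirect path, tells a redirect carrying a usable `access_token` (previous flow) apart from one carrying only an `exchange_token` (short-lived flow), and implements a hypothetical server-side exchange step that enforces the two properties the article states: the token is single-use and lives for 30 seconds. The `ExchangeTokenService` class, its status strings and the fake clock are assumptions made for the example; Docebo's real exchange endpoint is not on the page.

```python
import secrets
import time
from urllib.parse import urlsplit

EXCHANGE_TOKEN_TTL_SECONDS = 30  # lifespan of the short-lived token stated in the article


def parse_matrix_params(url):
    """Return the ';key=value' matrix parameters carried in the URL path.

    The Docebo redirect places them in the path, not in the query string,
    so urlsplit().path still contains them and we split on ';' ourselves.
    """
    path = urlsplit(url).path
    params = {}
    for segment in path.split(";")[1:]:
        key, _, value = segment.partition("=")
        if key:
            params[key] = value
    return params


def classify_redirect(url):
    """Distinguish the previous flow (access token directly in the URL) from
    the short-lived flow (only an exchange token in the URL)."""
    params = parse_matrix_params(url)
    if params.get("type") == "token_exchange" and "exchange_token" in params:
        return "exchange_token"
    if params.get("type") == "oauth2_response" and "access_token" in params:
        return "persistent_access_token"
    return "unknown"


class ExchangeTokenService:
    """Hypothetical server-side store modelling the token_exchange step.

    A pending token is removed the moment it is looked up (single use) and is
    refused if more than `ttl` seconds have passed since it was issued.
    """

    def __init__(self, ttl=EXCHANGE_TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}   # exchange_token -> (user_id, issued_at)
        self._ttl = ttl
        self._clock = clock  # injectable so the behaviour can be tested deterministically

    def issue(self, user_id):
        """Mint the short-lived token that would be placed in the redirect URL."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user_id, self._clock())
        return token

    def exchange(self, token):
        """Handle the internal POST exchange; returns (credentials, status)."""
        entry = self._pending.pop(token, None)  # pop => a replayed token is gone
        if entry is None:
            return None, "unknown-or-used"
        user_id, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return None, "expired"
        # The real access token never appears in a URL; it is only returned here.
        return {"user_id": user_id, "access_token": secrets.token_urlsafe(32)}, "ok"


def complete_signin(url, service):
    """Platform-side handling of the /learn/signin redirect."""
    params = parse_matrix_params(url)
    if params.get("type") != "token_exchange":
        return None, "not-a-token-exchange-redirect"
    return service.exchange(params.get("exchange_token", ""))


def demo():
    """Walk through a first exchange, a replay, and a stale token (constructed data)."""
    clock = [1_700_000_000.0]  # constructed fake clock for a deterministic run
    service = ExchangeTokenService(clock=lambda: clock[0])
    token = service.issue("user-42")
    url = f"https://mylms.docebosaas.com/learn/signin;type=token_exchange;exchange_token={token}"
    first = complete_signin(url, service)[1]   # first use succeeds
    replay = complete_signin(url, service)[1]  # same URL a second time is refused
    stale = service.issue("user-43")
    clock[0] += EXCHANGE_TOKEN_TTL_SECONDS + 1  # 31 seconds later
    late = service.exchange(stale)[1]          # outside the 30-second lifespan
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three outcomes of `demo()`: the first exchange succeeds, the replay of the same URL fails because the token was consumed, and the token presented after 31 seconds fails as expired. The `classify_redirect` helper makes the contrast with the previous flow explicit: a URL of the `oauth2_response` form carries the access token itself, so anything that records the URL (browser history, proxy or server logs) records a usable credential, whereas a `token_exchange` URL only carries a value that is worthless after one use or 30 seconds.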