Introduction
By activating the SAML app in Docebo, users can log into their learning platforms using credentials from active sessions of other web platforms. This article will give you an example of configuring OneLogin as an Identity Provider using SAML.
In order to prepare for this integration, make sure you have the SAML app installed on your platform.
Configuring OneLogin with SAML
To configure OneLogin for the main Single Sign On capability on your platform, click on the gear icon to access the Admin Menu and locate SAML, then click on Manage.
Once there, scroll down to the SAML 2.0 SP Metadata DOWNLOAD button. Click to download the metadata file.
Open the file and find the AssertionConsumerService entry whose Binding is HTTP-POST (index 0), as shown in the following example file:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://academy70.docebosaas.com/lms/index.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>tech24@docebo.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
The URI in the entry will be used in the next steps. For example (replacing [YOURPLATFORMNAME] with the name of your platform):
https://[YOURPLATFORMNAME].docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp
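Rather than hand-copying the URL out of a metadata file whose attribute values may have been line-wrapped by an editor, you can read it out of the file programmatically. The following is an added example, not code from Docebo or OneLogin: it parses a trimmed, constructed copy of the SP metadata shape shown above (using the placeholder platform name), returns the entityID together with every AssertionConsumerService Location keyed by its Binding URN, and runs a few sanity checks on the HTTP-POST URL before it is pasted into the Identity Provider: no stray whitespace from wrapping, an https scheme, and a host that matches the entityID host, so the assertion consumer you register really is your own platform.

```python
"""Extract the AssertionConsumerService (ACS) URL from Docebo's SP metadata.

Added example: parses a metadata file of the shape shown in the article and
pulls the HTTP-POST ACS Location, so the value pasted into OneLogin is the
exact one the platform published rather than a hand-copied, wrapped version.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed copy of the SP metadata shape from the article,
# with the placeholder platform name. Not a real metadata file.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://YOURPLATFORMNAME.docebosaas.com/lms/index.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://YOURPLATFORMNAME.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://YOURPLATFORMNAME.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_endpoints(metadata_xml: str) -> dict:
    """Return the entityID and every ACS Location keyed by its Binding URN."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs_by_binding = {
        svc.get("Binding"): svc.get("Location")
        for svc in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    }
    return {
        "entity_id": root.get("entityID"),
        "acs_post": acs_by_binding.get(HTTP_POST),  # the URL the article asks for
        "acs_by_binding": acs_by_binding,
    }


def acs_problems(acs_url, entity_id: str) -> list:
    """Sanity checks on the URL before it is pasted into the IdP configuration."""
    if acs_url is None:
        return ["no HTTP-POST AssertionConsumerService in the metadata"]
    problems = []
    if any(ch.isspace() for ch in acs_url):
        problems.append("URL contains whitespace (copied from a line-wrapped file?)")
    acs, ent = urlsplit(acs_url), urlsplit(entity_id)
    if acs.scheme != "https":
        problems.append("ACS endpoint is not https")
    if acs.netloc != ent.netloc:
        problems.append("ACS host differs from the entityID host")
    return problems


if __name__ == "__main__":
    info = sp_endpoints(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"])
    print("HTTP-POST ACS:", info["acs_post"])
    print("problems:", acs_problems(info["acs_post"], info["entity_id"]) or "none")
```

Run it against the metadata file you downloaded by replacing the constructed sample with the file's contents; the same function also exposes the other bindings, which is useful when an Identity Provider asks for the Artifact or SAML 1.x endpoints instead.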
Next, log in to your OneLogin account as an administrator. Once there, install the Docebo or Docebo Multi-Domain application from the OneLogin App library: navigate to the Applications tab in your administrator menu and click the Add App button. Search for Docebo and select the appropriate app, either Docebo or Docebo Multi Domain.
Configuring the Docebo App in OneLogin
Select the name you would like the app to be known as in your OneLogin Portal. You can choose if you wish for the application to be visible in your portal and, if you so choose, also select a different icon from the default. Next, enter the description, then click Save.
Your screen will change slightly and new tabs will appear to the left. Click on the Configuration tab to continue.
In the Docebo Subdomain text box, enter your platform name, which is the first part of your platform address:
[YOURPLATFORMNAME].docebosaas.com
Next, click on the Parameters tab to configure the user fields you will use in the integration. Click on the plus button to add a new parameter. Pay close attention to spelling and capitalization as you make sure you match them exactly to your SAML configuration in Docebo.
Click on the Rules tab and add any rules that may need to be applied, then move on to the SSO tab.
In this tab, you can gather the necessary information to fill in the Identity Provider ID information into Docebo SAML settings.
Open the View Details link under the X.509 Certificate selection in a new tab (Note: Do not open it via a simple left-button click as you will lose your current configuration). In the new tab, change the SHA fingerprint to SHA256 by clicking on the drop-down menu.
Next, download the X.509 certificate using the Download button and close this tab, returning you back to the SSO tab. The certificate you have downloaded will be uploaded into the SAML Configuration in Docebo.
In the Access tab, you can set any access policies you require, then move on to the Users tab where you can assign which users will have access to the Docebo platform.
Then move on to the Privileges tab to set any specific privileges you might require.
Once you have completed these steps, press the Save button. Then press the More Actions drop-down menu next to the disabled Save button. Select SAML Metadata to download the OneLogin Metadata XML file needed for the Docebo platform. Complete the SAML setup within Docebo.
Configuring the Docebo Multi-Domain App In OneLogin
Next, you will need to install the Docebo Multi-Domain application from the OneLogin App library.
Log in to OneLogin as an administrator and navigate to Applications in your administrator menu. Search for Docebo, select the Docebo Multi Domain app, and install the OneLogin SSO integration for a multi-domain instance of Docebo.
Move to your Docebo platform, access the Admin Menu and select Manage under Extended Enterprise. Locate the gears icon in the row of the domain you are setting up Single Sign On for.
Then, navigate to the SAML 2.0 Settings section. Select Enable custom settings for this client to activate it, and then scroll down to and click the SAML 2.0 SP Metadata download button to download the metadata file for this multi-domain instance.
This will be an incomplete metadata file at this time but will have the information you need to complete the configuration within OneLogin. Here is an example of the metadata file:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp-2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp-2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp-2" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp-2/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>tech24@docebo.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
Docebo Multi Domain
Select whether you would like the app to be visible in the OneLogin Portal. Choose the icon that is appropriate. Write a description.
You can select a self-service option and write a brief description for your app catalog in OneLogin as well. Save. Once saved, you have access to the configuration, parameters, rules, SSO, access, users, and privileges menus.
Under Configuration, fill in the following fields:
- Application Details: This information is retrieved from your SP Metadata file.
- Docebo Consumer URL: Enter the complete Consumer URL from your SAML metadata file.
Example URL:
https://YOURPLATFORMNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2
- Audience: Enter the Audience URL from your SAML metadata file.
Example URL:
https://YOURPLATFORMNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2
- Parameters: This section allows you to choose which user fields you will use for assertions in the integration. When configuring the parameters, pay particular attention to the spelling of any fields you enter or use and make sure you match them exactly in the SAML configuration in Docebo. These parameters are case sensitive.
Please Note! “email” does not equal “Email” when naming an attribute.
- Rules: Enter any rules that need to be applied to this app.
- SSO: In this section, you can gather the necessary information to complete the Identity Provider ID information in the Docebo SAML settings. Copy the URL from the Issuer URL field and place that into the Identity Provider ID field in Docebo SAML settings.
Example URL:
https://app.onelogin.com/saml/metadata/1ea1b785-efef-4d5c-b6ed-080856490828
OneLogin will provide the necessary certificate for securing this integration. Click on the More Details section of the certificate, and on the subsequent page, select the SHA256 setting from the Fingerprint dropdown menu. Then download the x.509 PEM file. This will be uploaded to Docebo in the SAML settings.
- Access: Set any access policies you need in this section.
- Users: In this section, you can assign your users who need access to your Docebo platform.
- Privileges: Set any appropriate privileges in this section.
Once complete, navigate to the More Actions drop-down button in the upper right and select XML MetaData. Download and open the file. Select all and copy the file data, then paste it into the XML Metadata section of the SAML settings within Docebo.
Now you should have three items ready to use to complete your SAML setup in Docebo:
- The Issuer URL you copied
- The x.509 certificate file
- XML metadata
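Before testing the login, it is worth confirming that the three items agree with one another: the Issuer URL you copied should be the entityID in the OneLogin metadata XML, the x.509 PEM you downloaded should be the signing certificate embedded in that metadata, and its SHA256 fingerprint should match the one shown on the OneLogin certificate page. The following pre-flight check is an added example, not code from Docebo or OneLogin. It uses a constructed byte string in place of a real certificate (the checks only compare and hash bytes), the Issuer URL example from the article as the entityID, and a constructed Identity Provider metadata document in the standard SAML 2.0 metadata shape (KeyDescriptor/KeyInfo/X509Data/X509Certificate).

```python
"""Pre-flight check of the three OneLogin items before testing the SAML login.

Added example: confirms that the copied Issuer URL is the entityID in the IdP
metadata XML, that the downloaded x.509 PEM is the signing certificate embedded
in that metadata, and that its SHA256 fingerprint matches the displayed value.
All sample inputs are constructed; none is real OneLogin data.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the DER bytes of a certificate. Not a real certificate:
# the checks below only compare and hash bytes, so any byte string exercises them.
SAMPLE_DER = bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)
# Issuer URL example from the article, used here as the IdP entityID.
ISSUER_URL = "https://app.onelogin.com/saml/metadata/1ea1b785-efef-4d5c-b6ed-080856490828"
# Constructed IdP metadata in the standard SAML 2.0 shape (KeyDescriptor/X509Certificate).
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="{ISSUER_URL}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_fingerprint(der: bytes) -> str:
    """SHA256 fingerprint in the colon-separated, upper-case form OneLogin displays."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(shown: str) -> str:
    """Accept a fingerprint as displayed (colons, spaces, any case) for comparison."""
    return shown.replace(":", "").replace(" ", "").upper()


def idp_signing_certs(metadata_xml: str) -> dict:
    """Return the IdP entityID and the DER bytes of each signing certificate."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return {"entity_id": root.get("entityID"), "signing_certs": certs}


def preflight(issuer_url: str, pem: str, metadata_xml: str, shown_fingerprint: str) -> dict:
    """Cross-check the three items against each other; every value should be True."""
    idp = idp_signing_certs(metadata_xml)
    der = pem_to_der(pem)
    return {
        "issuer_matches_metadata": issuer_url == idp["entity_id"],
        "pem_is_metadata_signing_cert": der in idp["signing_certs"],
        "pem_fingerprint_matches_display":
            normalize_fingerprint(der_fingerprint(der)) == normalize_fingerprint(shown_fingerprint),
    }


if __name__ == "__main__":
    shown = der_fingerprint(SAMPLE_DER)  # stands in for the value read off the OneLogin page
    for check, ok in preflight(ISSUER_URL, SAMPLE_PEM, SAMPLE_IDP_METADATA, shown).items():
        print(f"{check}: {'OK' if ok else 'MISMATCH'}")
```

A mismatch on the first check means the Identity Provider ID you are about to paste into Docebo is not the issuer that will appear in the assertions; a mismatch on the second or third means the certificate you downloaded is not the one the Identity Provider will sign with, which is the usual cause of a signature-validation failure at first login.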
You should now be able to test this SAML integration. A good practice is to use a tool such as SAML-tracer to see the SAML statements that are being passed for troubleshooting.