Aller au contenu principal

Docebo Help

How can we help?

Docebo for Auth0

Last Updated
Docebo Module
  • Integrations
Reading Time
User Level
  • Administrators

Introduction

Your platform can integrate with Auth0, a multi-layer Identity Provider. With this integration, you can allow users to log into their Docebo platforms using credentials from active sessions of other web platforms. This integration can be used with subdomains, for those using Docebo’s Extended Enterprise app.

Please Note: Custom domains are not supported by Docebo for Auth0 authentication.

Activating the App in Docebo

Activate the Auth0 app as described in the Managing Apps & Features article of the Knowledge Base. The app is listed in the Single Sign On tab.

Once it’s activated, you can begin the configuration. Please refer to the section below to learn more.

Configuring the Integration in Auth0

Begin by logging into your Auth0 account, then press the New Application button in your Dashboard. In the pop-up box, add your app’s name, then choose the client type. For this integration, the client type does not matter. Refer to the Auth0 documentation (link opens in a new window) for more information about client types. Press Create when finished.

Once created, move to the Settings tab. Here, you need to pick up the Domain, Client ID, and Client Secret fields that were automatically generated. Click on the Review Client Secret button to the right of the Client Secret field. These three fields need to be inserted into the corresponding fields in the Settings page for Auth0 in your platform.

Auth0 config

Then, you need to insert the URL of your platform in your Allowed Callback URLs field as well as in the Allowed Web Origins field. For the Allowed Callback URLs field, you need to insert some information after your platform URL, it should look like this:

https://mylmsurl.docebosaas.com/learn/auth0/callback

If you activated Auth0 for your Mobile App, when rebranding your app with the Docebo Branded Mobile App Publisher, remember to set the Package Name (for Android) and the Bundle ID (for IOS) in the Allowed Callback URLs field. The callback URLs for mobile rebranded apps should look like this:

com.yourcompany.yourapp

Next, scroll down and press the Show Advanced Settings item in the Settings tab for the client in Auth0. In the Advanced Settings area, select the Certificates tab, then copy all of the text from the Signing Certificate field and paste it into the corresponding field on the Settings page for Auth0 in your platform. You can also download the certificate for reference, if needed, but it is not mandatory. The rest of the configuration now takes place directly in your platform.

Configuring the App in Docebo

Access the Admin Menu from the gear icon in the header, find the Auth0 section in the menu, then press the Manage subitem. On this page, insert the Domain, Client ID, Client Secret, and Signing Certificate that you retrieved directly from Auth0.

Auth0 Configuration

Then, select the username attribute from Auth0 that will be used to match the user to a user profile in Docebo. Simply type in the attribute (i.e. Username, email address, unique user field) into the corresponding text box.

If you do not want to configure the SSO behavior, logout behavior, or user provisioning, press Save Changes. Refer to the sections below if you want to configure any of these sections.

SSO Behavior

To configure the SSO behavior, you can flag between two different options. Choose whether you want to show the standard platform login page, or if you want to automatically redirect to the Identity Provider. If you flag the first option, you can then flag whether you want to show the SSO button on your platform’s login page.

Auth0 SSO

If you flag the option for an Automatic redirect to Identity Provider, you can set a specific logout landing page when your users log out of the platform instead of keeping the standard logout page. Use the text box to type in the URL of the logout landing page.

Logout Behavior

In the Logout Behavior section, you can flag the option for the user to automatically be logged out of the Identity Provider when he or she logs out of the platform.

Auth0 Logout

When this option is selected, you have to place the URL of your platform on the allow list in Auth0, or your users will not be allowed to log out. The platform URL must be declared in two areas of your Auth0 account, so log into your Auth0 account and perform the following actions:

  • Click on Applications in the left menu, find your Docebo application in the list and click on the gear icon in the application row to access the Settings page. Move to the Allowed Logout URLs section and type the URL of your platform followed by /auth0. For example:
    https://myplatform.docebosaas.com/auth0
  • Next, move to your profile menu by clicking on your avatar in the top right corner, and select Settings. Move to the Advanced tab and type your platform URL in the Allowed Logout URLs section. For example:
    https://myplatform.docebosaas.com

When using the Custom Domain app, enter both the URL of your custom domain and the docebosaas URL.

User Provisioning

DISCLAIMER: In order to properly perform user provisioning for this integration, you must first create rules in Auth0 in order to expose the Auth0 users’ claims so that Docebo can use this data to configure the user provisioning. Please refer to the Auth0 official documentation to learn more (link opens in a new window).

Once you've created the proper rules, you can configure the user provisioning in your platform. Please also note that when you create a new client in Auth0, the client is created as OIDC Conformant. Docebo does not work with OIDC Conformant clients, as it uses the legacy Auth0 pipeline. Please disable this setting in your Auth0 Admin account:

Auth0 OIDC

In your platform, it allows you to instantly create a user who is present in your Identity Provider but is not yet present in the platform database. Begin by flagging the Enable option. You can also flag the option to lock provisioned user fields, meaning that users cannot edit details in their user profiles that have been created via Auth0. When editing the user profile, the options will be greyed out.

If you have users that already exist in both databases, you should flag the option to update the user information for the existing users. Please note that not flagging these options result in needing to manually register (enable option) or update your users (update information) in the platform.

Auth0 user provisioning

Now, you need to specify which additional fields you want to associate between your Identity Provider and Docebo, then match the names of the fields in Docebo with the name of the fields in the Identity Provider (attribute statement). Please note that each field must be unique, meaning that you cannot apply the same claim to multiple fields.