Introduction
By activating the SAML app in Docebo, users can log into their learning platforms using credentials from active sessions of other web platforms. This article gives an example of configuring OneLogin as an Identity Provider using SAML.
In order to prepare for this integration, you should make sure you have the SAML Single Sign On application installed on your platform. Please see this article for instructions.
Configuring OneLogin with SAML
To configure OneLogin for the main Single Sign On capability on your platform, click on the gears icon to access the admin screen and locate SAML, then click on Manage.
Once there, scroll down to the SAML 2.0 SP Metadata DOWNLOAD button. Click to download the metadata file.
Open the file and search for the AssertionConsumerService Binding entry - as highlighted in the example file shown here:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://academy70.docebosaas.com/lms/index.php">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://academy70.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>tech24@docebo.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
The URI located there will be used in the next steps. For example (replacing [YOURLMSNAME] with the name of your platform):
https://[YOURLMSNAME].docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp
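Instead of searching the file by eye, the endpoint can be read out of the metadata programmatically. The following is an added example, not code from Docebo or OneLogin: it extracts the entityID and the SAML 2.0 HTTP-POST AssertionConsumerService URL and rejects a non-HTTPS or off-host endpoint. The function name and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the SP metadata above; YOURLMSNAME is a placeholder.
# For XML from untrusted sources, use a hardened parser such as defusedxml instead.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://YOURLMSNAME.docebosaas.com/lms/index.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://YOURLMSNAME.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://YOURLMSNAME.docebosaas.com/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_endpoints(metadata_xml):
    """Return (entityID, SAML 2.0 HTTP-POST ACS URL) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    candidates = [
        acs for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
        if acs.get("Binding") == HTTP_POST
    ]
    if not candidates:
        raise ValueError("no SAML 2.0 HTTP-POST AssertionConsumerService in metadata")
    # Lowest index first, the usual choice when no endpoint is flagged as default.
    acs = min(candidates, key=lambda e: int(e.get("index", "0")))
    # Remove whitespace left behind by line-wrapped attribute values.
    location = "".join(acs.get("Location", "").split())
    acs_url, entity = urlparse(location), urlparse(entity_id or "")
    if acs_url.scheme != "https":
        raise ValueError("ACS URL must use https: " + location)
    if acs_url.hostname != entity.hostname:
        raise ValueError("ACS host differs from entityID host")
    return entity_id, location

if __name__ == "__main__":
    print(sp_endpoints(SAMPLE_METADATA))
```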
Next, log in to your OneLogin account as an admin. Once there, you will need to install the Docebo or Docebo Multi-Domain application from the OneLogin App library by navigating to the Applications tab in your administrator menu and clicking on the Add App button. Search for Docebo and select the appropriate app: either Docebo or Docebo Multi Domain.
Configuring the Docebo App in OneLogin
Select the name you would like the app to be known as in your OneLogin Portal. You can choose if you wish for the application to be visible in your portal and, if you so choose, also select a different icon from the default. Next, enter the description, then click Save.
Your screen will change slightly and new tabs will appear to the left. Click on the Configuration tab to continue.
In the Docebo Subdomain text box, enter your LMS name which is the first part of your LMS address:
[YOURLMSNAME].docebosaas.com
Next, click on the Parameters tab. Here you can configure the user fields you will use in the integration. Click on the blue plus button to add a new parameter. Pay close attention to spelling and capitalization, and make sure the parameters match your SAML configuration in Docebo exactly.
Next, click on the Rules tab and add any rules which may need to be applied, then move on to the SSO tab.
In this tab you can gather the information needed to fill in the Identity Provider ID information in the Docebo SAML settings.
Open the View Details link under the X.509 Certificate selection in a new tab (Note: Do not open it via a simple left-button click as you will lose your current configuration). In the new tab you can then change the SHA fingerprint to SHA256 by clicking on the drop-down menu. Next, download the X.509 certificate using the Download button and close this tab, returning you back to the SSO tab. The certificate you have downloaded will be uploaded into the SAML Configuration in Docebo.
In the Access tab, you can set any access policies you require, then move on to the Users tab where you can assign which users will have access to the Docebo platform.
Then move on to the Privileges tab to set any specific privileges you might require.
Once you have completed these steps, press the Save button. Then press the More Actions drop-down menu next to the greyed out Save button. Select SAML Metadata to download the OneLogin Metadata XML file needed for the Docebo platform.
Refer to this article to complete the SAML setup within Docebo.
Configuring the Docebo Multi-Domain App In OneLogin
Next, you will need to install the Docebo Multi-Domain application from the OneLogin App library.
Log in to OneLogin as an administrator and navigate to Applications in your administrator menu. Search for Docebo, select the Docebo Multi Domain app and install the OneLogin SSO integration for a multi-domain instance of Docebo.
Next, navigate to the Admin section and select Manage under Multi-Domain. Locate the admin gear icon in the appropriate row for the multi-domain you are setting up Single Sign On for.
Then, navigate to the SAML 2.0 Settings section. Select Enable custom settings for this client to activate it, and then scroll down to and click the SAML 2.0 SP Metadata download button to download the metadata file for this multi-domain instance.
This will be an incomplete metadata file at this time, but will have the information you will need to complete the configuration within OneLogin. Here is an example of the metadata file:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp-2"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-logout.php/default-sp-2"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2" index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp-2" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2" index="2"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml1-acs.php/default-sp-2/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>tech24@docebo.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
Docebo Multi Domain
Select whether you would like the app to be visible in the OneLogin Portal. Choose the icon that is appropriate. Write a description.
You can select a self-service option here and write a brief description for your app catalog in OneLogin as well. Save. Once saved, you have access to the configuration, parameters, rules, SSO, access, users and privileges menus.
Under Configuration, you will need to fill in the following fields:
Application Details
This information is retrieved from your SP Metadata file.
Docebo Consumer URL
Enter the complete Consumer URL from your SAML metadata file.
Example URL:
https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2
Audience
Enter the Audience URL from your SAML metadata file.
Example URL:
https://YOURLMSNAME.docebosaas.com/DOMAINNAME/lms/index.php?r=SimpleSamlApp/SimpleSamlApp/modules/saml/sp/saml2-acs.php/default-sp-2
Parameters
This section allows you to choose which user fields you will use for assertions in the integration. When configuring the parameters, pay particular attention to the spelling of any fields you enter or use and make sure you match them exactly in the SAML configuration in Docebo. These parameters are case sensitive.
Please note: “email” does not equal “Email” when noting an attribute.
Rules
Enter any rules that need to be applied to this app.
SSO
In this section you can gather the necessary information to complete the Identity Provider ID information in the Docebo SAML settings. Copy the URL from the Issuer URL field and place that into the Identity Provider ID field in Docebo SAML settings.
Example URL:
https://app.onelogin.com/saml/metadata/1ea1b785-efef-4d5c-b6ed-080856490828
OneLogin will provide the necessary certificate for securing this integration. Here you will need to click on the more details section of the certificate and, on the subsequent page, select the SHA256 setting from the fingerprint dropdown menu. Then download the x.509 PEM file. This will be uploaded to Docebo in the SAML settings.
Access
Set any access policies you need in this section.
Users
In this section you can assign your users who need access to your Docebo platform.
Privileges
Set any appropriate privileges in this section.
Once complete, navigate to the More Actions drop down button in the upper right and select XML MetaData. Download and open the file. Select all and copy the file data, then paste it into the XML Metadata section of the SAML settings within Docebo.
Now you should have three (3) items ready to use to complete your SAML setup in Docebo:
- Issuer URL copied somewhere
- The x.509 certificate file
- XML metadata
Refer to this article to complete the SAML setup within Docebo.
You should now be able to test this SAML integration. A good practice is to use a tool such as SAML-tracer to see the SAML statements that are being passed for troubleshooting.
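When a test login fails, the case-sensitive parameter names described under Parameters are a common thing to check in the assertion captured with SAML-tracer. The following is an added example, not code from Docebo or OneLogin: it compares the attribute names in a captured assertion with the field names expected on the Docebo side and flags names that differ only by case. The sample assertion and the expected names are constructed and hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement, as it might appear in a captured SAML response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical field names as entered in the Docebo SAML configuration.
EXPECTED_NAMES = ["email", "firstname", "lastname"]

def check_attribute_names(assertion_xml, expected_names):
    """Classify each expected name as ok, case_mismatch or missing."""
    root = ET.fromstring(assertion_xml)
    sent = [a.get("Name") for a in root.iter("{%s}Attribute" % SAML_NS) if a.get("Name")]
    # Index the names the IdP actually sent by their lower-cased form.
    by_lower = {}
    for name in sent:
        by_lower.setdefault(name.lower(), []).append(name)
    report = {}
    for want in expected_names:
        if want in sent:
            report[want] = ("ok", want)
        elif want.lower() in by_lower:
            # Same letters, different capitalization: "email" vs "Email".
            report[want] = ("case_mismatch", by_lower[want.lower()][0])
        else:
            report[want] = ("missing", None)
    return report

if __name__ == "__main__":
    for field, (status, sent_as) in check_attribute_names(SAMPLE_ASSERTION, EXPECTED_NAMES).items():
        print(field, status, sent_as)
```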