Before Starting - Docebo



Page 1: Before Starting - Docebo

Before Starting

● Make sure you have the SAML App Activated. You may need to reach out to a Docebo representative to add the APP to your instance.

● Confirm that you have a Superadmin account to access your Docebo LMS before proceeding.

● Confirm that you have Okta admin-level access.

● If you plan on creating users in Docebo via OKTA, create any user additional fields that will be populated from OKTA before proceeding.

● If you are using, or plan on using, a custom domain for your Docebo platform (any domain that does not contain “docebosaas.com”), this domain should be configured in Docebo, HTTPS secured, and reachable via a browser before proceeding.

Configuration Walkthrough

**Please note - This article uses screenshots from the OKTA “classic” UI. In order to follow along, you will want to view OKTA in the classic UI.

1. Log in to your OKTA portal and click on the “Admin” option. You will need OKTA administrator privileges.


2. Click “Applications”


3. Click “Add Application”


4. Click “Create New App”


5. Select “Web” for Platform Type and “SAML 2.0” for “Sign on method”. After making those selections, click the “Create” button.


6. Give your app a Name (required) and Logo (recommended) and configure the tile visibility behavior.


7. Open a new tab (keep the OKTA tab open) and Log in to Docebo. If you are using a custom domain for your Docebo platform, make sure you are logged in to the custom domain of your Docebo instance. So if your docebosaas.com url is “google.docebosaas.com”, but you have configured a custom domain of “training.google.com” for your Docebo platform, you should log in to “training.google.com” before proceeding.

8. Log into your Docebo platform with your Superadmin account and click the Gear Icon in the top right of the page and find the SAML app, then click “Settings”.


**Please note - If you are setting up SAML on a particular multidomain in Docebo, you must go to a different location to configure the SAML settings. Click the Gear Icon in the top right of the platform, locate the Multidomain app and click “Manage”, click the Gear Icon next to the Multidomain you are configuring, then click the “SAML 2.0 - Settings” tab on the next page.


9. After navigating to the SAML settings in Docebo, scroll to the bottom of the page and click “Download” next to “SAML 2.0 SP Metadata”.


10. Retrieve the ACS URL from the downloaded metadata. In the previous step, you downloaded the Docebo Service Provider Metadata. Find that file and open it with a text editor (Notepad, Sublime Text, etc.). Look for the 1st XML tag labeled “md:AssertionConsumerService”. The Location for this tag should be a URL; copy this URL to your clipboard (do not include the quotation marks). Below is a screenshot example of the metadata in a text editor; the URL is highlighted. Please note that the URL in your metadata will be slightly different, as the URL references your specific Docebo URL/instance. If you are using a custom domain, make sure this link does not contain “docebosaas.com”. If it does, log out of the Docebo platform and log in to your custom domain URL before downloading the metadata.


11. Return to the OKTA tab. Paste the URL on your clipboard into the text box labeled “Single Sign On URL”. Check the box below that text box, “Use this for Recipient URL and Destination URL”.


12. Return to your metadata file in your text editor. On the 2nd line of the file there should be a declaration labeled “entityID”. Copy the URL that entityID is equal to (do not include the quotations). An example entityID is highlighted below:


13. Return to OKTA. Paste the EntityID from the previous step in the text box labeled “Audience URI (SP Entity ID)”. For the Name ID Format, choose “Transient” from the Dropdown. For the Application Username, choose “Okta username” from the Dropdown.

**Please note: This username will be overridden and configured later due to how OKTA sends the username attribute in the SAML response. If you want to use another attribute, you can do that in the next step.


14. In the Attribute Statements Section, this is where you must define the username, and also define what other attributes you send to Docebo. To use the OKTA username, configure this section per below. This section is NOT optional for the Docebo configuration, despite being marked as optional on the OKTA interface.


15. If you want to map additional attributes to Docebo from OKTA, or use a different field value for the Docebo username, you can add these attributes here as well. To locate these values in Okta, you can go to: Directory > People > Click on a user > Click the Profile Tab. The attributes will be in grey text below each attribute name. Below is an example of this page:


16. Here is how the First Name, Last Name, Middle Name, Department, and Email attributes would be mapped in Okta. Note that for user attributes, the attribute name should be preceded by “user.”; the same concept applies to any other user attributes you wish to map to Docebo:


17. Scroll down to the bottom of the screen and press “Next”. On the next screen, select the option “I am an Okta Customer adding an Internal App”. For App Type, select “This is an Internal App that we have created”. When complete, click “Finish”.


18. On the next screen, click “View Setup Instructions”.


19. Copy the value for “Identity Provider Issuer” to your clipboard.


20. Return to Docebo and navigate to the SAML settings. At the top of the page, check the box to mark the SAML configuration “Active” and paste the value on your clipboard into the “Identity Provider ID” field.


21. Return to OKTA and scroll down until you reach the section below. Copy all of this text to your clipboard (this is the identity provider metadata).


22. Return to Docebo and navigate to the SAML settings. Paste the Identity Provider Metadata into the “XML Metadata” field.


23. Locate the “Username Attribute” section in the Docebo SAML settings. Input the OKTA attribute name you would like to use as the Docebo username. It is important that this value exactly matches what is in OKTA, including capitalization.

**Hint - These attributes were configured in Step #15 above.


24. Locate the “Unique Field” section in the Docebo SAML settings. Select, “Username”. This will be the Docebo field value the OKTA attribute is compared to when a user logs in.

**Please note - There are edge cases where a different lookup value (Unique Field) may be advantageous. If your configuration necessitates a different lookup value than the Docebo username, you can change the lookup value here.


25. Scroll down to the “User Provisioning” section in the Docebo SAML settings. If you wish to allow OKTA to create users in Docebo when a user attempts to log into Docebo or clicks a tile from OKTA, select “Enable”. If you are creating users via some other method, and only wish to allow OKTA to sign users into Docebo, do not select “Enable”, and skip to Step #25.


If you wish to prevent the user from changing their field values that were populated through OKTA, select the option to “Lock provisioned user fields”, meaning that users cannot edit details in their user profiles that have been populated via SAML. If this setting is selected, the fields will be greyed out. As an alternative, you can mark additional user fields “Invisible to the User” when creating the additional field.

If you wish to map additional attributes from OKTA to the Docebo user profile, and you want these attributes to be updated with the current information from OKTA each time a user logs into Docebo, select “If user exists, update user information”. If you do not wish to update information on each user login, do not select “If user exists, update user information”.

**Hint - here are the values for the stock Docebo fields that can be mapped to through SAML:

● Username

● E-mail

● First Name

● Last Name

● Branch Name

● Branch Code

Click your mouse inside the input box under the “Add fields” text. Start typing the name of the field and the system will populate the field name. Click the field to select it, then click “ADD”; the field will now show up in the list. In the “Attribute Statement” input box for each field, input the corresponding OKTA attribute name (attribute names were configured in Step #15 above). You can also map an OKTA attribute to the Branch Name or Branch Code in Docebo, in order to automatically assign a user to a Branch at the moment they log in to Docebo.

**Please Note

● If you plan on mapping the user to a Branch, you should use Branch Name OR Branch code, do not use both.

● The system will not create a Branch using this function, you must create the Branches ahead of time.

● The Branch Name or Branch Code must match exactly the value being sent by OKTA for the user signing in. (As an example, if I had a Branch Name called “Sales”, and I mapped the “user.department” attribute in OKTA to the Docebo Branch Name, and a user signed in for whom OKTA sent a value of “Inside Sales” in the department field, the user would not be assigned to the “Sales” Branch, because the OKTA SAML assertion value does not match the Branch Name exactly. In this scenario, the user would still be created, but they would be created in the Root Branch, or the Root Multidomain branch if you are setting up SAML on a particular Multidomain.)
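The following is an added example, not Docebo's own code, that models the login-time behaviour described in Steps 23 to 25 and the branch notes above: the attribute named as the “Username Attribute” is looked up by exact, case-sensitive name in the assertion, compared against the chosen Unique Field, users are only created when provisioning is enabled, existing users are only refreshed when “If user exists, update user information” is on, and a Branch Name that does not match exactly sends the user to the root branch. The attribute names (“username”, “email”, “firstName”, “department”), the branch list and the users are constructed for the demo.

```python
# Added example, not Docebo's code: a small model of the SAML login-time logic in steps 23-25
# and of the branch-mapping notes. Attribute names are the ones typed into Okta's Attribute
# Statements; "username", "email", "firstName" and "department" are assumed here.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ROOT_BRANCH = "Root"


@dataclass
class DoceboUser:
    username: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    branch: str = ROOT_BRANCH


@dataclass
class SamlConfig:
    username_attribute: str                     # step 23: Okta attribute name, case-sensitive
    unique_field: str = "username"              # step 24: Docebo field the value is compared to
    provisioning: bool = False                  # step 25: "Enable" under User Provisioning
    update_existing: bool = False               # "If user exists, update user information"
    field_map: Dict[str, str] = field(default_factory=dict)  # Docebo field -> Okta attribute
    branch_attribute: Optional[str] = None      # Okta attribute mapped to Branch Name


class DoceboDirectory:
    def __init__(self, branches):
        self.branches = set(branches)           # SAML never creates branches; they must exist
        self.users: Dict[str, DoceboUser] = {}

    def handle_login(self, cfg: SamlConfig,
                     attributes: Dict[str, str]) -> Tuple[Optional[DoceboUser], str]:
        """attributes: name -> value as carried in the SAML AttributeStatement."""
        # Exact name match: an assertion carrying "Username" does not satisfy "username".
        ident = attributes.get(cfg.username_attribute)
        if ident is None:
            return None, "username attribute missing from assertion"
        existing = next((u for u in self.users.values()
                         if getattr(u, cfg.unique_field) == ident), None)
        if existing is not None:
            if cfg.update_existing:
                self._apply(existing, cfg, attributes)
            return existing, "signed in"
        if not cfg.provisioning:
            return None, "no matching user and provisioning disabled"
        user = DoceboUser(username=ident)
        self._apply(user, cfg, attributes)
        self.users[user.username] = user
        return user, "provisioned"

    def _apply(self, user: DoceboUser, cfg: SamlConfig, attributes: Dict[str, str]) -> None:
        for docebo_field, okta_attr in cfg.field_map.items():
            if okta_attr in attributes:
                setattr(user, docebo_field, attributes[okta_attr])
        if cfg.branch_attribute is not None:
            value = attributes.get(cfg.branch_attribute)
            # Exact match only: "Inside Sales" is not "Sales", so the user lands in Root.
            user.branch = value if value in self.branches else ROOT_BRANCH


if __name__ == "__main__":
    directory = DoceboDirectory(["Sales", "Engineering"])
    cfg = SamlConfig(username_attribute="username", provisioning=True,
                     field_map={"email": "email", "first_name": "firstName"},
                     branch_attribute="department")
    # Constructed assertion attributes for a demo user.
    user, status = directory.handle_login(cfg, {
        "username": "jdoe@example.com", "email": "jdoe@example.com",
        "firstName": "Jane", "department": "Inside Sales"})
    print(status, user)
```

The near-miss branch value is the case to watch in a rollout: the login succeeds and the account is created, so nothing looks broken, but the user silently lands in the root branch with whatever enrolment rules apply there.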


26. Service Provider Certificates are used to sign SAML requests; this is an optional configuration. If you enable this option, the system requires both a public certificate and a private key to be uploaded. Generating these certificates is a technical activity. If you do not want to upload Service Provider Certificates, skip to Step #27.

There are several ways to obtain public and private certs, including generating them on the command line using OpenSSL. If you have OpenSSL installed on your machine, the command below should generate a self-signed certificate and private key that are valid for 3 years (1095 days). There are also many resources available online for generating public and private certs.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1095 -out certificate.pem


27. Locate the “Signature Algorithm” section in the Docebo SAML settings. Select “SHA-256”.


28. Locate the “SSO Behavior” section in the Docebo SAML settings. If you wish to present a Docebo login screen with a button to initiate the authentication process with OKTA, select “Show standard login page” and “Show SSO button on login page”. If you do not wish to show the Docebo login page, and wish to redirect the user to Okta when they browse to your Docebo URL, select “Automatic redirect to identity provider”.

**Please note

● If some of your users do not exist in Okta, and are expected to be able to access the Docebo domain with Docebo credentials, it is advised that you do not select “Automatic redirect to identity provider”, since this will effectively prevent these users from using the system. In this scenario, you would want to show the SSO button on the login page, so Okta users can press the SSO button to sign in via OKTA (or click the tile in OKTA), and non-OKTA users can sign in with their Docebo credentials using our native login form on the sign in page. The multidomain application can also be used to configure a unique Sign in mechanism and behavior for different user types/audiences.


● It is recommended that you do not select the “Automatic redirect to identity provider” until you have verified that single sign on is functioning, since it is possible to lock yourself out of the system if you are not able to sign on via single sign on and a redirect is in place.


29. If you have selected the “Automatic redirect to identity provider” setting, you are able to specify a URL that the user will be directed to when they press “Sign Out” from the Docebo system. This is an optional setting, if nothing is inserted here, a generic logout screen will be shown to the user. This option is not available if you have selected “Show SSO button on the login page”.


30. Locate the “SSO Behavior” section in the Docebo SAML settings. If you wish for a user to be logged out of OKTA when the user clicks “Sign Out” from Docebo, select this option. If you do not wish to enable the Logout Behavior, skip to Step #41.

**Please note

● In order for the Logout function to work, OKTA requires that the logout request be signed by Docebo. In order for Docebo to sign requests, you must upload Service Provider Certificates (per Step #25 above)


31. If you enabled the Logout Behavior in the previous step, and you have generated and uploaded your Private and Public certs per Step #25 above, go to the SAML settings of your App in Okta and click “Show Advanced Settings”


32. Locate the “Enable Single Logout” setting and enable it.


33. Open the metadata file that you downloaded from Docebo in Step # 8 and look for the 1st XML tag labeled “md:SingleLogoutService”. The Location for this tag should be a URL; copy this URL to your clipboard (do not include the quotation marks). Below, the URL to be copied is highlighted; your URL will be slightly different, as the URL references your specific Docebo instance.


34. Return to Okta. Locate the “Single Logout URL” input field. Paste the link on your clipboard into the field.


35. Open the metadata file that you downloaded from Docebo in Step # 8. On the 2nd line of the file there should be a tag labeled “entityID”. Copy the URL that entityID is equal to (do not include the quotation marks). An example entityID is highlighted below:
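Steps 10, 12, 33 and 35 all copy values by hand out of the same SP metadata file. As an added example, not Docebo's or Okta's code, the script below pulls the three values (the entityID for the Audience URI and SP Issuer, the first AssertionConsumerService Location for the Single Sign On URL, and the first SingleLogoutService Location for the Single Logout URL) and applies the custom-domain check from Step 10: if any of the URLs still points at docebosaas.com while you are on a custom domain, the file was downloaded from the wrong hostname and should be fetched again. The sample metadata, its host and its paths are constructed placeholders; your file will carry your own instance URL.

```python
# Added example (not Docebo's or Okta's own code): extract the values that steps 10, 12, 33
# and 35 copy by hand from the Docebo SP metadata, and apply the custom-domain check of step 10.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace behind the "md:" prefix seen in the downloaded file.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata. Host and paths are placeholders, not real Docebo endpoints.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://training.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://training.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://training.example.com/saml/acs" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://training.example.com/saml/acs-artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_values(metadata_xml: str) -> dict:
    """Return entityID plus the first ACS and SLO Locations, with two sanity flags.

    find() returns the first match in document order, which is the "1st XML tag"
    the walkthrough tells you to copy.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    acs = root.find(".//md:AssertionConsumerService", NS)
    slo = root.find(".//md:SingleLogoutService", NS)
    values = {
        "entity_id": root.get("entityID"),  # step 12: Audience URI; step 35: SP Issuer
        "acs_url": acs.get("Location") if acs is not None else None,  # step 10: SSO URL
        "slo_url": slo.get("Location") if slo is not None else None,  # step 33: SLO URL
    }
    hosts = {urlparse(u).hostname for u in values.values() if u}
    # Step 10: on a custom domain none of the URLs may point at docebosaas.com.
    values["custom_domain"] = all("docebosaas.com" not in h for h in hosts)
    # All three should name the same host; a mix means the file was assembled from
    # two sessions (custom domain and docebosaas.com) and must be re-downloaded.
    values["consistent_host"] = len(hosts) == 1
    return values


if __name__ == "__main__":
    for key, value in extract_sp_values(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the file from Step 9 by reading it into a string and passing that to extract_sp_values instead of the constructed sample; a `custom_domain` of False on a custom-domain platform is the condition Step 10 tells you to fix by logging out and downloading the metadata again.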


36. Return to Okta. Locate the “SP Issuer” input field. Paste the link on your clipboard into the field.


37. Locate the “Signature Certificate” section. Browse to the public certificate that you generated in Step # 25 and select it, then press “Upload Certificate”. After the certificate is uploaded, scroll to the bottom of the page and click “Next”. On the next page, press “Finish”.


38. On the next page, click “View Setup Instructions”.


39. Scroll down to the bottom of the page and copy the IDP metadata to your clipboard.

**Please note - You already did this in Step # 21; however, the logout settings affect the metadata, so it must be reimported to Docebo to reflect the changes.


40. Return to Docebo and navigate to the SAML settings. Paste the Identity Provider Metadata into the “XML Metadata” field.


41. Locate the “SAVE CHANGES” button at the bottom of the Docebo SAML settings page. Press “SAVE CHANGES”.


42. Return to your App in OKTA and click the “Assignments” tab. Assign yourself or a test user to the Application by clicking the “Assign” button. After you have assigned a user to the App, you are ready to test Single Sign On.


Testing

1. If you did not enable user provisioning (the ability for OKTA to create users in Docebo) in Step # 24, you will need to create a user in Docebo with a username that matches what OKTA will send for the attribute you have designated as the “username attribute” in Step #22. If you want to double check what this value will be, go to OKTA, click “Directory”, Click “People”, Search for your test user and click that User, then Click the “Profile” Tab. This will show you the attribute values for the user. For instructions on creating a user in Docebo, refer to this knowledge base Article.


If you enabled user provisioning in Step #24, there is no need to create the user in Docebo prior to testing Single Sign On, so you can skip this step.


2. Return to Docebo. Click the Learner menu in the top left of the platform and press “Sign Out”.


3. Return to OKTA and click “Sign Out” in the top right of the page.


4. Open a new browser tab and navigate to the URL of your Docebo instance. If you are using a custom domain, navigate to your custom domain URL.


5. If you have enabled the “Automatic redirect to identity provider” setting in Step #28, you should be redirected to OKTA and presented with a login screen. Enter the user credentials of the user you assigned to the OKTA app in Step #41. After signing into OKTA, you should be redirected to Docebo and signed in to the Docebo platform.

If you have not enabled the “Show SSO button on the login page” setting in Step #27, on the Docebo login page, click the “Sign in with SAML SSO” button, which should redirect you to OKTA. After signing into OKTA, you should be redirected to Docebo and signed in to the Docebo platform.


If you are not mapping any additional attributes or Branch Mapping in Step # 24, and your sign on attempt above was successful, you can skip the rest of this Testing section and proceed to the Deployment section below.


6. If you mapped additional attributes in Step # 24, you should verify that the attributes populated on the Docebo User record when you signed into the platform through Single Sign on with OKTA. To verify, sign in to Docebo as a Superadmin. Click the Gear Icon in the top right of the page, then click “Users” near the top left of the page. Search for the Test User, hover your mouse over the user and click the Ellipses menu over on the far right hand side. In the pop up menu, click “Edit”.


7. In the slide-out menu, confirm that any stock Docebo fields you are mapping to have populated correctly (mappable stock fields are “Username”, “E-mail”, “First Name”, and “Last Name”).


8. Click the “Additional fields” tab at the top of the menu and verify that the Additional Fields you are mapping have populated correctly.


9. If you have mapped an attribute to the Docebo “Branch Name” or “Branch Code” in Step # 24, click the “Branches” Tab at the top of the menu and verify that the User has been assigned to the expected Branch.


Deployment

1. When you are ready to deploy your app to OKTA users, log into OKTA and click “Admin”.


2. Click “Applications”


3. Search for your Application and select it from the list


4. Click the “Assignments” tab


5. Click “Assign” and assign the app to the required users or groups.


Data Considerations

If you have enabled user provisioning, it is recommended that you do a data audit of the user field values in Okta that you will be mapping to Docebo to verify consistency. This is particularly relevant if you are using field values to construct groups in Docebo, or assigning users to a particular branch through the SAML app. In some cases, user data in OKTA must be cleaned up or normalized in order to ensure that Docebo can expect specific values for group and branch population.
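As an added example of the audit recommended above (not Docebo's or Okta's tooling), the script below takes a set of Okta profiles and the list of Docebo branches and reports, for the attribute that will be mapped to Branch Name, which values match a branch exactly, which would match only after a case or whitespace cleanup in Okta, which match no branch at all, and which users have no value set. The profiles, the attribute name “department” and the branch list are constructed for the demo; in practice you would export the profiles from Okta and read them in.

```python
# Added example, not Docebo's or Okta's tooling: audit the Okta attribute you intend to map to
# Branch Name before enabling provisioning. Profiles, attribute name and branches are constructed.
from collections import Counter
from typing import Dict, Iterable, List

SAMPLE_OKTA_PROFILES: List[Dict[str, str]] = [
    {"login": "jdoe@example.com", "department": "Sales"},
    {"login": "asmith@example.com", "department": "sales "},       # case/whitespace near miss
    {"login": "bchan@example.com", "department": "Inside Sales"},  # no such branch
    {"login": "dlee@example.com", "department": "Engineering"},
    {"login": "mruiz@example.com"},                                # attribute not populated
]
DOCEBO_BRANCHES = ["Sales", "Engineering"]


def normalize(value: str) -> str:
    """Collapse whitespace and case. Used only to spot near misses; Docebo itself matches exactly."""
    return " ".join(value.split()).casefold()


def audit_branch_values(profiles: Iterable[Dict[str, str]],
                        branches: Iterable[str], attribute: str) -> dict:
    """Classify every profile's value of `attribute` against the existing Docebo branches."""
    branch_set = set(branches)
    by_normalized = {normalize(b): b for b in branch_set}
    report = {
        "exact": Counter(),     # value -> number of users that will land in that branch
        "near_miss": {},        # value -> branch it would match once cleaned up, plus logins
        "unmatched": Counter(), # value -> number of users that will land in Root
        "missing": [],          # logins with no value at all (also land in Root)
    }
    for profile in profiles:
        value = profile.get(attribute)
        if not value:
            report["missing"].append(profile["login"])
        elif value in branch_set:                   # what Docebo will actually accept
            report["exact"][value] += 1
        elif normalize(value) in by_normalized:     # fixable by normalising data in Okta
            target = by_normalized[normalize(value)]
            entry = report["near_miss"].setdefault(value, {"branch": target, "logins": []})
            entry["logins"].append(profile["login"])
        else:
            report["unmatched"][value] += 1
    return report


if __name__ == "__main__":
    result = audit_branch_values(SAMPLE_OKTA_PROFILES, DOCEBO_BRANCHES, "department")
    for section, content in result.items():
        print(f"{section}: {dict(content) if isinstance(content, Counter) else content}")
```

Everything outside the `exact` bucket will be created in the root branch on first login, so the near-miss and unmatched lists are the cleanup work to do in Okta (or the branches to create in Docebo) before turning provisioning on.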
