SAML 2 + Extended Enterprise Configuration

  • 23 June 2022
  • 6 replies

Hi guys, I’m stuck in some issues trying to configure SAML authentication for Extended Enterprises. Message error from google is a 403: app not configured for user. Otherwise, configuration works for the main Enterprise. May someone help me? Is it possible to have multiple configurations (one for each extended enterprises and one for the main Enterprise) at the same time?

6 replies

Userlevel 7
Badge +7

@leoguedesf15 - YES the extended enterprise supports multiple SSO configurations.

I dont have any further troubleshooting for you, but yes to the multiple SSO configurations.

The Google documentation I found is for SAML + the main enterprise. However, an extended enterprise has some different points from the main (eg. the path after the domain: “”). It directly affects the entity ID configuration in Google Admin Console . I tried both URLs (with and without the path). Unfortunately, both tests failed. 


 A specific documentation for Extended Enterprise is enough for me. I found one at help.docebo but didn’t work.


Hello @leoguedesf15 
I just recently got my SAML extended enterprise configuration set up for our Azure IDP. I’m not sure what type of EE you’re using but we configured a subdomain of our original site but I think it would be similar to how it’s done with a new domain. 

I did notice in the Docebo documentation (atleast for Azure) the Identifier and Reply URL wasn’t the same as the XML metadata that is downloadable. 

The end of the URL is -2 (number) not sure if this is related to the amount of Domains you have in the EE, could be -3 if you got more subdomains. 


Reply URL:



Not sure if this is helping but I put some time in troubleshooting it so I thought I share.

Userlevel 2

@leoguedesf15 curious if you were able to find a solution to this, I am having the same issue trying to set up a Google SAML app for one our our extended enterprise clients. We have our main instance, for which we use these values:

ACS URL: https://{your-domain}

Entity ID: https://{your-domain}


But for an EE client with a custom domain, I’m not sure what to put here. We tried the client’s custom domain and it didn’t work. Any ideas?

I did the same step-by-step with another google organization account and it worked. Really don’t know why.


About these URLs, you’re gonna download any information from docebo (the xml metadata file they make available at docebo admin)

Yes, I can confirm that taking the AssertionConsumerService URL (ACS URL) from the metadata.xml that you can download in the SAML config screen of your client domain in Docebo and including the -n (number) is required to get SSO working for client domains. 

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0"/>