Skip to main content

Does anyone know whether Administrator impersonations of accounts in an SSO tenant actually goes out to the SSO application for validation?

I have a tenant in my EE environment that uses Okta for logins. We have a couple of accounts that are failing to get to the Docebo dashboards. We have the SAML configured correctly as other accounts are working.

When I try to impersonate the account of someone who fails, I can’t tell if the impersonation is supposed to call out to Okta. Does anyone know?

We have several sub domains using SSO and can impersonate the users without any issues...

@lrnlab Do you know if the authentication requests are actually hitting your SSO app? or is Docebo just authenticating you without using the SSO validation? My question is specifically about where the “traffic” goes. We’re seeing some odd behaviors in our logs and I’m trying to ascertain what the correct behavior is.

As far as I can tell there is no SSO call, either when impersonating and when stepping out of impersonation mode. Only when I log out (while impersonating) will it take me to their SSO login page (typically like Microsoft online). Or when I switch from the root domain to a sub domain that has SSO tuned ON, will it log me out to whatever the logout behaviour is for that domain…

Sounds like your issues may be related to the users themselves since you say it’w working for most…??

Thanks, @lrnlab . I did find the error.  Account was assigned to a branch that automatically loaded a “sorry you don’t have access” menu. So the error wasn’t SSO after all 😅

In digging further into both our Okta data and the Learn audit trail, I’m concluding that there isn’t an actual SAML/SSO call during impersonation.

Thanks for your help.

 

Reply


Terms & ConditionsCookie settings