Question

When setting up SAML SSO, do new accounts get created?

  • 17 June 2022
  • 5 replies
  • 114 views

Userlevel 4
Badge

We are starting Extended Enterprise for a client who wants SSO and plans on tying it to Azure. There are hundreds of existing users in their branch. My question: once we activate SSO for their instance of EE, will all of the users simply be updated? Or will a new set of users mirroring the existing set get created? Also, whichever way this works, why? 

As always, appreciate this community!


5 replies

Userlevel 7
Badge +4

@tommyVan  Hi!

You’ll need to define a field where the accounts are matched…like username. The contents of the field must be the same in both Docebo and AD.  Might need to do some data cleanup to make that happen.

2ndly you’ll need to define a field in Docebo and in AD that tells Docebo what branch the learner needs to go to.

3rdly, you’ll need to add new users to AD first, and then have them log in. Logging in is what will create their account in Docebo...hense the need for the field described above.

 

 

Regards

KM/Viasat

Userlevel 7
Badge +6

@tommyVan - good morning. What you and @KMallette are describing is something called just in time provisioning.

@KMallette is correct on all counts.

  1. clean up / choose your “trust” field
  2. choose what delineates what branch folks will be dropped in
  3. this is the only thing that where @KMallette is technically right? Get this - there can be another technology acting as an identity provider (IDP) for it. In your case? Azure will act as the IDP for Docebo. All good.
  4.  I would add an optional step 4 for your documentation….and if the organization is cool with it. It helps to map out these “topologies” (to know who is providing the identity) to understand where to troubleshoot because it is becoming a complex world today of “pass-through”. Your SSO config will be dependent on its IDP period…so you can also always just express - please go to your network admin for more detail…it’s just that you don’t want to handle customers to a dead end…
Userlevel 4
Badge

@dklinger @KMallette Thank you both! We will probably map to email. I’m guessing for telling docebo which branch to route users it’ll use a ‘contains’ formula like ‘email(contains:@example.org)’? 

Userlevel 4
Badge

@KMallette Two of the fields we want to come over from SAML are “Is a Manager” and “Direct Manager” as a lot of our Enrollment Rules and menu views (my teams) are driven by those fields. Up till now we have been using CSV to update this (and everything else), but with SSO we were hoping that we could have an Active Directory field manage this. It seems like Docebo doesn’t allow this specific type of field. Did you run into this?

Userlevel 7
Badge +4

@tommyVan Hi, Tommy … I don’t believe we tried, but it does kinda makes sense that those would not be included. Power users aren’t supported in just-in-time, either … kinda like these 3 are “advanced” account details.

Reply