Workstation – Docebo Integration
Brief Overview
Docebo is a cloud-based learning management system designed to help organizations manage, deliver, and track employee training and development programs.
By connecting this integration to Workstation, users will have access to a convenient homepage widget that displays all the courses they are enrolled in and need to complete.
Use Cases
My Courses Widget
Users can view and access the Docebo courses they're enrolled in from the My Courses widget on the Workstation homepage.
Search
Users can search and access courses from the Enterprise Search.
Security Overview
3rd-Party Access and Refresh Tokens
To activate the Enterprise Search (and the Personalized Workspace widgets), each employee is required to grant Workstation permission to access the 3rd party. The granting process uses the OAuth 2.0 protocol. Each time a new access token is granted to Workstation, the application encrypts the access and refresh tokens and stores them in a remote database.
The encryption process includes a unique private key (“salt”) that is generated for each individual at the very first bootstrap and stored in the local machine Keychain. The salt is irreplaceable and not restorable: losing it voids the access tokens. This security measure is taken to eliminate identity spoofing when accessing highly sensitive data.
See the diagram below to review the salt generation and storage flow.
Accessing 3rd-Party Content
Accessing 3rd-party content requires end-user consent and, in some cases (mostly with Microsoft products), consent from an organization admin. End users grant Workstation the necessary permission by approving an OAuth 2.0 consent screen that they trigger from the Workstation application (“Third-party apps”).
The third-party apps are approved and verified by the third-party products. At the end of the granting process, the third-party apps provide access and refresh tokens that the search engine uses to make its requests.
See the 3rd-Party Access and Refresh Tokens section above for more information about the storage mechanism.
During a search, the search engine forwards the request through the Token Injector before it reaches the Adopter Service. The Token Injector is a service that injects the relevant tokens needed to complete the request. The local private key is handed off with the search HTTPS request for runtime decryption.
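The storage and runtime-decryption flow described in the two sections above, as an added example that is not WalkMe's code. It assumes AES-256-GCM with the user ID bound as associated data (the page does not name the cipher or the binding), an in-memory Map standing in for the remote database, and the hypothetical function names `generateLocalKey`, `storeTokens` and `injectTokens`.

```javascript
const crypto = require('crypto');

// Assumption: AES-256-GCM; the page does not say which cipher Workstation uses.
const remoteDb = new Map(); // stand-in for the remote token database

// Generated once at first bootstrap. In the page's design this value (the "salt")
// lives only in the local machine Keychain and cannot be restored.
function generateLocalKey() {
  return crypto.randomBytes(32);
}

// Encrypt the token pair so the remote database only ever holds ciphertext.
function storeTokens(userId, localKey, tokens) {
  const iv = crypto.randomBytes(12); // fresh nonce for every stored record
  const cipher = crypto.createCipheriv('aes-256-gcm', localKey, iv);
  cipher.setAAD(Buffer.from(userId)); // assumption: bind the record to its owner
  const ct = Buffer.concat([cipher.update(JSON.stringify(tokens), 'utf8'), cipher.final()]);
  remoteDb.set(userId, { iv, ct, tag: cipher.getAuthTag() });
}

// Token Injector role: decrypt at request time with the key sent along with the request.
// Returns null when the key is lost or wrong, or the record belongs to another user.
function injectTokens(userId, localKey) {
  const rec = remoteDb.get(userId);
  if (!rec) return null;
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', localKey, rec.iv);
    decipher.setAAD(Buffer.from(userId));
    decipher.setAuthTag(rec.tag);
    const pt = Buffer.concat([decipher.update(rec.ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: the stored tokens are effectively voided
  }
}

// Constructed sample data, not real tokens.
const aliceKey = generateLocalKey();
storeTokens('alice', aliceKey, { access: 'sample-access-token', refresh: 'sample-refresh-token' });
console.log(injectTokens('alice', aliceKey));           // the token pair
console.log(injectTokens('alice', generateLocalKey())); // null: key lost or replaced
remoteDb.set('bob', remoteDb.get('alice'));             // record copied under another identity
console.log(injectTokens('bob', aliceKey));             // null: record is bound to alice
```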
JWT Protection
When an end-user initiates a search query – the WalkMe enterprise search starts a search flow that is being protected by a JWT assigned by WalkMe IdP integration, as part of the end-user signing flow:
The JWT proxies the user identity and keeps every HTTPS request secured and individual.
All Workstation requests are protected by JWT validation.
Grant Administration Consent to WalkMe for Docebo
- Navigate to your Docebo tenant with an admin user
- Click on the Admin button in the upper-right corner of the page
- Click the Manage button below API and SSO on the Apps & Features section
- Click the Add OAuth2 app button
- Populate the fields:
  - App name: workstation
  - App description: Used for the Workstation integration
  - Client ID: workstation-docebo-{{your organization name}}
  - Client Secret: no need to populate, just copy this value
  - Redirect URI:
- Click on Confirm
- Click the Edit button
- Click Show advanced settings and make sure that Grant types is Authorization code + implicit grant
- Navigate to the Workstation Integrations page in the WalkMe Console:
  - US Database: WalkMe Console
  - EU Database: WalkMe Console
- Find Docebo and click Setup
- Populate the fields:
  - Client ID
  - Secret ID
  - Domain
- Customize the following (Optional):
  - Display name
  - Logo URL
  - Homepage widget title
- Click Save and Enable
Connecting Docebo on Workstation
- Open Workstation by clicking the widget (on Windows) / the WalkMe icon (on the Mac Menu bar), or by hitting ctrl/cmd+shift+E
- Click the Settings icon on the bottom-left corner
- On the Integrations tab, click Connect on the Docebo card