Configure SAML for Use with AD FS

Configuring a Relying Party Trust in AD FS

To use Active Directory Federation Services (AD FS) as an identity provider (IdP) to authenticate Search API calls through SAML 2.0, you must first configure a Relying Party Trust in the AD FS Microsoft Management Console (MMC) snap-in:

  1. Open the AD FS 2.0 Management console.

  2. Expand the Trust Relationships node.

  3. Select Relying Party Trusts.

  4. In the panel on the right, click Add Relying Party Trust.

  5. In the wizard that opens, click Start.

  6. Select Enter data about the relying party manually, and then click Next.

  7. Enter an appropriate display name (e.g., Coveo Search API), and then click Next.

  8. Select AD FS 2.0 profile, and then click Next.

  9. Click Next to skip specifying a token encryption certificate.

  10. Check Enable support for the SAML 2.0 WebSSO protocol.

  11. Enter the Relying party SAML 2.0 SSO service URL.

    This URL must point to the Search API SAML authentication provider you will create once your IdP has been configured, and it must include the unique identifier of your Coveo organization in the query string (see Creating an Authentication Provider).

    Coveo Cloud V2 Relying party SAML 2.0 SSO service URL

    https://platform.cloud.coveo.com/rest/search/v2/login/mySAMLAuthenticationProvider?organizationId=mycoveoorganizationg8tp8wu3

    Coveo Cloud V1 Relying party SAML 2.0 SSO service URL

    https://cloudplatform.coveo.com/rest/search/login/mySAMLAuthenticationProvider?workgroup=mycoveoorganizationg8tp8wu3

    • If you have created a SAML authentication provider for your Coveo organization as a whole, be careful not to confuse this provider with your Search API SAML authentication provider (see Configure Coveo Cloud SAML SSO).

    • If you’re configuring SAML for a Coveo Cloud V1 organization, remember to use the workgroup query string parameter rather than organizationId to specify the unique identifier of your organization.

  12. Click Next.

  13. Enter the Relying party trust identifier. This can be any string, as long as it matches the relyingPartyIdentifier argument you use when creating your Search API SAML authentication provider.

    Use the Coveo Platform host name when specifying the Relying party trust identifier:

    • https://platform.cloud.coveo.com on Coveo Cloud V2

    • https://cloudplatform.coveo.com on Coveo Cloud V1

  14. Click Add, and then click Next.

  15. Select Permit all users to access this relying party, and then click Next.

  16. Click Next, check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and then click Close.

  17. In the new dialog box that opens, in the Issuance Transform Rules tab, click Add Rule.

  18. In the new wizard that opens, in the Claim rule template dropdown menu, select Send LDAP Attributes as Claims, and then click Next.

  19. In Claim rule name, enter Send Name ID.

  20. In the Attribute store dropdown menu, select Active Directory.

  21. In the table below the dropdown menu, select SAM-Account-Name in the left column and Name ID in the right column.

  22. Click Finish.

  23. Close the dialog by clicking OK.

Downloading the XML Metadata

On a typical AD FS setup, you can download the XML metadata file from the following address:

https://{myserver}/FederationMetadata/2007-06/FederationMetadata.xml

where you replace {myserver} with the host name of your AD FS server.

The XML metadata contains information such as the certificates that validate the responses (see SAML 2.0 Metadata). You must use the content of this file as the metadata argument when creating your Search API SAML authentication provider (see Creating an Authentication Provider).

Creating an Authentication Provider

Follow the standard procedure for creating a Search API SAML authentication provider for your AD FS IdP (see Creating a Search API SAML Authentication Provider).

You must set:

Once your Search API SAML authentication provider has been successfully created, you can test your setup.
