Assign Multiple Organizations to a SAML Authentication Provider

If you manage more than one Coveo organization and have implemented SAML authentication for one of them, you may want to associate another organization with your SAML authentication provider.

For example, you have a production organization and a sandbox organization, and you want both of them to share an identical SAML authentication setup.

To associate another organization with your SAML authentication provider, you must first retrieve the SAML authentication parameters to apply, and then update the desired organization with these parameters.

  1. Ensure that the identity you intend to use to perform the following Coveo API calls is a member of a group that has the following privileges in both the organization where you have already implemented SAML SSO (organization1) and the organization where you want to implement it (organization2):

  2. Ensure that your original SAML authentication implementation works as expected by testing the login process.

  3. Send a GET request to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/saml/availables where you replace {organizationId} with the ID of the Coveo organization where you have already implemented SAML authentication (organization1).

    A successful request returns a Status 200 containing the SAML authentication parameters for the specified organization and, if any, other organizations using the same SAML authentication setup. The response body of your GET request should look like the following example.

    Typical Header of a SAML Authentication Provider GET Request

     GET https://platform.cloud.coveo.com/rest/organizations/organization1/saml/availables HTTP/1.1
     Content-Type: application/json
     Accept: application/json
     Authorization: Bearer **********-****-****-****-************

    Typical Response Body of a SAML Authentication Provider GET Request

     {
         "displayName": "MySAMLIdP",
         "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
         "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
         "postBindingEndpoint": "https://mycompany.identityprovider.com/app/mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
         "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L...",
         "organizationIds": [
             {
                 "displayName": "organization1",
                 "id": "organization1"
             }
         ]
     }

  4. Using the GET request response body, fill in the body of a PUT request to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/saml/identityprovider where you replace {organizationId} with the ID of the organization where you have already implemented SAML authentication (organization1).

    In the PUT request body, under organizationIds, enter the IDs of both the organization where you have already implemented SAML SSO and the organization where you want to implement it (organization1 and organization2). The list must contain both IDs, not only the new one. The organization displayName isn’t required. The body of your PUT request should look like the following example.

    Typical Header of a SAML Authentication Provider PUT Request

     PUT https://platform.cloud.coveo.com/rest/organizations/organization1/saml/identityprovider HTTP/1.1
     Content-Type: application/json
     Accept: application/json
     Authorization: Bearer **********-****-****-****-************

    Typical Body of a SAML Authentication Provider PUT Request

     {
       "displayName": "MySAMLIdP",
       "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
       "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
       "organizationIds": [
         {
           "id": "organization1"
         },
         {
           "id": "organization2"
         }
       ],
       "postBindingEndpoint": "https://mycompany.identityprovider.com/app/mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
       "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L..."
     }


    A successful request returns a Status 200 containing the parameters you entered in the request body. SAML authentication should now be implemented in the desired organization (organization2).

  5. Test the SAML authentication setup in the newly associated organization (organization2). The authentication process should be identical to that of the organization where you originally implemented SAML authentication (organization1).
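The GET-then-PUT sequence of steps 3 and 4, as an added Python example that is not part of the Coveo documentation: it derives the PUT body from the GET response, refuses to proceed when that response does not list organization1, keeps the existing organization instead of replacing it, and checks that the PUT response echoes both IDs. The endpoints and JSON fields come from the article; the COVEO_TOKEN environment variable, the function names and the sample response are assumptions made here.

```python
import json
import os
import urllib.request

PLATFORM = "https://platform.cloud.coveo.com"
# Constructed sample shaped like the GET .../saml/availables response shown in this article.
SAMPLE_GET_RESPONSE = {
    "displayName": "MySAMLIdP",
    "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
    "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
    "postBindingEndpoint": "https://mycompany.identityprovider.com/app/mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
    "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L...",
    "organizationIds": [{"displayName": "organization1", "id": "organization1"}],
}

def build_put_body(get_response, source_org_id, target_org_id):
    """PUT body: organizationIds is the full set using the provider, so keep source, append target."""
    existing = [org["id"] for org in get_response.get("organizationIds", [])]
    if source_org_id not in existing:  # refuse to rewrite a provider that does not serve the source org
        raise ValueError(f"{source_org_id} is not served by provider {get_response['id']}")
    org_ids = list(dict.fromkeys(existing + [target_org_id]))  # dedupe, preserve order
    return {
        "displayName": get_response["displayName"],
        "entityId": get_response["entityId"],
        "id": get_response["id"],
        "organizationIds": [{"id": o} for o in org_ids],  # displayName is not required here
        "postBindingEndpoint": get_response["postBindingEndpoint"],
        "x509Certificate": get_response["x509Certificate"],
    }

def assignment_confirmed(put_response, expected_org_ids):
    """True when the PUT response echoes every expected organization (the step 4 check)."""
    returned = {org["id"] for org in put_response.get("organizationIds", [])}
    return set(expected_org_ids) <= returned

def call_api(method, path, token, body=None):
    """Send one JSON request to the Coveo Platform API and return the parsed response body."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Bearer {token}"}
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(PLATFORM + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    token = os.environ["COVEO_TOKEN"]  # read from the environment rather than hard-coded
    current = call_api("GET", "/rest/organizations/organization1/saml/availables", token)
    body = build_put_body(current, "organization1", "organization2")
    result = call_api("PUT", "/rest/organizations/organization1/saml/identityprovider", token, body)
    print("both assigned:", assignment_confirmed(result, ["organization1", "organization2"]))
```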