Assign multiple organizations to a SAML authentication provider

This is for:

System Administrator

If you manage more than one Coveo organization and have implemented SAML authentication for one of them, you may want to associate another organization with your SAML authentication provider.

This is especially useful if you have users switching between multiple organizations, for example, a production and a sandbox organization. As a result, users can log in to both organizations with the same SSO credentials.

The procedure below explains how to associate another organization with your SAML authentication provider via the Coveo API. However, if you want to do it through the Coveo Administration Console, see Reusing an SSO configuration in multiple organizations.

To associate another organization with your SAML authentication provider, you must first retrieve the SAML authentication parameters to apply, and then update the desired organization with these parameters.

  1. Ensure that the identity you intend to use to perform the following Coveo API calls is a member of a group that has the following privileges in both the organization where you have already implemented SAML SSO (organization1) and the organization where you want to implement it (organization2):

  2. Ensure that your original SAML authentication implementation works as expected by testing the login process.

  3. Send a GET request to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/saml/availables where you replace {organizationId} with the ID of the Coveo organization where you have already implemented SAML authentication (organization1).

    A successful request returns a Status 200 containing the SAML authentication parameters for the specified organization and, if any, other organizations using the same SAML authentication setup. Your GET request and its response body should look like the following example:

    Header

    GET https://platform.cloud.coveo.com/rest/organizations/organization1/saml/availables HTTP/1.1
    
    Content-Type: application/json
    Accept: application/json
    Authorization: Bearer **********-****-****-****-************

    Response body

    {
      "displayName": "MySAMLIdP",
      "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
      "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
      "postBindingEndpoint": "https://mycompany.identityprovider.com/app/mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
      "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L...",
      "organizationIds": [
        {
          "displayName": "organization1",
          "id": "organization1"
        }
      ]
    }
  4. Using the GET request response body, fill the body of a PUT request to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/saml/identityprovider where you replace {organizationId} with the ID of the organization where you have already implemented SAML authentication (organization1).

    In the PUT request body, under organizationIds, enter the ID of both the organization where you have already implemented SAML SSO and the organization where you want to implement it (organization1 and organization2). The organization displayName isn’t required. Your PUT request should look like the following example:

    Header

    PUT https://platform.cloud.coveo.com/rest/organizations/organization1/saml/identityprovider HTTP/1.1
    
    Content-Type: application/json
    Accept: application/json
    Authorization: Bearer **********-****-****-****-************

    Request body

    {
      "displayName": "MySAMLIdP",
      "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
      "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
      "organizationIds": [
        {
          "id": "organization1"
        },
        {
          "id": "organization2"
        }
      ],
      "postBindingEndpoint": "https://mycompany.identityprovider.com/app/mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
      "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L..."
    }

    A successful request returns a Status 200 containing the parameters you entered in the request body. SAML authentication should now be implemented in the desired organization (organization2).

  5. Test the SAML authentication setup in the newly associated organization (organization2). The login process should be identical to that of the organization where you originally implemented SAML authentication (organization1).
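The GET-then-PUT sequence of steps 3 and 4, as an added example script that is not Coveo's own code. It assumes the GET on /saml/availables returns a single provider object shaped like the sample response above and that the PUT on /saml/identityprovider accepts that same object back with an extended organizationIds list; the endpoint paths, field names and sample values are those shown on this page. The bearer token is read from an environment variable (COVEO_API_TOKEN, an assumed name) rather than written into the script, existing organization IDs are preserved instead of overwritten, and the PUT response is checked to confirm the target organization was actually recorded before the script reports success.

```python
"""Associate a second Coveo organization with an existing SAML identity provider.

Added example, not Coveo's own code. Follows the page's steps: GET the SAML
parameters of organization1, then PUT them back with organizationIds extended
to include organization2. Assumes the response shapes shown on the page.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Optional

PLATFORM = "https://platform.cloud.coveo.com"

# Constructed sample: a copy of the page's GET response body, used for offline runs.
SAMPLE_PROVIDER: dict[str, Any] = {
    "displayName": "MySAMLIdP",
    "entityId": "http://www.identityprovider.com/exkabcurm887FmOwOc0h7",
    "id": "xbjfnpsw4fw2yxvb2vmc5n2pty",
    "postBindingEndpoint": "https://mycompany.identityprovider.com/app/"
    "mycompany_identityproviderapp/exkabcurm887FmOwOc0h7/sso/saml",
    "x509Certificate": "MIIDpDCCAoygAwIBAgIGAVZbyf2L...",
    "organizationIds": [{"displayName": "organization1", "id": "organization1"}],
}


def build_identity_provider_body(provider: dict[str, Any], *org_ids: str) -> dict[str, Any]:
    """Build the PUT body from a fetched provider object.

    Every parameter returned by the GET is sent back unchanged (entityId,
    x509Certificate, postBindingEndpoint, ...); only organizationIds is rewritten.
    Organizations already listed are kept so that none loses SSO, the requested
    IDs are appended, duplicates are dropped, and displayName is omitted because
    the page says it is not required.
    """
    existing = [org["id"] for org in provider.get("organizationIds", [])]
    merged: list[str] = []
    for org_id in existing + list(org_ids):
        if org_id not in merged:
            merged.append(org_id)
    body = {key: value for key, value in provider.items() if key != "organizationIds"}
    body["organizationIds"] = [{"id": org_id} for org_id in merged]
    return body


def http_json(method: str, url: str, token: str, body: Optional[dict] = None) -> dict[str, Any]:
    """Send one JSON request with the headers shown on the page and decode the reply."""
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(
        url,
        data=data,
        method=method,
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )
    try:
        with urllib.request.urlopen(request) as response:
            return json.load(response)
    except urllib.error.HTTPError as exc:  # 401/403 here means the identity lacks the required privileges
        raise RuntimeError(f"{method} {url} failed with HTTP {exc.code}") from exc


def assign_organization(
    token: str,
    source_org: str,
    target_org: str,
    call: Callable[..., dict[str, Any]] = http_json,
) -> dict[str, Any]:
    """Run steps 3 and 4 and verify the outcome. `call` is injectable for offline tests."""
    provider = call("GET", f"{PLATFORM}/rest/organizations/{source_org}/saml/availables", token)
    fetched_ids = {org["id"] for org in provider.get("organizationIds", [])}
    if source_org not in fetched_ids:
        raise RuntimeError(f"provider returned for {source_org} does not list that organization")
    body = build_identity_provider_body(provider, source_org, target_org)
    result = call("PUT", f"{PLATFORM}/rest/organizations/{source_org}/saml/identityprovider", token, body)
    # Step 4: a 200 echoes the parameters sent, so the target org must now appear.
    returned_ids = {org["id"] for org in result.get("organizationIds", [])}
    if target_org not in returned_ids:
        raise RuntimeError(f"{target_org} missing from PUT response: {sorted(returned_ids)}")
    return result


if __name__ == "__main__":
    # Usage: COVEO_API_TOKEN=... python assign_saml_org.py organization1 organization2
    if len(sys.argv) != 3 or not os.environ.get("COVEO_API_TOKEN"):
        sys.exit("usage: COVEO_API_TOKEN=<token> assign_saml_org.py <organization1> <organization2>")
    outcome = assign_organization(os.environ["COVEO_API_TOKEN"], sys.argv[1], sys.argv[2])
    print("organizations now on provider:", [org["id"] for org in outcome["organizationIds"]])
```

Keeping the merge logic in build_identity_provider_body separate from the HTTP calls lets the body be checked against the page's sample before any token is used, and the post-PUT verification catches the case where the call succeeds but the organization list returned is not what was requested.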