Configuring OneLogin for Coveo Cloud SSO

OneLogin is a service providing single sign-on (SSO) for web applications.

As a Coveo Cloud administrator, you can implement Security Assertion Markup Language (SAML) 2.0 SSO when your company uses OneLogin (see Coveo Cloud V2 SAML SSO). Users can then log in to Coveo Cloud without having to provide their authentication credentials since their identity has previously been validated when logging in to their OneLogin session.

To allow users to log in via SAML SSO, Coveo Cloud must be able to trust and rely on OneLogin to authenticate users wishing to log in. To establish this trust relationship, you must configure OneLogin and Coveo Cloud so that both parties can exchange authentication information.

If you are not the OneLogin administrator at your company, contact them so they configure OneLogin using the following steps. If you want to encrypt OneLogin assertions, you will have to provide this person with the Coveo Cloud public certificate as well.

Configure Coveo Cloud

Once you have configured your identity provider to provide Coveo Cloud with user authentication data, you must configure Coveo Cloud to trust your identity provider and accept to rely on it for user authentication.

  1. With the data required to fill the Coveo Cloud configuration form in hand, access the Settings panel:

    1. Log in to the Coveo Cloud platform as a member of a group with the required privileges to manage settings in the target Coveo Cloud organization.

    2. In the administration console upper-right corner, click the Settings icon (Settings icon).

    3. In the Settings panel, click the Organization tab, and then, in the left-hand pane, click Single Sign-On.

  2. In the Single Sign-On tab, in the Identity provider name box, enter the identity provider name as you want it to appear on your Coveo Cloud organization login page (see Logging in to Coveo Cloud).

  3. In the Single sign-on URL box, enter the URL where Coveo Cloud must send an authentication request.

    The SSO URL is also called assertion consumer service (ACS).

  4. In the Identity provider issuer URL box, enter the identity provider issuer unique URL.

    The identity provider issuer URL is also called entity ID or federation service identifier, and must be unique across all platform organizations using SSO.

  5. Provide Coveo Cloud with the identity provider public certificate to validate the identity provider signature:

    • Paste the X.509 public certificate in the Public certificate box.


    • If you saved the public certificate on your computer, click Choose File to browse your files and upload the certificate.

    The certificate must be Base64-encoded and may contain the -----BEGIN CERTIFICATE----- and ----END CERTIFICATE----- tags.

  6. Click Add.

Encrypt OneLogin Assertions

Assertion encryption is optional. To encrypt OneLogin assertions, you must have set up a SAML Test Connector (IdP w/ encrypt) application (see Configure OneLogin). You must then retrieve the Coveo Cloud public certificate and import it into your OneLogin configuration.

  1. In the Settings panel, in the Single Sign-On tab, under Advanced Option, download the Coveo Cloud certificate.

  2. If not already done, access your application configuration console:

    1. Log into your OneLogin developer account.

    2. In the Apps drop-down menu, click Company Apps.

    3. Click the app you just created.

  3. Click the Configuration tab.

  4. Under SAML Encryption, in the Public key box, paste the Coveo Cloud public certificate.

  5. Click Save.

Test Your Configuration

  1. Add your email address as an organization member (see Adding and Managing Members). In the Add a Member dialog, under Provider, ensure to select Single sign-on.

  2. Log out of Coveo Cloud, and then log in using SSO and your identity provider account. By doing so, you make sure Coveo Cloud and your identity provider work together smoothly.

    It is strongly recommended not to delete the account with which you first logged in to Coveo Cloud and implemented SAML SSO. This original account is a “backdoor” that prevents you to be locked out if the SAML SSO does not work as expected: at any time, you can log in via the regular, non-SSO login page, and then edit the Coveo Cloud configuration. Alternatively, if you must delete your original account, you can also create another non-SSO administrator account with the required privileges beforehand.

Invite SSO Users

Once your have verified that your SSO configuration works, invite SSO users to your organization (see Adding and Managing Members).

Once you setup a SSO for your organization, users accessing a hosted search page of this organization are automatically redirected to the SSO login page. Therefore, after configuring your SSO, promptly invite your users as SSO users of this organization. Otherwise, users will enter their identity provider credentials, but access to the hosted search page will not be allowed since there will be no Coveo Cloud SSO user corresponding to the provided credentials.

Recommended Articles