About the login process
About the login process
This is for:
System AdministratorTo access the Coveo Administration Console and other Coveo Platform resources such as Coveo Connect, users must log in. Some Coveo-powered search interfaces also require users to log in, especially if the search results they return are sensitive.
This page explains the login process that users will go through once invited to join an organization by their Coveo administrator.
Invitation email
When you add a member to a Coveo organization, they receive an invitation email. They must click the link in the email to log in and accept the invitation. This link expires after 31 days.
Login options
Coveo relies on third-party identity providers to authenticate members. There is no such thing as creating a Coveo account from scratch, as Coveo expects its members to log in using an account with one of the following identity providers:
-
Google
-
Microsoft
-
Salesforce
-
A single sign-on (SSO) identity provider
When clicking either Google, Microsoft, or Salesforce, members are prompted to enter their credentials. For example, here’s Google’s prompt:
Logging in with SSO
If you implemented a SAML SSO, you must instruct members to click Using Custom Single Sign-On on the login page, and then enter the ID of the organization they want to access. You should also provide this ID to new members when adding them to your Coveo organization, but if you haven’t, a link allows them to get a list of the organizations they can log in to.
After a member’s first login, Coveo stores the organization ID in a cookie and automatically fills the Organization ID box next time.
Logging in with email
The option to log in with email allows members to access the Coveo Administration Console without an account with one of the supported identity providers. It’s mostly used by new members of Coveo, especially those starting a free trial. However, it can also be used by any other user, including a Coveo administrator as a "backdoor" for their single sign-on implementation.
The login flow is the following:
-
On the login page, the member clicks Log in with email.
-
The member provides their email address.
-
Coveo sends them an email with a login link.
-
When the member clicks this link, the Coveo Administration Console opens in a new browser tab. They’re automatically logged in.
-
The next time the member needs to log in to Coveo, they repeat steps 1 to 4 with the same email address.
Advantages of other options
Once trial users are ready to commit to a full Coveo license, we recommend they switch to using SSO or one of the supported providers, along with any other member of their organization, for a better experience in the long term. For example, if your company uses an SSO for other applications, you should implement it in your Coveo organization and have all Coveo users log in with this option. The advantages of this change are the following:
-
Logging in becomes faster and smoother. If members are already logged in to the identity provider or SSO on another web application, they don’t have to enter their password and are automatically let in. They don’t have to switch to their inbox and wait for Coveo’s email.
-
Relying on a single system to manage user access reduces the risk for unauthorized access. For example, if an employee logs in to Coveo with his personal email, they can still access Coveo after quitting your company if you don’t manually delete their identity in the Coveo Administration Console. However, if they access Coveo with a company-managed Salesforce account, this account will most probably be deactivated as part of the employee offboarding process.
After login
After their first login as a member of the group they’ve been added to, the member must accept the invitation to join this group. They’re then redirected to the Coveo Administration Console or search page they wanted to access.
Moreover, if it’s the first time they’re logging in with these credentials, members receive an email asking to confirm their email address.
Switching to a different provider
Switching from an identity provider to a different identity provider is essentially adding a new organization member, and then removing the original one. This must be done even if the user receives Coveo login links to their Google, Microsoft, or Salesforce address.
-
Add the user as a new member of your Coveo organization, selecting the new identity provider. Make sure to add them to the same groups as their original account to preserve their privilege set.
Multiple accounts
You may add the same person to your organization twice, with different identity providers, such as Google and Microsoft. Coveo considers the two sets of credentials to be independent and can’t tell if they represent the same individual. As a result, these two accounts can be granted different privileges.
Login page address
The URL of the login page can differ depending on the region and whether your Coveo deployment is HIPAA-compliant.
Region | Login page URL |
---|---|
US |
|
US (HIPAA-compliant) |
|
Canada |
|
Ireland |
|
Australia |
Alternatively, if you know your organization ID, you can use the following addresses and replace <ORG_ID>
with the unique identifier of your Coveo organization:
-
<ORG_ID>.admin.org.coveo.com
-
<ORG_ID>.admin.orghipaa.coveo.com
for HIPAA organizations
Coveo will redirect you based on your primary deployment region, as listed above.
Troubleshooting
When trying to log in, members may encounter the following messages:
"You Currently Do Not Have Access to Any Organizations"
This message appears when the user’s credentials are valid, but don’t match any Coveo organization member.
Possible causes are:
-
The member isn’t using the right identity provider
The member’s profile is linked to a specific identity provider, such as Google or Microsoft, selected by their Coveo administrator. They should try logging in with the identity provider specified in the invitation email.
If they’re still unable to log in, make sure that they’ve have been granted the privileges required to access the desired pages of the Administration Console, including the privilege to view the organization (View access level on the Organization domain).
NoteMembers attempting to log in as part of a course on Coveo Level Up must create a Coveo test organization and log in using the same identity provider and email address they used to log in to Level Up. For more information, see the Create a Test Organization course on Coveo Level Up.
-
The member isn’t using the correct Coveo Administration Console URL
The URL of the member’s Coveo Administration Console depends on their Coveo organization’s deployment region. Ensure that they’re using the Administration Console login URL corresponding to their Coveo organization’s deployment region. For multi-region deployments, the login URL is based on their primary deployment region.
-
The user isn’t a member of a Coveo organization
To be a member of a Coveo organization and log in, one must first be invited by their Coveo administrator.
"Insufficient privileges"
The following message appears when a member tries to log in to an organization that they don’t have the privilege to view.
Insufficient Privileges - You currently have insufficient privileges to access the Coveo Administration Console of the [OrganizationName] organization.
Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Administration Console.
To fix this issue, grant the member the privilege to view the organization (View access level on the Organization domain).
"AADSTS90093: Does Not Have Access to Consent" or "Need Admin Approval"
The following messages indicate that a Microsoft Office 365 global administrator disabled the ability for users to consent to third-party applications such as Coveo:
-
AADSTS90093: Does not have access to consent.
-
Need admin approval: Coveo needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
To fix this issue, an Office 365 global administrator can either:
-
Give admin consent to the Coveo application on behalf of all users.
-
Enable user consent to third-party applications. This alternative is less likely to be chosen, as global administrators tend to disable user consent to keep track of the applications allowed to access their Office 365 organization resources.
The process of having an Office 365 global administrator give consent to Coveo is the following:
-
Add the Office 365 global administrator as a member of your organization and grant them the privileges required to edit groups. If you just created the organization with your Microsoft email address, you might need to ask the Coveo Support team to do it for you, as you won’t be able to log in.
-
When logging in to Coveo, the global administrator is prompted to authorize the Microsoft organization users to use Coveo.
-
Once they have logged in, the global administrator can add you as an individual member of the organization or create a group of Microsoft users.
Contact the Coveo Support team if the error persists.