Configuring PingOne for Coveo Cloud SSO

PingOne is a service providing single sign-on (SSO) for web and mobile applications.

As a Coveo Cloud administrator, you can implement Security Assertion Markup Language (SAML) 2.0 SSO when your company uses PingOne (see Coveo Cloud SAML SSO). Users can then log in to Coveo Cloud without having to provide their authentication credentials since their identity has previously been validated when logging in to their PingOne session.

To allow users to log in via SAML SSO, Coveo Cloud must be able to trust and rely on PingOne to authenticate users wanting to log in. To establish this trust relationship, you must configure PingOne and Coveo Cloud so that both parties can exchange authentication information.

If you’re not the PingOne administrator at your company, contact them so that they can configure PingOne using the following steps.

Configure PingOne

Both PingOne and Coveo Cloud must be configured to work together and provide a SAML SSO service to your Coveo Cloud users. First configure PingOne so that it can provide Coveo Cloud with user authentication data.

  1. Log in to your PingOne Administrator account.

  2. Select the Applications tab.

  3. Click the Add Application drop-down menu, and then New SAML Application.

  4. Under 1. Application Details:

    1. In the Application Name box, enter an application name to display in your Applications page.

      Coveo Cloud

    2. In the Application Description box, enter a short application description.

    3. In the Category drop-down menu, select a category to label the application.

    4. Click Continue to Next Step.

  5. Under 2. Application Configuration:

    You might need to scroll up on this page to see options above Assertion Consumer Service (ACS).

    1. Next to Upload Metadata, click Or use URL, and then enter:

      • For a regular (non-HIPAA) organization: https://platform.cloud.coveo.com/saml/metadata.

        OR

      • For a HIPAA organization: https://platformhipaa.cloud.coveo.com/saml/metadata.

        OR

      • For an organization with data residency outside the US: https://platform-<REGION_ABBREVIATION>.cloud.coveo.com/saml/metadata.

      Alternatively, you can download the XML file from the URL, and then click Select File to upload it.

      The Assertion Consumer Service (ACS) and Entity ID boxes are then automatically filled, and a Primary Verification Certificate is loaded.

    2. Click Continue to Next Step.

  6. Under 3. SSO Attribute Mapping:

    1. Click Add new attribute, and then fill the boxes using the following table values.

      Application Attribute   Identity Bridge Attribute or Literal Value   Required
      user.email              Email
    2. If you want to import your PingOne groups in Coveo Cloud, click Add new attribute again, and then fill the boxes using the following table values.

      Importing your PingOne groups into Coveo Cloud allows you to create several Coveo organization members at once. If you don’t import your PingOne groups, you must add your PingOne users to your Coveo organization one by one (see Adding and Managing Members).

      Application Attribute   Identity Bridge Attribute or Literal Value   Required
      user.groups             memberOf
    3. If you want to add additional attributes, click Add new attribute again, and then fill the boxes.

      You could choose to add the following attributes:

      Application Attribute   Identity Bridge Attribute or Literal Value   Required
      user.firstName          First Name
      user.lastName           Last Name
    4. Click Save & Publish.

  7. Under 4. Review Setup, review your configuration.

    You will use the information displayed on this page to configure Coveo Cloud.

  8. Click Finish.

Prepare to Configure Coveo Cloud

Once you have configured PingOne so that it passes the right information about user authentication to Coveo Cloud, you must configure Coveo Cloud to enable federation between Coveo Cloud and PingOne. To do so, you need to retrieve data to later import into Coveo Cloud.

  1. In the My Applications PingOne page, click the application you just created to display your application configuration.

  2. Next to Signing Certificate, click Download.

  3. Once you have downloaded the file, open it with a text editor such as Notepad++.

  4. This is the public certificate you must copy and paste in the Coveo Cloud configuration panel.

  5. Next to SAML Metadata, click Download.

  6. Once you have downloaded the file, open it with a text editor such as Notepad++.

    • The entityID displayed at the top of the document must be entered in the Coveo Cloud configuration panel.

    • The SingleSignOnService POST binding address displayed towards the bottom of the file must be entered in the Coveo Cloud configuration panel, in the Single sign-on URL box.

Configure Coveo Cloud

Once you have configured your identity provider to provide Coveo Cloud with user authentication data, you must configure Coveo Cloud to trust your identity provider and accept to rely on it for user authentication.

  1. With the data required to fill the Coveo Cloud configuration form in hand, access the Settings panel:

    1. Log in to the Coveo Platform as a member of a group with the required privileges to manage settings in the target Coveo organization, if not already done.

    2. In the Administration Console upper-right corner, click Settings.

    3. In the Settings panel, select the Organization tab, and then, in the left-hand pane, click Single Sign-On.

  2. In the Single Sign-On tab, in the Identity provider name box, enter the identity provider name as you want it to appear on your Coveo organization login page (see Logging in to Coveo Cloud).

  3. In the Single sign-on URL box, enter the URL where Coveo Cloud must send an authentication request.

    The SSO URL is also called assertion consumer service (ACS).

  4. In the Identity provider issuer URL box, enter the identity provider issuer unique URL.

    The identity provider issuer URL is also called entity ID or federation service identifier, and must be unique across all platform organizations using SSO.

  5. Provide Coveo Cloud with the identity provider public certificate to validate the identity provider signature:

    • Paste the X.509 public certificate in the Public certificate box.

      OR

    • If you saved the public certificate on your computer, click Choose File to browse your files and upload the certificate.

    The certificate must be Base64-encoded and may contain the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

  6. Click Add.

  • If you encounter a SAML Authentication Error while logging in to the hosted search page, it’s typically because the SSO configuration has not been updated prior to the scheduled rotation of the certificate. To resolve this issue, the Coveo administrator can update the certificate in the Settings panel of the Coveo Cloud Administration Console.
  • To avoid this error, a Coveo administrator can add a notification as a reminder to update the certificate prior to the rotation date.

Encrypt PingOne Assertions

Assertion encryption is optional. To encrypt PingOne assertions, you must retrieve the Coveo Cloud public certificate and import it into your PingOne configuration.

  1. In the Settings panel, in the Single Sign-On tab, under Advanced Option, download the Coveo Cloud certificate.

  2. Access your PingOne application configuration:

    1. Log in to your PingOne Administrator account.

    2. Select the Applications tab.

    3. On the My Application page, click your Coveo application.

  3. Below the application configuration, click Edit.

  4. Under 1. Application Details, click Continue to Next Step.

  5. Under 2. Application Configuration:

    1. Check the Encrypt Assertion box.

    2. Next to Encryption Certificate, click Select file, and then select the Coveo Cloud public certificate you downloaded.

    3. Click Continue to Next Step.

  6. Under 3. SSO Attribute Mapping, click Save & Publish.

Test Your Configuration

  1. Add your email address as an organization member (see Adding and Managing Members). In the Add a Member dialog, under Provider, make sure to select Single sign-on.

  2. Log out of Coveo Cloud, and then log in using SSO and your identity provider account. By doing so, you make sure Coveo Cloud and your identity provider work together smoothly.

    We strongly recommend that you do not delete the account with which you first logged in to Coveo Cloud and implemented SAML SSO. This original account is a “backdoor” that prevents you from being locked out if the SAML SSO doesn’t work as expected: at any time, you can log in via the regular, non-SSO login page, and then edit the Coveo Cloud configuration. Alternatively, if you must delete your original account, create another non-SSO administrator account with the required privileges beforehand.

Invite SSO Users or User Groups

Once you have verified that your SSO configuration works, invite SSO users or user groups to your organization (see Adding and Managing Members and Import Members).

Once you set up SSO for your organization, users accessing a hosted search page of this organization are automatically redirected to the SSO login page. Therefore, after configuring your SSO, promptly invite your users as SSO users of this organization. Otherwise, users will enter their identity provider credentials, but access to the hosted search page won’t be allowed since there will be no Coveo Cloud SSO user corresponding to the provided credentials.
