Configure SAML for Use with Okta

Adding an Application in Okta

To use Okta as an IdP to authenticate Search API calls through SAML 2.0, you must first add an Application in the Okta administration site. Follow these steps:

  1. Open the Okta administration site.

  2. Click the Add Application shortcut.

  3. Click Create New App.

  4. In the popup, select SAML 2.0, and then click Create.

  5. Enter a suitable name for the application (e.g., Coveo Search API).

  6. Check the Do not display application icon to users check box.

  7. Click Next.

  8. Enter the Single sign-on URL.

    This URL must point to the Search API SAML authentication provider that you will create once your IdP is configured (see Creating an Authentication Provider), and it must include the unique identifier of your Coveo organization in the query string.

    Coveo Cloud V2

    https://platform.cloud.coveo.com/rest/search/v2/login/mySAMLAuthenticationProvider?organizationId=mycoveoorganizationg8tp8wu3

    Coveo Cloud V1

    https://cloudplatform.coveo.com/rest/search/login/mySAMLAuthenticationProvider?workgroup=mycoveoorganizationg8tp8wu3

    • If you have created a SAML authentication provider for your Coveo organization as a whole, be careful not to confuse this provider with your Search API SAML authentication provider (see Coveo Cloud V2 SAML SSO).

    • If you’re configuring SAML for a Coveo Cloud V1 organization, remember to use the workgroup rather than the organizationId query string parameter to specify the unique identifier of your Coveo organization.

  9. In Audience URI, enter a suitable relying party identifier.

    A good choice is to use the Coveo Platform host name as a relying party identifier:

    • https://platform.cloud.coveo.com on Coveo Cloud V2.

    • https://cloudplatform.coveo.com on Coveo Cloud V1.

  10. Click Next and complete the wizard.
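The Single sign-on URL and Audience URI entered in steps 8 and 9 are easy to get subtly wrong (wrong host for the Coveo Cloud version, workgroup versus organizationId, a relyingPartyIdentifier that does not match the Audience URI). The following checker is an added example written for this page, not Coveo's or Okta's own code; the host names, path prefixes and query parameter names it encodes are taken from the steps above, and the function and constant names are my own.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Expected shape of the Single sign-on URL per Coveo Cloud version, as given in
# step 8 above. Keys ("v1", "v2") and the dict layout are this example's own.
PLATFORMS = {
    "v2": {
        "host": "platform.cloud.coveo.com",
        "login_path_prefix": "/rest/search/v2/login/",
        "org_param": "organizationId",
    },
    "v1": {
        "host": "cloudplatform.coveo.com",
        "login_path_prefix": "/rest/search/login/",
        "org_param": "workgroup",
    },
}


def check_okta_app_settings(sso_url: str, audience_uri: str, version: str,
                            relying_party_identifier: Optional[str] = None) -> List[str]:
    """Return the problems found with the Okta application settings.

    An empty list means the Single sign-on URL has the host, login path and
    organization query parameter expected for the given Coveo Cloud version,
    the Audience URI is the recommended platform host name, and the optional
    relyingPartyIdentifier (if supplied) equals the Audience URI.
    """
    expected = PLATFORMS[version]
    problems: List[str] = []
    parsed = urlparse(sso_url)

    # The SAML response carries a bearer assertion; never let it travel over http.
    if parsed.scheme != "https":
        problems.append("Single sign-on URL must use https")
    if parsed.hostname != expected["host"]:
        problems.append(f"Single sign-on URL host should be {expected['host']}, "
                        f"got {parsed.hostname}")
    prefix = expected["login_path_prefix"]
    if not parsed.path.startswith(prefix) or parsed.path == prefix:
        problems.append(f"Single sign-on URL path should be {prefix}<provider name>, "
                        f"got {parsed.path}")

    # V1 uses 'workgroup', V2 uses 'organizationId'; using the other one is the
    # mistake the note above warns about.
    query = parse_qs(parsed.query)
    org_param = expected["org_param"]
    other_param = "workgroup" if org_param == "organizationId" else "organizationId"
    if org_param not in query or not query[org_param][0]:
        problems.append(f"Single sign-on URL is missing the {org_param} query parameter")
    if other_param in query:
        problems.append(f"Single sign-on URL uses {other_param}, but Coveo Cloud "
                        f"{version.upper()} expects {org_param}")

    # Step 9 recommends the platform host name as the relying party identifier.
    recommended_audience = f"https://{expected['host']}"
    if audience_uri.rstrip("/") != recommended_audience:
        problems.append(f"Audience URI {audience_uri} differs from the recommended "
                        f"value {recommended_audience}")

    # If relyingPartyIdentifier is passed when creating the provider, it must
    # equal the Audience URI or the assertion's audience restriction will not match.
    if relying_party_identifier is not None and relying_party_identifier != audience_uri:
        problems.append("relyingPartyIdentifier does not equal the Audience URI")
    return problems


if __name__ == "__main__":
    url = ("https://platform.cloud.coveo.com/rest/search/v2/login/"
           "mySAMLAuthenticationProvider?organizationId=mycoveoorganizationg8tp8wu3")
    for problem in check_okta_app_settings(url, "https://platform.cloud.coveo.com", "v2") or ["ok"]:
        print(problem)
```

Run it against the values you actually typed into the Okta wizard before moving on; a non-empty list points at the setting to fix.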

Downloading the XML Metadata

When viewing your application in the Okta administration site, under the Sign On tab, click the Identity Provider metadata link to download the XML metadata file.

The XML metadata contains information such as the IdP entity ID, the single sign-on endpoints, and the certificates used to validate the signed responses (see SAML 2.0 Metadata). You must use the content of this file as the metadata argument when creating your SAML authentication provider (see Creating an Authentication Provider).
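Before pasting the downloaded file into the metadata argument, it is worth confirming that it really is an IdP descriptor carrying a signing certificate and https endpoints, and recording the certificate fingerprint so a later Okta key rotation can be recognized. The parser below is an added example for this page, not Coveo's or Okta's code; the embedded metadata document is constructed to mimic the structure of SAML 2.0 IdP metadata, its entityID and locations are placeholders, and the certificate body is placeholder bytes rather than a real X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. SAMPLE_CERT_DER is NOT a real DER certificate; a real
# Okta download carries the IdP's X.509 signing certificate here.
SAMPLE_CERT_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes, the usual way to pin an IdP signing cert."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> Dict:
    """Extract entityID, signing certificate fingerprints and SSO endpoints.

    xml.etree is fine for a file you downloaded from your own Okta admin site;
    for metadata fetched from a less trusted source, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    signing_certs: List[Dict] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the metadata spec an absent 'use' attribute means the key serves
        # both signing and encryption, so only an explicit "encryption" is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            signing_certs.append({"sha256": sha256_fingerprint(der), "der_length": len(der)})

    sso_services = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso_services": sso_services,
    }


def sanity_check(meta: Dict) -> List[str]:
    """Problems that would stop the Search API from validating Okta's responses."""
    problems: List[str] = []
    if not meta["entity_id"]:
        problems.append("entityID is missing")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: responses could not be validated")
    if not meta["sso_services"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in meta["sso_services"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"])
    for cert in meta["signing_certs"]:
        print("signing cert sha256:", cert["sha256"])
    print(sanity_check(meta) or "metadata looks usable")
```

Store the printed fingerprint with your provider configuration; when Okta rotates its signing certificate you will need to re-download the metadata and update the provider, and a changed fingerprint is the quickest way to notice.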

Creating an Authentication Provider

Follow the standard procedure to create a Search API SAML authentication provider for your Okta IdP (see Creating a Search API SAML Authentication Provider).

Keep in mind that you must set:

Specifying a relyingPartyIdentifier argument when creating a Search API SAML authentication provider is optional when using Okta as an IdP. However, if you do provide it, the relyingPartyIdentifier value must be the same as the Audience URI you entered in Okta (see Adding an Application in Okta, step 9); otherwise the audience restriction in Okta's assertions will not match.

Once your Search API SAML authentication provider has been successfully created, you can test your setup by following the standard procedure (see Testing the Setup).
