Creating a Coveo Hybrid Cloud V1 Organization

Coveo Hybrid Cloud Organizations are private and secure environments in the Coveo Platform that use the index of an on-premises Coveo Enterprise Search (CES) instance instead of hosting one. In this scenario, the Organization is used to send queries to the index as well as to monitor and measure the usage of your Coveo search solution thanks to Coveo Usage Analytics (Coveo UA). Since the Organization is index-less, Coveo administrators manage content and permissions in the Administration Tool of their CES instance (see Administration Tool).

After installing the Coveo for Salesforce application, you can configure your on-premises Cloud Organization to use your Coveo Enterprise Search (CES) on-premises index. As shown in the following schema, this configuration allows Salesforce to query (through the Hybrid Cloud Organization) an on-premises index, which resides in a corporate network protected by a firewall. By using the Search API running in the cloud, the Cloud Platform can talk to the on-premises index as if it were a complete cloud deployment.


To create a Coveo Hybrid Cloud Organization

  1. Contact Coveo Support to get an on-premises Organization.

  2. If not already done, log in to your Coveo Cloud organization with an Owner or Admin user role account.

    Once created, the Organization has a special badge on the Organization selection page.


    The License Plan page (License folder > Plan) also shows that the Organization is on-premises.


  3. Configure your Coveo Hybrid Cloud Organization to connect with your on-premises CES instance:

    1. In the navigation bar on the left, under Organization, select Settings.

    2. In the On-Premises Index Settings section:

      1. In the On-Premises Index URI box, enter the URI through which the Coveo Platform should connect to your on-premises Coveo index. This URI must use either an IP address or a public DNS name and should be set up to allow incoming connections from Coveo Cloud (see Granting the Coveo Cloud V1 Access to Your On-Premises CES Index).

      2. Upload the server and client certificates to allow the Coveo Platform to authenticate itself and connect to both index server and client:

        1. Next to Server Certificate, click Choose, and then in the Open dialog box, select the cert-ca.pem file from your Coveo Master server, and then click Open.

        2. Next to Client Certificate, click Choose, and then in the Open dialog box, select the cert-iis.p12 file from your Coveo Master server, and then click Open.

  4. In the Administration Tool of your on-premises CES instance, to ensure end users can see items from one or more repositories in the search results, you may need to configure appropriate security providers to map the email identities that are passed along with the queries to other identities with which items are secured in the index.

    The Email Security Provider must be named Email Security Provider.

    When your search interface is integrated in Salesforce and your users use the same email to log in to your Coveo-powered search interface as they do when logging in to Salesforce, create an Email Security Provider and configure the Salesforce security provider to use the Email Security Provider to map email identities to Salesforce identities. This allows your Salesforce users to see the Salesforce content in search results (see Configuring an Email Security Provider and Configuring a Salesforce Security Provider).

  5. On the Source: <SOURCE_NAME> - Permissions page of each indexed source, if you chose the option Specifies the permissions to index when first configuring your source, under Allowed Users (see Modifying Source Security Permissions and Available Coveo Cloud V1 Source Types):

    1. Click Add to create a group of users allowed to access the source content.

    2. In the Add Identity dialog, in the Security Provider drop-down menu, select your Email Security Provider.

    3. In the Type drop-down menu, select the type of group you want to create.

    4. In the Name box, enter a partial email address and the * wildcard to allow all users with an email address matching the pattern to access the source content.

      • *@* allows any user logging in with an email address to access the source content. This is the equivalent of Everyone with an Active Directory security provider.

      • * allows users logging in with their MyCompany email address to access the source content.

      • jsmith@* allows John Smith to log in using any supported email address, such as and, to access the source content.

    5. Click Add to add this group only, or Add and Continue to add another group.

  6. Back in the Administration Console of your Coveo Cloud organization, test the index in the Content Browser (see Inspecting Items With the Content Browser).

    The first queries will most likely return no results if security providers aren’t yet configured to work with Cloud authentication, but the absence of an error means that the index was successfully contacted.

    For Salesforce sources, you can configure an Email Security Provider when your users use the same email to log in to your Coveo-powered search interface as they do when logging in to Salesforce (see Salesforce Connector Deployment Overview).
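
An added example, not part of the Coveo documentation: a review aid for the wildcard patterns entered in the Name box in step 5, run against constructed sample identities before the groups are added. It assumes that `*` matches any run of characters and that matching is case-insensitive, which the page does not specify; the domains, sample addresses and function names are hypothetical.

```python
import re

def pattern_to_regex(pattern):
    """Translate a Name-box pattern into a regex.
    Assumption: '*' matches any run of characters, everything else is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)

def matches(pattern, email):
    """True when the whole email identity is covered by the pattern."""
    return pattern_to_regex(pattern).fullmatch(email) is not None

def audit(patterns, trusted_domains, sample_identities):
    """For each pattern, list the sample identities it admits and the subset
    whose domain is not one you intended to grant access to."""
    report = {}
    for pattern in patterns:
        admitted = [e for e in sample_identities if matches(pattern, e)]
        outside = [e for e in admitted
                   if e.rsplit("@", 1)[-1].lower() not in trusted_domains]
        report[pattern] = {"admitted": admitted, "outside_trusted": outside}
    return report

# Constructed sample data (placeholder domains, not taken from the page).
TRUSTED_DOMAINS = {"corp.example"}
SAMPLE_IDENTITIES = [
    "alice@corp.example",
    "jsmith@corp.example",
    "jsmith@partner.example",
    "bob@notcorp.example",
]
PATTERNS = [
    "*@*",             # equivalent of Everyone, as the page notes
    "*@corp.example",  # anchored on '@': one domain only
    "*corp.example",   # missing '@': also admits look-alike domains
    "jsmith@*",        # one mailbox name at any domain
]

if __name__ == "__main__":
    for pattern, result in audit(PATTERNS, TRUSTED_DOMAINS, SAMPLE_IDENTITIES).items():
        print(f"{pattern!r}: admits {len(result['admitted'])}, "
              f"outside trusted domains: {result['outside_trusted']}")
```

Under these assumptions, a pattern that omits the `@` before the domain also admits addresses at any domain that merely ends with the same string, so anchor domain patterns as `*@domain`.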
