Configure ADFS for Coveo SSO

On Windows Server, open your Windows Control Panel, and then click System and Security.

Click Administrative Tools, and then click ADFS Management.

In the AD FS console, on the left side of the page, click Relying Party Trusts.

On the left side of the page, under Actions > Relying Party Trusts, click Add Relying Party Trust.

In the Add Relying Party Trust wizard, select Claims aware, since the service provider to which you want to connect, that is, Coveo, supports Claims, and then click Next.

Select Import data about the relying party published online or on a local network, and then under Federation metadata address:

Note Assertion encryption is automatically enabled if you import the Coveo metadata file. However, it’s possible to deactivate encryption if you prefer to have unencrypted assertions.

Click Next.

Under Display name, enter a service provider name to display in your list of relying party trusts, for example, Coveo.

Optionally add Notes, and then click Next.

Under Configure Multi-Factor Authentication Now?:

Under Choose Issuance Authorization Rules, select Permit all users to allow users to access this relying party to allow all users right now and later pick users to whom access should be forbidden. Alternatively, choose Deny all users access to this relying party to deny all users right now and create an access rule later. Click Next.

Under Ready to Add Trust, you don’t need to do anything, click Next.

Under Finished, leave the Configure claim rules for this application checkbox selected, and then click Close.

In the dialog that appears, in the Issuance Transform Rules tab, click Add Rule.

In the Add Transform Claim Rule wizard, in the Claim rule template dropdown menu, select Send LDAP Attributes as Claims, and then click Next.

Note You can also access the Add Transform Claim Rule wizard by clicking Edit Claim Rules in the AD FS console.

Under Configure Claim Rule, fill the boxes using the following table values, and then click Finish.

If you want to import your ADFS groups into Coveo, click Add new attribute again, and then fill the boxes using the following table values.

Note Importing your ADFS groups into Coveo allows you to create several Coveo organization members at once. If you don’t import your ADFS groups, you must add your users to your Coveo organization one by one (see Manage Members).

If needed, repeat steps 14 to 16 for optional rules, depending on the claims you’re already using to authenticate users, and then click Finish.

Make sure you have a Send LDAP Attributes as Claims rule for each optional Transform Claim rule you plan on adding, so that all attributes and claims are handled smoothly. For example, if you plan on adding a Group to user.groups Transform Claim rule, you need to set up a Token-groups - Unqualified Names to Group Send LDAP Attributes as Claims rule in the first place.

Back in the dialog, in the Issuance Transform Rules tab, click Add Rule.

In the Add Transform Claim Rule wizard, in the Claim rule template dropdown menu, select Transform an Incoming Claim, and then click Next.

Note You can also access the Add Transform Claim Rule wizard by clicking Edit Claim Rules in the AD FS console.

Under Configure Claim Rule, fill the boxes using the values provided in the following table, and then click Finish. See Assertion Settings for details.

Notes The NameID attribute must contain a unique representation of the user and shouldn’t change over time. This attribute is used to match the Coveo username. The NameID can be up to 229 characters long. Coveo forbids the Transient format for the NameID attribute, since NameID shouldn’t change over time.

If you chose to import your ADFS groups in Coveo in step 17, add the following rule (see user.groups for details):

For additional optional rules, repeat steps 19 to 21.

Note All optional attributes should be in Unspecified format.

Make sure you have a Send LDAP Attributes as Claims rule for each optional Transform Claim rule you added, so that all attributes and claims are handled smoothly. For example, if you add a Group to user.groups Transform Claim rule, you need to set up a Token-groups - Unqualified Names to Group Send LDAP Attributes as Claims rule in the first place.

In the Edit Claim Rules for the platform address dialog, click OK.

If you left assertion encryption enabled, you must ensure that ADFS signs its responses. To do so, in PowerShell, enter the following command, and then replace Coveo with the display name you chose earlier:

Set-AdfsRelyingPartyTrust -TargetName "Coveo" -SamlResponseSignature MessageAndAssertion

In the AD FS console, on the left side, right-click AD FS, and then select Edit Federation Service Properties. Alternatively, you may click AD FS, and then, in the Actions panel on the right, click Edit Federation Service Properties.

Copy the Federation Service Identifier (also called identity provider issuer URL, or identity provider entity ID) address and paste it somewhere so you can access it later when configuring Coveo. This address ends with /trust.

In the AD FS console, on the left side, under Service, click Certificates.

Under Token-signing, select the CN=ADFS Signing certificate and then, in the Actions panel on the right, click View Certificate

In the Certificate dialog, click the Details tab, and then click Copy to File

In the Certificate Export wizard, select the Base-64 encoded X.509 (.CER) format, and then click Next.

Browse to the location where you want to save the certificate, and then click Finish.

With the data required to fill the Coveo configuration form in hand, access the Settings page:

In the Single Sign-On subtab, in the Identity provider name box, enter the identity provider name as you want it to appear on your Coveo organization login page.

In the Single sign-on URL box, enter the URL where Coveo must send an authentication request. The SSO URL may also be called Assertion Consumer Service (ACS).

In the Identity provider issuer URI box, enter the identity provider issuer unique URI. The identity provider issuer URI may also be called entity ID or federation service identifier.

Using one of the following methods, provide Coveo with the identity provider’s Base64 public certificate to validate the identity provider signature:

Click Add.

Plan a certificate update following the SSO roll over or expiration schedule.

Add your email address as an organization member. In the Add a Member dialog, under Provider, ensure to select Single sign-on.

Log out of the Coveo Administration Console, and then log back in using the SSO option and your identity provider account. By doing so, you ensure Coveo and your identity provider work together properly.

We strongly recommend that you don’t delete the account with which you first logged in to the Administration Console and implemented SAML SSO. This original account is a "backdoor" that prevents you from being locked out if the SAML SSO doesn’t work as expected. At any time, you can log in with your original, non-SSO identity provider, and then edit the Coveo configuration. For details on how accounts belonging to the same individual are separated, see Multiple Accounts. Alternatively, if you must delete your original account, you can also create another non-SSO administrator account with the required privileges beforehand. Logging in via email is also an alternative.