---
title: Configure Microsoft Entra ID for Coveo SSO
slug: '2005'
canonical_url: https://docs.coveo.com/en/2005/
collection: manage-an-organization
source_format: adoc
---

# Configure Microsoft Entra ID for Coveo SSO

[Azure](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure/) is a set of cloud services provided by Microsoft. You can use it to build single sign-on (SSO) applications, among other things. As a Coveo administrator, you can [implement Security Assertion Markup Language (SAML) 2.0 SSO](https://docs.coveo.com/en/1979/) when your company uses Microsoft Entra ID. Users can then log in to Coveo without having to provide their authentication credentials, since their identity was already validated when they logged in to their Microsoft Entra session.

To let users log in via SAML SSO, Coveo must be able to trust and rely on Microsoft Entra ID to authenticate users wanting to log in. To establish this trust relationship, you must configure Microsoft Entra ID and Coveo so that both parties can exchange authentication information. This page explains how to proceed.

To configure SSO in more than one Coveo organization, for example in a production organization and a [sandbox organization](https://docs.coveo.com/en/2959/), configure one of these organizations, and then follow [the instructions](#configure-sso-in-another-organization) at the end of this page.

## Configure your Microsoft Entra Portal

Both Microsoft Entra ID and Coveo must be configured to work together and provide a SAML SSO service to your Coveo users. First configure Microsoft Entra ID so that it can provide Coveo with user authentication data.

. Log in to your [Microsoft Azure Portal](http://portal.azure.com/).
. At the upper-left corner, click the menu icon, and then click **Microsoft Entra ID** in the menu.
. In the navigation bar on the left, under **Manage**, click **Enterprise applications**.
. Click **New application**.
. On the **Browse Microsoft Entra ID Gallery** subpage, click **Create your own application**.
. In the **Create your own application** blade, enter `Coveo` as a display name for your application, select **Integrate any other application you don't find in the gallery (Non-gallery)**, and then click **Create**.
. In the navigation bar on the left, under **Manage**, click **Single sign-on**.
. Select the **SAML** method.
. Under **Set up Single Sign-On with SAML**, click **Edit** in the **Basic SAML Configuration** box.
. In the **Basic SAML Configuration** blade:
.. Under **Identifier (Entity ID)**, click **Add identifier**, and then enter one of the following:
*** For a regular (non-HIPAA) organization or an organization with [data residency outside the US](https://docs.coveo.com/en/2976/): `+https://platform.cloud.coveo.com/saml/metadata+`.
*** For a HIPAA organization: `+https://platformhipaa.cloud.coveo.com/saml/metadata+`.
.. Under **Reply URL (Assertion Consumer Service URL)**, click **Add reply URL**, and then enter one of the following:
*** For a regular (non-HIPAA) organization: `+https://platform.cloud.coveo.com/saml/SSO+`.
*** For a HIPAA organization: `+https://platformhipaa.cloud.coveo.com/saml/SSO+`.
*** For an organization with data residency outside the US: `+https://platform-.cloud.coveo.com/saml/SSO+`.
.. Under **Sign on URL**, enter one of the following:
*** For a regular (non-HIPAA) organization: `+https://platform.cloud.coveo.com/login+`.
*** For a HIPAA organization: `+https://platformhipaa.cloud.coveo.com/login+`.
*** For an organization with data residency outside the US: `+https://platform-.cloud.coveo.com/login+`.
.. Click **Save** and close the blade.
. Back under **Set up Single Sign-On with SAML**, click **Edit** in the **Attributes & Claims** box.
. On the **Attributes & Claims** page:
.. Click **Add new claim**.
.. On the **Manage claim** page, under **Name**, enter `user.email`.
.. Under **Source**, select **Attribute**.
.. Under **Source attribute**, select **user.mail**.
.. Click **Save**.
. Back on the **Attributes & Claims** page:
.. Click **Add a group claim**.
.. In the **Group Claims** blade, select **Groups assigned to the application**.
.. Under **Source attribute**, select **sAMAccountName**.
.. Expand the **Advanced options** section, and then check the **Customize the name of the group claim** box.
.. Under **Name**, enter `user.groups`.
.. Click **Save**.
. Back on the **Attributes & Claims** page, click **Unique User Identifier (Name ID)** under **Required claim**:
.. On the **Manage claim** page, under **Source attribute**, select **user.mail**.
.. Click **Save**.
. In the page breadcrumb, click **SAML-based Sign-on** to return to the previous page.
. Back under **Set up Single Sign-On with SAML**, in the **SAML Signing Certificate** box, ensure that your certificate is active.

## Prepare to configure Coveo

In the previous section, you configured Microsoft Entra ID so that it passes the right information about user authentication to Coveo. You must now configure Coveo to enable federation between Coveo and Microsoft Entra ID. To do so, you'll assign your Microsoft Entra ID users to the application you created, and then retrieve data to later import into Coveo.

### Assign application to users

[Assign your application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal) to the users you want to allow to log in to Coveo using Microsoft Entra SSO, including yourself. Ensure that, in their profile, all users have their email address under **Contact info**. They'll use this address to log in to Coveo.

### Retrieve data to import

On your [enterprise application](#configure-your-microsoft-entra-portal) **Set up Single Sign-On with SAML** page, the **Set up Coveo** box shows the URLs required to configure Coveo.
The **Login URL** is your single sign-on URL, while the **Microsoft Entra Identifier** is your identity provider issuer URI. Similarly, the **SAML Certificates** box lets you download the required Base64 certificate.

## Configure Coveo

Once you've configured your identity provider to provide Coveo with user authentication data, you must configure Coveo to trust your identity provider and rely on it for user authentication.

. With the [data required to fill the Coveo configuration form](#prepare-to-configure-coveo) in hand, access the **Settings** page:
.. [Log in to Coveo](https://platform.cloud.coveo.com/login) ([platform-ca](https://platform-ca.cloud.coveo.com/login) | [platform-eu](https://platform-eu.cloud.coveo.com/login) | [platform-au](https://platform-au.cloud.coveo.com/login)) as a [member](https://docs.coveo.com/en/2869/) of a [group](https://docs.coveo.com/en/2867/) with the [required privileges](https://docs.coveo.com/en/1562#required-privileges) to manage settings in the target [Coveo organization](https://docs.coveo.com/en/185/).
.. On the **Settings** page, select the **Organization** tab, and then select the **Single Sign-On** subtab.
. In the **Single Sign-On** subtab, in the **Identity provider name** box, enter the identity provider name as you want it to appear on your Coveo organization [login page](https://docs.coveo.com/en/1697/).
. In the **Single sign-on URL** box, enter the URL where Coveo must send an authentication request. In Microsoft Entra, you can [find it under **Login URL**](#retrieve-data-to-import).
. In the **Identity provider issuer URI** box, enter the identity provider issuer unique URI. In Microsoft Entra, you can [find it under **Microsoft Entra Identifier**](#retrieve-data-to-import).
. Using one of the following methods, provide Coveo with the identity provider's Base64 public certificate, which Coveo uses to validate the identity provider signature:
* Paste the certificate in the **Enter your public certificate** box.
* If you saved the certificate on your computer, click **Choose File** to browse your files and upload the certificate.
. Click **Add**.

> **Note**
>
> If you encounter a **SAML Authentication Error** while logging in to the hosted search page, it's typically because the SSO configuration wasn't updated before the scheduled rotation of the certificate. To resolve this issue, the Coveo administrator can update the certificate on the [**Settings**](https://docs.coveo.com/en/1562/) page of the [Coveo Administration Console](https://docs.coveo.com/en/183/).
>
> To avoid this error, a Coveo administrator can add a [notification](https://docs.coveo.com/en/1583#add-or-edit-an-organization-notification) as a reminder to update the certificate before the rotation date.

## Encrypt Microsoft Entra ID assertions

> **Note**
>
> A Microsoft Entra Premium subscription is required to encrypt assertions.

[Assertion encryption](https://docs.coveo.com/en/1979#assertion-encryption) is optional. To encrypt Microsoft Entra ID assertions, you must retrieve the Coveo public certificate and import it into your Microsoft Entra ID configuration. You must also ensure that at least the response is signed.

. In the enterprise application where you [configured SSO](#configure-your-microsoft-entra-portal), click **Token encryption** in the navigation menu.
. On the **Token encryption** page, click **Import Certificate**.
. Click [dots] next to your certificate, and then click **Activate token encryption**.
. Click **Yes** to confirm.
. In the navigation menu, click **Single sign-on**.
. On the **Set up Single Sign-On with SAML** page, click **Edit** in the **SAML Signing Certificate** box.
. Under **Signing Option**, select either **Sign SAML response** or **Sign SAML response and assertion**.
. Click **Save** and close the blade.

## Test your configuration

. [Add your email address as an organization member](https://docs.coveo.com/en/1821/).
In the **Add a Member** dialog, under **Provider**, make sure to select **Single sign-on**.
. [Log out of the Coveo Administration Console](https://docs.coveo.com/en/1841#user-menu), and then [log back in using the SSO option and your identity provider account](https://docs.coveo.com/en/1697#logging-in-with-sso). By doing so, you ensure that Coveo and your identity provider work together properly.

> **Important**
>
> We strongly recommend that you don't delete the account with which you first logged in to the Administration Console and implemented SAML SSO.
> This original account is a "backdoor" that prevents you from being locked out if the SAML SSO doesn't work as expected.
> At any time, you can log in with your original, non-SSO identity provider, and then edit the Coveo configuration.
> For details on how accounts belonging to the same individual are separated, see [Multiple Accounts](https://docs.coveo.com/en/1697#multiple-accounts).
>
> Alternatively, if you must delete your original account, you can also create another non-SSO administrator account with the [required privileges](https://docs.coveo.com/en/1562#required-privileges) beforehand.
> [Logging in via email](https://docs.coveo.com/en/1697#logging-in-with-email) is also an alternative.

## Invite SSO users or user groups

Once you've verified that your SSO configuration works, [invite SSO users to join your Coveo organization](https://docs.coveo.com/en/1821/).

> **Important**
>
> Once you set up SSO for your organization, users accessing a hosted search page of this organization are automatically redirected to the [SSO login page](https://docs.coveo.com/en/1697/). Therefore, after configuring your SSO, promptly invite your users as SSO users of this organization. Otherwise, users will enter their identity provider credentials, but access to the hosted search page won't be allowed, since there will be no Coveo SSO user corresponding to the provided credentials.
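Once the log-out/log-in round trip above succeeds, it's worth confirming that what Microsoft Entra ID actually sends matches what was configured on this page: the reply URL as `Destination` and `Recipient`, the Coveo entity ID as `Audience`, the **Microsoft Entra Identifier** as `Issuer`, the `user.email` and `user.groups` claims, an email-shaped Name ID, and a signature on the response itself when token encryption is active. The following Python script is an added example, not Coveo's or Microsoft's code. It uses only the standard library, checks that a `ds:Signature` element is present rather than verifying it cryptographically (Coveo does that with the certificate you uploaded), and the embedded response, user and tenant identifier are constructed sample values; the audience and reply URL are the regular (non-HIPAA) values from this page.

```python
"""Added example (not Coveo's or Microsoft's code): check a SAML response
against the values this page has you configure in Entra and Coveo."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected_issuer, expected_audience, expected_acs, now):
    """Return a list of findings; an empty list means the response matches the page's configuration.
    Only the presence of ds:Signature is checked; Coveo verifies it with the Base64 certificate you uploaded."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} is not the reply URL {expected_acs!r}")
    response_signed = root.find("ds:Signature", NS) is not None
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Token encryption is active: claims are unreadable without Coveo's private key,
        # and the page requires the response itself to be signed in that mode.
        return findings + ([] if response_signed else ["assertion is encrypted but the response is not signed"])
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no assertion in response"]
    if not response_signed and assertion.find("ds:Signature", NS) is None:
        findings.append("neither the response nor the assertion is signed")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} is not the Microsoft Entra Identifier {expected_issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (Conditions NotBefore)")
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            findings.append(f"Audience {audiences} does not include the Coveo entity ID {expected_audience!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("assertion has no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs:
            findings.append(f"Recipient {scd.get('Recipient')!r} is not the reply URL {expected_acs!r}")
        if scd.get("NotOnOrAfter") and now >= saml_time(scd.get("NotOnOrAfter")):
            findings.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        findings.append(f"NameID {name_id!r} is not an email address; the Name ID source should be user.mail")
    claims = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("user.email", "user.groups"):
        if required not in claims:
            findings.append(f"claim {required!r} is missing; check Attributes & Claims in Entra")
    return findings


# Constructed sample values, not a real tenant. The Entra identifier has the form
# https://sts.windows.net/<tenant-id>/; audience and reply URL are the regular (non-HIPAA) values.
EXPECTED = {
    "expected_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "expected_audience": "https://platform.cloud.coveo.com/saml/metadata",
    "expected_acs": "https://platform.cloud.coveo.com/saml/SSO",
}
SAMPLE_NOW = saml_time("2024-05-01T12:00:00Z")
# Constructed response; the ds:Signature element stands in for the real XML-DSig block.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://platform.cloud.coveo.com/saml/SSO">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://platform.cloud.coveo.com/saml/SSO"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://platform.cloud.coveo.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="user.email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="user.groups"><saml:AttributeValue>coveo-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for line in check_saml_response(SAMPLE_RESPONSE, now=SAMPLE_NOW, **EXPECTED) or ["OK: response matches the configuration"]:
        print(line)
```

To run it against a real login, capture the `SAMLResponse` form field posted to the reply URL (browser developer tools or a SAML tracer extension), Base64-decode it, and pass the XML to `check_saml_response` with your own Entra identifier and the HIPAA or regional URLs if those apply. A non-empty list points at the Entra setting (Basic SAML Configuration, Attributes & Claims, Name ID, Signing Option) that does not match what Coveo expects.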
## Configure SSO in another organization

If you have multiple Coveo organizations, such as a production organization and a [sandbox organization](https://docs.coveo.com/en/2959/), you must use the same SSO settings for all organizations. Users will then use the same SSO credentials to log in, regardless of the organization they're accessing. Follow these steps to configure SSO in additional organizations:

. Ensure that the user identity you'll use to configure SSO:
--
** Is a [member](https://docs.coveo.com/en/2869/) of all [organizations](https://docs.coveo.com/en/185/) where the SSO configuration will be used, including the original organization where SSO is already configured. If it's not already a member, this user identity must be [invited](https://docs.coveo.com/en/1821#add-members) to the organizations and [accept the invitations](https://docs.coveo.com/en/1697#after-login).
** Has the [privilege](https://docs.coveo.com/en/228/) to edit SSO settings (**Edit** on the [**Single sign-on identity provider** domain](https://docs.coveo.com/en/1707#single-sign-on-identity-provider-domain)) in each of these organizations.
--
. Using this identity, log in to the organization where you want to configure SSO.
. In the [**Single Sign-On**](https://platform.cloud.coveo.com/admin/#/orgid/settings/organization/sso) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/settings/organization/sso) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/settings/organization/sso) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/settings/organization/sso)) tab of the **Settings** page, delete any existing SSO configuration. Save your change. This will also permanently delete the associated SSO members from your Coveo organization.
. Copy the SSO settings from the first organization to the other. The SSO settings provided to Coveo must be identical across all organizations, including the identity provider name.
> **Tip**
>
> Open the organization where SSO was originally configured in a private browser window.
> This will let you copy and paste from one organization to the other without logging in and out to switch between them.

. Follow the remainder of the deployment process above, starting at the assertion encryption step, for each organization where you copied the SSO settings.
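The certificate you pasted into Coveo is the same in every organization that shares these settings, so a scheduled rotation in Entra will trigger the **SAML Authentication Error** described earlier in all of them at once unless each is updated first. A reminder notification is the page's recommended safeguard; as an added example (not Coveo's or Microsoft's code), the following Python script complements it by reading the validity dates out of the Base64 certificate downloaded from the **SAML Certificates** box, so the number of days left can be checked or monitored. It uses only the standard library: a minimal DER walker reaches the `validity` field of an X.509 certificate without any third-party parser. The `sample_certificate` helper builds a constructed certificate skeleton for the demonstration (correct structure, no key, no real signature); on a real Entra certificate only `certificate_validity` and `days_until_expiry` are needed.

```python
"""Added example (not Coveo's or Microsoft's code): read the validity dates out of
the Base64 signing certificate downloaded from Entra, so the rotation can be
tracked before Coveo starts rejecting logins with a SAML Authentication Error."""
import base64
from datetime import datetime, timezone


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem_or_base64):
    """Return (not_before, not_after) for an X.509 certificate given as PEM or bare Base64."""
    body = "".join(line for line in pem_or_base64.splitlines() if not line.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                      # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                  # serialNumber follows the version
    _, _, pos = _tlv(tbs, pos)                      # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                      # issuer Name
    _, validity, _ = _tlv(tbs, pos)                 # validity ::= SEQUENCE { notBefore, notAfter }
    tag1, before, pos = _tlv(validity, 0)
    tag2, after, _ = _tlv(validity, pos)
    return _asn1_time(tag1, before), _asn1_time(tag2, after)


def utc_date(text):
    """Turn 'YYYY-MM-DD' into an aware UTC datetime (handy for the 'now' argument)."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def days_until_expiry(pem_or_base64, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    _, not_after = certificate_validity(pem_or_base64)
    return (not_after - (now or datetime.now(timezone.utc))).days


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate(not_before, not_after):
    """Constructed certificate skeleton (not a real certificate): it carries the fields the
    parser walks (UTCTime validity), an empty issuer, no key and no real signature."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                                    # version v3
                     + _der(0x02, b"\x01")                                               # serialNumber 1
                     + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
                     + _der(0x30, b"")                                                   # issuer (empty Name)
                     + validity)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = sample_certificate("240501120000Z", "270501120000Z")
    print("notBefore / notAfter:", *certificate_validity(pem))
    print("days until expiry:", days_until_expiry(pem, utc_date("2027-04-01")))
```

Feed `certificate_validity` the contents of the **Certificate (Base64)** file from Entra, or the text currently pasted in the Coveo **Single Sign-On** settings, and alert when `days_until_expiry` drops below the lead time your team needs to update every organization; comparing the `notAfter` of the certificate in Entra with the one in each Coveo organization also shows which organizations still hold the previous certificate after a rotation.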