Configure Azure for Coveo SSO

Azure is a set of cloud services provided by Microsoft. You can use it to build single sign-on (SSO) applications, among other things.

An Azure AD Premium subscription is required to build an SSO application for Coveo. The application creation feature used in the procedure below isn’t a feature of the basic Azure AD subscription.

As a Coveo administrator, you can implement Security Assertion Markup Language (SAML) 2.0 SSO when your company uses Azure Active Directory (AD). Users can then log in to Coveo without having to provide their authentication credentials since their identity has previously been validated when logging in to their Azure session.

To allow users to log in via SAML SSO, Coveo must be able to trust and rely on Azure to authenticate users wanting to log in. To establish this trust relationship, you must configure Azure and Coveo so that both parties can exchange authentication information.

Configure Your Azure Portal

Both Azure and Coveo must be configured to work together and provide a SAML SSO service to your Coveo users. First configure Azure so that it can provide Coveo with user authentication data.

  1. Log in to your Microsoft Azure Portal.

  2. In the navigation panel on the left, click Azure Active Directory.

  3. In the blade that appears, in the navigation bar on the left, under Manage, click Enterprise applications.

  4. Click New application.

  5. In the Add an application blade, click Non-gallery application.

  6. In the Add your own application blade, in the Name box, enter a display name for your application, and then click Add.

  7. In the blade that appears, click Configure single sign-on.

  8. In the Single sign-on blade:

    1. In the Single Sign-on Mode drop-down menu, select SAML-based Sign-on.

    2. Under the application display name for the Domain and URLs, in the Identifier box, enter one of the following:

      • For a regular (non-HIPAA) organization or an organization with data residency outside the US: https://platform.cloud.coveo.com/saml/metadata.

      • For a HIPAA organization: https://platformhipaa.cloud.coveo.com/saml/metadata.

    3. In the Reply URL box, enter one of the following:

      • For a regular (non-HIPAA) organization: https://platform.cloud.coveo.com/saml/SSO.

      • For a HIPAA organization: https://platformhipaa.cloud.coveo.com/saml/SSO.

      • For an organization with data residency outside the US: https://platform-<REGION_ABBREVIATION>.cloud.coveo.com/saml/SSO.

    4. Select the Show advanced URL settings check box, and then, in the Sign on URL box, enter one of the following:

      • For a regular (non-HIPAA) organization: https://platform.cloud.coveo.com/login.

      • For a HIPAA organization: https://platformhipaa.cloud.coveo.com/login.

      • For an organization with data residency outside the US: https://platform-<REGION_ABBREVIATION>.cloud.coveo.com/login.

    5. Under User Attributes, select the View and edit all other user attributes check box, and then click Add Attribute.

    6. In the Add Attribute blade, fill the boxes using the following values, and then click OK.

      • Name: user.email

      • Value: user.mail

      • Namespace: (leave empty)

    7. Back under User Attributes, in the User Identifier drop-down menu, select user.mail.

    8. Under SAML Signing Certificate, select the Make new certificate active check box.

    9. At the top of the blade, click Save.

Prepare to Configure Coveo

Once you have configured your Azure Portal so that it passes the right information about user authentication to Coveo, you must configure Coveo to enable federation between Coveo and your Azure Portal. To do so, you need to assign your Azure Active Directory users to the application you created, and retrieve data to later import into Coveo.

Retrieve Data to Import

  1. On the Enterprise applications Azure Portal page, click the application you just created.

  2. In the blade that appears, under Manage, click Single sign-on.

  3. In the [Application display name] - Single sign-on blade, under [Application display name] Configuration, click Configure [Application display name].

    This opens a Configure sign-on blade, which displays the data required to configure Coveo.

Configure Coveo

Once you have configured your identity provider to provide Coveo with user authentication data, you must configure Coveo to trust your identity provider and rely on it for user authentication.

  1. With the data required to fill the Coveo configuration form in hand, access the Settings panel:

    1. Log in to the Coveo Administration Console as a member of a group with the required privileges to manage settings in the target Coveo organization, if not already done.

    2. In the Settings page, select the Organization tab, and then, on the left side of the pane, click Single Sign-On.

  2. In the Single Sign-On tab, in the Identity provider name box, enter the identity provider name as you want it to appear on your Coveo organization login page.

  3. In the Single sign-on URL box, enter the URL where Coveo must send an authentication request. The SSO URL is also called assertion consumer service (ACS).

  4. In the Identity provider issuer URL box, enter the identity provider issuer unique URL. The identity provider issuer URL is also called entity ID or federation service identifier.

  5. Using one of the following methods, provide Coveo with the identity provider public certificate to validate the identity provider signature:

    • Paste the X.509 public certificate in the Public certificate box.

    • If you saved the public certificate on your computer, click Choose File to browse your files and upload the certificate.

    The certificate must be Base64-encoded and may contain the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

  6. Click Add.

If you encounter a SAML Authentication Error while logging in to the hosted search page, it’s typically because the SSO configuration has not been updated prior to the scheduled rotation of the certificate. To resolve this issue, the Coveo administrator can update the certificate in the Settings panel of the Coveo Administration Console.

To avoid this error, a Coveo administrator can add a notification as a reminder to update the certificate prior to the rotation date.
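To know when that reminder should fire, the certificate's expiry date can be read from the same Base64 text that is pasted into the Public certificate box, with or without the BEGIN/END tags. The following is an added example, not Coveo or Microsoft code; the function names are hypothetical and the sample is a constructed skeleton that only has the layout of a certificate.

```python
import base64
import re
from datetime import datetime, timezone

def pem_to_der(text: str) -> bytes:
    """Accept the certificate with or without the BEGIN/END tags."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)         # validity SEQUENCE
    _, _, pos = read_tlv(der, pos)         # skip notBefore
    tag, start, end = read_tlv(der, pos)   # notAfter: UTCTime or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    stamp = datetime.strptime(der[start:end].decode("ascii"), fmt)
    return stamp.replace(tzinfo=timezone.utc)

def days_until_rotation(cert_text: str, now: datetime) -> int:
    """Whole days left before the certificate expires."""
    return (not_after(pem_to_der(cert_text)) - now).days

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form lengths only

# Constructed skeleton (no real key or signature), expiring 2027-01-01.
_validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"270101000000Z"))
_tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
            + _tlv(0x30, b"") + _tlv(0x30, b"") + _validity)
SAMPLE_CERT_B64 = base64.b64encode(_tlv(0x30, _tbs)).decode()
```
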

Test Your Configuration

  1. Add your email address as an organization member. In the Add a Member dialog, under Provider, make sure to select Single sign-on.

  2. Log out of the Coveo Administration Console, and then log back in using the SSO option and your identity provider account. By doing so, you ensure Coveo and your identity provider work together smoothly.

    We strongly recommend that you don’t delete the account with which you first logged in to the Administration Console and implemented SAML SSO. This original account is a "backdoor" that prevents you from being locked out if the SAML SSO doesn’t work as expected. At any time, you can log in with your original, non-SSO identity provider, and then edit the Coveo configuration.

    Alternatively, if you must delete your original account, you can also create another non-SSO administrator account with the required privileges beforehand.
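If the test login fails, comparing a SAMLResponse captured from your own browser session with the values entered in the Azure Single sign-on blade narrows down which setting is off. The following is an added example, not Coveo or Microsoft code; it assumes a regular (non-HIPAA) organization, the function names are hypothetical, and the sample response is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the Azure steps for a regular (non-HIPAA) organization.
AUDIENCE = "https://platform.cloud.coveo.com/saml/metadata"
REPLY_URL = "https://platform.cloud.coveo.com/saml/SSO"

def check_response(saml_response_b64: str) -> list:
    """List mismatches between a captured SAMLResponse and the Azure settings.
    Diagnostic only: it does not verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != REPLY_URL:
        problems.append("Destination is not the Reply URL")
    if root.findtext(".//a:Audience", namespaces=NS) != AUDIENCE:
        problems.append("Audience is not the Identifier")
    name_id = root.findtext(".//a:Subject/a:NameID", namespaces=NS)
    emails = [v.text for v in root.findall(
        ".//a:Attribute[@Name='user.email']/a:AttributeValue", NS)]
    if not emails:
        problems.append("no attribute named user.email (check Name and Namespace)")
    elif name_id not in emails:
        problems.append("NameID differs from user.email (User Identifier)")
    return problems

def constructed_response(attr_name="user.email", name_id="jdoe@example.com"):
    """Build a constructed, unsigned sample response (not captured from Azure)."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{REPLY_URL}">
  <a:Assertion>
    <a:Subject><a:NameID>{name_id}</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>{AUDIENCE}</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement><a:Attribute Name="{attr_name}">
      <a:AttributeValue>jdoe@example.com</a:AttributeValue>
    </a:Attribute></a:AttributeStatement>
  </a:Assertion>
</p:Response>"""
    return base64.b64encode(xml.encode()).decode()
```
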

Invite SSO Users or User Groups

Once you have verified that your SSO configuration works, invite SSO users to join your Coveo organization.

Once you set up SSO for your organization, users accessing a hosted search page of this organization are automatically redirected to the SSO login page. Therefore, after configuring your SSO, promptly invite your users as SSO users of this organization. Otherwise, users will enter their identity provider credentials, but access to the hosted search page won’t be allowed since there will be no Coveo SSO user corresponding to the provided credentials.
