Configuring a Sitecore Security Provider
To configure a Sitecore security provider
On the Coveo server, access the Administration Tool (see Opening the Administration Tool).
Select Configuration > Security.
In the navigation panel on the left, click Security Providers.
In the Security Providers page, click Add to create a new security provider.
In the Modify Security Provider page:
Configure the following required parameters:
- Choose a meaningful name to identify the security provider.
- Note: You can configure the security provider to work with the new (Sitecore2) or legacy (Sitecore) connectors. It may be a good idea to indicate which connector is used in the name to prevent confusion.
- Example: Sitecore2 Security Provider
- DLL Path
- Enter the following path: [CES_Installation_Path]\Bin\Coveo.CES.CustomCrawlersSecurityProvider.dll
- Example: C:\Program Files\Coveo Enterprise Search 6\Bin\Coveo.CES.CustomCrawlersSecurityProvider.dll
In the text box, enter the following string:
where [SitecoreWebSite] is the URL of your Sitecore installation.
Example: AssemblyPath="C:\Program Files\Coveo Enterprise Search 6\Bin\Coveo.CES.CustomCrawlers.Sitecore2.dll"; WebServiceUrl="http://MySitecoreWebSite"
Note: The security provider and the source must have matching parameters. When you specify non-default values for normal or hidden source parameters, you must include each of those parameters with the same value for the security provider.
Example: You enter MyDatabase for the Database source parameter. In the security provider Parameters box, you must include Database="MyDatabase" in the string.
Note: When you use the Sitecore Active Directory (AD) module to authenticate users with Microsoft Active Directory, you can add the ADDomains parameter and specify your AD domain to allow the security provider to support both Sitecore and AD security models and map Sitecore users and groups to AD users and groups.
Example:
AssemblyPath="C:\Program Files\Coveo Enterprise Search 6\Bin\Coveo.CES.CustomCrawlers.Sitecore.dll"; WebServiceUrl="http://SitecoreWebSite";ADDomains="myDomainName"
In the Option section, ensure that the Support expand user check box is selected.
Depending on your configuration, you might have to change the impersonation parameters of your website and CES when using the AD security model (see Granting Impersonator Privileges).
Note: Entering the wrong URL for the WebServiceUrl parameter, such as the URL of your Coveo server rather than that of your Sitecore server, can cause repeated unanswered calls to this URL and make this server unresponsive.
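The following added example (not part of the original Coveo documentation) checks a security provider Parameters string against the notes above before it is pasted into the Administration Tool: source overrides must be repeated with the same value, and WebServiceUrl must not resolve to the Coveo server. The function names, the `source_overrides` and `coveo_hosts` inputs, and the host name COVEO01 are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# One Key="Value" pair followed by ';' or end of text, as in the page's examples.
_PAIR = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"\s*(?:;|$)')

def parse_parameters(text):
    """Parse 'Key="Value"; Key="Value"' into a dict; reject malformed or duplicate keys."""
    text, params, pos = text.strip(), {}, 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError(f"malformed parameter text at offset {pos}")
        key, value = m.groups()
        if key in params:
            raise ValueError(f"duplicate parameter {key}")
        params[key], pos = value, m.end()
    return params

def check_provider(param_string, source_overrides, coveo_hosts):
    """Return a list of findings; an empty list means every check passed.

    source_overrides: non-default source parameters, name -> value (assumed input).
    coveo_hosts: host names of the Coveo server itself (assumed input).
    """
    params = parse_parameters(param_string)
    findings = [f"missing {k}" for k in ("AssemblyPath", "WebServiceUrl")
                if not params.get(k)]
    if params.get("WebServiceUrl"):
        url = urlparse(params["WebServiceUrl"])
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            findings.append("WebServiceUrl is not an http(s) URL")
        elif host in {h.lower() for h in coveo_hosts}:
            findings.append("WebServiceUrl points at the Coveo server, not Sitecore")
    for key, value in source_overrides.items():
        if params.get(key) != value:
            findings.append(f"{key} must be {value!r} to match the source, "
                            f"found {params.get(key)!r}")
    return findings

# Constructed sample: the Database override is missing and WebServiceUrl
# targets the Coveo host (COVEO01 is a made-up host name).
SAMPLE = (r'AssemblyPath="C:\Program Files\Coveo Enterprise Search 6\Bin'
          r'\Coveo.CES.CustomCrawlers.Sitecore2.dll"; WebServiceUrl="http://COVEO01"')

if __name__ == "__main__":
    print(check_provider(SAMPLE, {"Database": "MyDatabase"}, ["coveo01"]))
```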
Consider using or revising the following optional parameters:
- User Identity
- When (none) is selected, by default the connector uses the extranet\Anonymous user that has access to the Roles and Users definitions. If you created a Sitecore user identity, select it.
- Authorization Cache Timeout
- The time interval in seconds for the authorization cache update. The default is 3600 seconds (1 hour). Reduce this value when you want to update security information more often. The cost is more frequent calls to the Sitecore server.
- Authentication Cookie Expiration
- The time interval in days for the expiration of the authentication cookie. The default is 1 day.
Ignore the Security Assertion Markup Language (SAML) parameters that are not used for this source type.
In the Option section, revise the following check boxes:
- Do not block exceptions
- Ensure that this check box is cleared unless instructed to select it by a Coveo Support agent. When selected, this option instructs the security provider to transmit errors to CES. In rare cases, this option can provide additional information that may help to diagnose security provider problems.
- Require authorization
- Select this check box only when you use late-binding security, to instruct CES to retrieve document-level permissions at query time from the repository.
- Support access list
- Ensure that this check box is selected to use early-binding security, instructing the connector to add an Access Control List (ACL) to each document when crawling the repository. Early-binding security allows significantly shorter query response time.
- Support expand group
- Ensure that this check box is selected to instruct the connector to expand the Sitecore group into a list of Sitecore users.
- Support expand user
- Select this check box only when you use the Sitecore Active Directory module and want to instruct the connector to convert the list of Sitecore users into a list of Microsoft Active Directory users.
- Note: AD group expansion is limited to the LDAP root folder specified in the domain connectionString entry (part of the Sitecore AD module configuration).
- Example: Search root: LDAP://corp.domain.com/OU=Users,DC=CORP,DC=DOMAIN,DC=COM. Only the users under the organizational unit (OU) Users are considered by CES. If the group Everyone is allowed to see a document, only the users and groups under the OU Users have access to the document.
- Run in 64 bits
- On a 64-bit Coveo server, select this check box to instruct CES to run the security provider in 64-bit mode and therefore take advantage of the 64-bit performance. On a 32-bit server, this option is disabled.
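The search-root limit described in the Support expand user note can be checked ahead of time with a distinguished-name comparison. This added example (an illustration of the scoping rule, not CES or Sitecore code) lists which accounts fall under the connectionString search root; the function names and the sample user DNs are constructed for the example.

```python
def _norm(rdn):
    """Lower-case one RDN and trim spaces around '=' so comparison ignores case."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [_norm(r) for r in rdns]

def search_root_rdns(ldap_url):
    """Extract the root DN from 'LDAP://host/DN' as a list of RDNs."""
    scheme, _, rest = ldap_url.partition("://")
    _host, slash, dn = rest.partition("/")
    if scheme.upper() != "LDAP" or not slash or not dn:
        raise ValueError("expected LDAP://host/DN")
    return split_dn(dn)

def users_in_scope(user_dns, ldap_url):
    """Return the DNs located at or below the search root."""
    root = search_root_rdns(ldap_url)
    return [dn for dn in user_dns if split_dn(dn)[-len(root):] == root]

# Search root from the page's example; the user DNs are constructed samples.
ROOT = "LDAP://corp.domain.com/OU=Users,DC=CORP,DC=DOMAIN,DC=COM"
USERS = [
    "CN=Alice,OU=Users,DC=corp,DC=domain,DC=com",
    r"CN=Smith\, Carol,OU=Sales,OU=Users,DC=CORP,DC=DOMAIN,DC=COM",
    "CN=Bob,OU=Contractors,DC=corp,DC=domain,DC=com",
]

if __name__ == "__main__":
    print(users_in_scope(USERS, ROOT))
```

Accounts that the check leaves out, such as the one under OU=Contractors here, are the ones to review before relying on a document permission granted to Everyone.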
Consider creating and using a mapping file (see Creating and Using a Sitecore Mapping File).