
Configuring a .NET Search Interface Claims SSO

Coveo .NET Front-End 12.0.1548+ (June 2016)

A Coveo .NET Front-End search page that resides outside SharePoint must authenticate the SharePoint end-user performing the query to return SharePoint search results for which the end-user has read access in SharePoint. No SharePoint results are returned for unauthenticated users.

The SharePoint integration of the Coveo .NET Front-End now includes the Coveo Front-End SSO Configuration page allowing you to easily configure a Claims single sign-on (SSO) between one or more SharePoint WFEs and one or more Coveo .NET Front-End search pages hosted outside SharePoint.

The Coveo Front-End SSO Configuration page generates a Claims configuration string for a given SharePoint WFE, which you can copy and paste when configuring other SharePoint WFEs and your externally hosted Coveo .NET Front-End search pages.

Two methods are supported to retrieve claims from SharePoint:

  • Via browser redirections

    Note: Limited to one SharePoint server.

  • Via web requests Coveo .NET Front-End 12.0.1633+ (September 2016)

    Note: The web request method has three main advantages over the method with browser redirections:

    • No more blinking during the browser authentication redirection loop.

    • Works well even if the search page is opened with the "localhost" hostname.

    • Since the claims are stored in the ASP.NET session (on the web server) instead of in browser cookies (sent with every browser web request), less network bandwidth is used, which improves overall performance.

To configure a .NET Search Interface Claims SSO

  1. Ensure that Coveo .NET Front-End 12.0.1548+ (June 2016) is installed on your SharePoint server (see Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint and Identifying the Coveo .NET Front-End Version).

    Note: For previous Coveo .NET Front-End releases, you can use the manual method (see Manually Configuring a .NET Search Interface Claims SSO for an On-Premises SharePoint).

    1. Coveo .NET Front-End 12.0.1633+ (September 2016) When claims are retrieved via web requests from the Coveo .NET Front-End server, enable ASP.NET sessions on the Coveo .NET Front-End server both in IIS Manager and in the web configuration file:

      Note: If ASP.NET sessions are not enabled, an error message will be shown to administrators in the search page.

      1. With an administrator account, log into the Coveo .NET Front-End server.

      2. Open IIS Manager (see How to: Open IIS Manager).

      3. In IIS Manager:

        1. In the left section, under Connections, select the search site.

        2. In the middle section, double-click the Session State icon.

        3. In the Session State window:

          1. If the search page is accessed via an NLB address, select the State Server or SQL Server radio button, and then configure the IIS session state accordingly (see Session State).

            Notes:

            • The goal is to have all the load-balanced Coveo Front-End servers share all session states.

            • It is also valid to select the State Server or SQL Server radio button even without an NLB.

            • If you have multiple Coveo Front-End servers in NLB, the session states must be enabled on each of the servers.

          2. Under Cookie Settings, change the Time-out (in minutes) parameter value to at least 540 (minutes).

            Note: It is recommended to set the ASP.NET session timeout value to at least 9 hours, so that each user avoids experiencing the claims SSO authentication delay (typically a few seconds) more than once per work day.

        4. In the right section, click Apply.

      4. In a text editor, open the Coveo .NET Front-End web configuration file (by default, C:\Program Files\Coveo .NET Front-End 12\Web\web.config).

      5. Set the enableSessionState attribute on the pages line to true.

        Example: <pages enableSessionState="true" enableViewState="true" . . .>

  2. Using a browser, go to the following URL on your SharePoint WFE server (or the first SharePoint WFE server in your farm) for which you want to configure Claims SSO:

    https://SharePointFrontEndServer/_layouts/CES/ClaimsIdentityProviderSetup.aspx

    where you replace SharePointFrontEndServer with the hostname of your SharePoint server.

  3. If an authentication dialog box appears, enter the credentials of a valid Windows identity to gain access to the page.

  4. In the Coveo Front-end SSO Configuration page: 

    1. Under Server Administration Settings, in the Username and Password boxes, enter the credentials of a local administrator account on your SharePoint WFE server, and then click Login.

      Note: The local administrator account used only needs to have write permissions on the local drive to allow saving the configuration performed in this page. The account does not have to be a SharePoint Farm Administrator or have other SharePoint permissions.

      The Claims SSO Configuration section appears when your credentials are valid.

    2. The next steps depend on whether you are configuring only one SharePoint WFE (or the first SharePoint WFE server) or any other WFE in your farm:

      • When you configure your unique or first SharePoint WFE server:

        1. Next to Input Method, select Specify the Coveo .NET Front-End search page address and generate a claims SSO configuration.

        2. In the Identity Provider URL(s) box, validate and adjust as needed the hostname of your SharePoint web application(s).

          Notes:

          • When your SharePoint farm contains several SharePoint WFEs that are accessed via an NLB address, the NLB address must be specified.

          • Coveo .NET Front-End 12.0.1633+ (September 2016) You can specify more than one identity provider URL when the Claims retrieval method is via web request from the Coveo .NET Front-End server (see Claims Retrieval Method).

          • Coveo .NET Front-End 12.0.1548– (June 2016) Only one Identity Provider URL can be specified.

          When multiple SharePoint WFEs in the farm are load-balanced, enter the network load-balancer (NLB) address, in the following form:

          http://SharePointFrontEndServer/_layouts/CES/ClaimsIdentityProvider.aspx

          where you replace SharePointFrontEndServer with the server or NLB hostname.

          Notes:

          • When the search page is in a web application different from the default one, you may need to add a path section such as in the following example:

            https://SharePointFrontEndServer/webapp2/_layouts/CES/ClaimsIdentityProvider.aspx

          • Coveo .NET Front-End 12.0.1633+ (September 2016) When configuring the Claims SSO of a search page for more than one SharePoint webapp/farm (with more than one identity provider), the Coveo Front-end SSO Configuration page must be opened and the settings applied on each SharePoint server to receive the SSO configuration.

        3. In the Search Page URL(s) box, enter the URL of one or more Coveo .NET Front-End search pages in which you want authenticated users to be able to see their SharePoint results. Enter each URL on a separate line.

          When multiple Coveo .NET Front-Ends are load balanced, enter the network load-balancer (NLB) address instead. When a unique search page can be reached through more than one URL, enter all its URLs starting with the preferred one.

        4. Coveo .NET Front-End 12.0.1633+ (September 2016) In the Claims Retrieval Method, select:

          • Browser redirection: to make the Coveo .NET Front-End search page redirect the browser to the identity provider page in SharePoint, which then redirects the browser back to the search page with the user's claims. Select this option if your SharePoint instance uses an Okta single sign-on, so that search page users can authenticate using their Okta credentials (see Okta Single Sign-On Provider for SharePoint On-Premises).

          • Web request from Coveo .Net Front-End server: to make the Coveo .NET Front-End web server call the identity provider page in SharePoint directly to retrieve the user's claims.

        5. Click Apply Settings.

        6. The Claims SSO Configuration to Export box fills with a long Claims configuration string. Copy this string to the clipboard; you will paste it in the configuration page of the other SharePoint WFE and Coveo .NET Front-End servers.

      OR

      • When you configure another SharePoint WFE server:

        1. Next to Input Method, select the Import the claims SSO configuration from another SharePoint WFE server radio button.

          Note: CES 7.0.8388– (June 2016) The option name is Import the claims SSO configuration from another SharePoint WFE server in the same farm.

          In the Claims SSO Configuration to Import box, paste the Claims configuration that you generated for the first SharePoint WFE server.

        2. Click Apply Settings.

  5. In your farm, repeat the previous steps for any other SharePoint WFE for which you want to configure the Claims SSO.

  6. For each Coveo .NET Front-End that you listed in the Search Page URL(s) box:

    1. Go to its Front-End Server Configuration page and use the Claims SSO for SharePoint Settings section to paste and import the Claims configuration (see Coveo .NET Front-End First Time Setup).

    2. After applying the settings, validate that the authenticated users can see their SharePoint items in the search results.

  7. Coveo .NET Front-End 12.0.1633+ (September 2016) If you selected Web request from Coveo .Net Front-End server as the Claims retrieval method, open the search page. If you get the following error, you may have to enable Windows authentication delegation from the Coveo .NET Front-End server to the SharePoint WFE server(s) (see Troubleshooting the Calling the Claims Identity Provider Page Error):

    Error calling the claims identity provider page: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
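
The session requirements from step 1 (enableSessionState set to true, a shared session mode when the search page is behind an NLB, and a time-out of at least 540 minutes) can be audited directly in web.config. The following PowerShell check is an added example, not Coveo code; the function name Test-ClaimsSsoSessionConfig and the sample configuration are constructed for illustration.

```powershell
# Added example, not part of the Coveo product. Test-ClaimsSsoSessionConfig is a
# hypothetical helper name; it returns one string per setting that deviates from
# the session requirements in step 1.
function Test-ClaimsSsoSessionConfig {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [switch] $LoadBalanced,          # search page is reached via an NLB address
        [int] $MinTimeoutMinutes = 540   # 9 hours, the minimum recommended above
    )
    $findings = @()
    $pages   = $Config.SelectSingleNode('/configuration/system.web/pages')
    $session = $Config.SelectSingleNode('/configuration/system.web/sessionState')

    # The procedure sets enableSessionState="true" explicitly on <pages>.
    if ($null -eq $pages -or $pages.GetAttribute('enableSessionState') -ne 'true') {
        $findings += '<pages> does not set enableSessionState="true"'
    }

    # ASP.NET defaults apply when <sessionState> or its attributes are absent.
    $mode = 'InProc'; $timeout = 20
    if ($null -ne $session) {
        if ($session.HasAttribute('mode'))    { $mode = $session.GetAttribute('mode') }
        if ($session.HasAttribute('timeout')) { $timeout = [int]$session.GetAttribute('timeout') }
    }

    if ($mode -eq 'Off') {
        $findings += 'sessionState mode is Off, so claims cannot be stored in the session'
    } elseif ($LoadBalanced -and $mode -notin 'StateServer', 'SQLServer') {
        $findings += "sessionState mode '$mode' is not shared between load-balanced servers"
    }
    if ($timeout -lt $MinTimeoutMinutes) {
        $findings += "session time-out is $timeout min; expected at least $MinTimeoutMinutes"
    }
    return $findings
}

# Constructed sample: a web.config before the steps above are applied (not a real Coveo file).
$sample = @'
<configuration>
  <system.web>
    <sessionState mode="InProc" timeout="20" />
    <pages enableSessionState="false" enableViewState="true" />
  </system.web>
</configuration>
'@
Test-ClaimsSsoSessionConfig -Config $sample -LoadBalanced

# On the Front-End server, audit the real file instead:
# Test-ClaimsSsoSessionConfig -Config (Get-Content -Raw 'C:\Program Files\Coveo .NET Front-End 12\Web\web.config')
```

Run the check on every Coveo Front-End server in the NLB, since session state must be enabled on each of them.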
