
Configuring the Claims-Aware Coveo Search Application

This topic describes how to set up a Coveo search application to give Coveo end-users a seamless experience when searching for secured content indexed from Claims-Enabled SharePoint web applications. A Claims-aware Coveo search application lets Claims-authenticated users see search results matching their Claims without having to log in to the Coveo .NET search interface outside of SharePoint.

Note: A better SSO solution that works with or without ADFS is now available (see Manually Configuring a .NET Search Interface Claims SSO for an On-Premises SharePoint).

Requirements:

Limitation:

  • Claims-Based SharePoint web applications using Windows authentication (NTLM or Kerberos) will still require users to enter their Windows credentials in the Coveo Search prior to the initial search.

The procedure consists of the following steps:

Step 1: Enabling Claims Authentication on the Coveo Search Site

Enabling Claims authentication on a search site consists mainly of modifying the web.config file of the search website with the FedUtil.exe tool that ships with the Windows Identity Foundation (WIF) SDK.

  1. Using an administrator account, log in to the Coveo Front-End server.

  2. In IIS, add an HTTPS binding to the Coveo .NET Front-End website.

  3. Download and install the WIF SDK for Microsoft .NET Framework 3.5 (see Windows Identity Foundation SDK).

    Note: WIF is included in Microsoft .NET Framework 4.5, but currently, Coveo assemblies rely on the Microsoft .NET Framework 3.5.

  4. Start FedUtil.exe, which is typically located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\.

    Note: For details on the FedUtil.exe tool, refer to the Microsoft documentation (see Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil).

    1. In the first screen, specify the path to the web.config file (by default: C:\Program Files\Coveo .NET Front-End 12\Web\) and the URL of the search page with a trailing slash (ex.: https://machinename/).

    2. In the second screen:

      1. Select the Use an existing STS option and then specify the URL of the federation metadata document (ex.: https://adfs01.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml).

      2. Click Test location to validate the URL.

    3. In the third screen, select the option that corresponds to whether certificate chain validation should be enabled or not.

    4. In the next screen, select the option that corresponds to whether security tokens should be encrypted or not.

    5. In the next screen (claim list), click Next.

    6. In the final screen, click Finish.

    Note: The file needed to configure the trust relationship in ADFS is: [coveo_web_site_folder]\FederationMetadata\2007-06\FederationMetadata.xml

  5. In Internet Information Services (IIS) Manager:

    1. Ensure that Windows Authentication is enabled on the search site: click the site in the tree view on the left, and then go to IIS > Authentication.

      You may need to disable all the other authentication methods for Claims authentication to work.

    2. For Claims authentication to work, the application pool pipeline mode must be Integrated (not Classic). Ensure that the website uses an application pool that is configured accordingly: either modify the application pool (if only the Coveo search site uses it) or create a new application pool and assign it to the website:

      1. Click the site in the tree view to the left > Basic Settings.

      2. Click Application Pools near the top of the tree view on the left, click the application pool in the list, and then click Basic Settings.

    3. Important: In IIS, the searchAdmin site under Coveo .NET Front-End 12 corresponds to the .NET search interface and by default shares the CESAppPool Front-End application pool with the Coveo .NET Front-End 12 site (the search page). The application pool pipeline mode must remain Classic for the searchAdmin site (the .NET search interface) to work; otherwise, a user gets the following message when trying to access the .NET search interface:

      Server Error in Application "COVEO .NET FRONT-END 12/SEARCHADMIN"
      HTTP Error 500.24 - Internal Server Error
      An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

      The solution is to create another application pool, assign it to the searchAdmin site, and ensure the application pool pipeline mode is set to Classic.

  6. Using a text editor:

    1. Open the web.config file.

    2. Under <microsoft.identityModel>, locate the <service> tag.

    3. Add the "saveBootstrapTokens" attribute as follows:

      <microsoft.identityModel>
      	<service saveBootstrapTokens="true">

Step 2: Creating the Coveo Relying Party Trust

  1. Log on to the ADFS server that SharePoint uses as an Identity Provider, hereafter called the Identity Provider ADFS server.

  2. Launch the AD FS 2.0 Management Console.

  3. Select AD FS 2.0 > Trust Relationships.

  4. Right-click Relying Party Trusts and then select Add Relying Party Trust.

  5. In the new window, select the Import data about the relying party from a file option.

  6. Select the FederationMetadata.xml file that was previously obtained in Step 1, and then click Next.

  7. Enter a Display Name such as Coveo Claims-Aware Search Site, and then click Next.

  8. Select Permit all users to access this relying party, and then click Next.

  9. Validate settings on the final page and then click Next to create the new Relying Party Trust.

Step 3: Editing Claims Rules for the Coveo Relying Party Trust

  1. Select AD FS 2.0 > Trust Relationships.

  2. Right-click the Coveo Relying Party Trust and then select Edit Claim Rules.

  3. Under Issuance Transform Rules:

    1. Create a new Pass Through or Filter Incoming Claims rule.

      1. Name = Pass through Windows Account

      2. Incoming Claim Type = Windows Account Name

      3. Pass through all claims values = true

    2. Click Finish.

  4. Under Issuance Authorization Rules, ensure that a Permit Access to All Users rule exists; if not, create one.

Step 4: Editing Claims Rules for the SharePoint Relying Party Trust

  1. Select AD FS 2.0 > Trust Relationships.

  2. Right-click the SharePoint Relying Party Trust, and then select Edit Claim Rules.

  3. Under Issuance Authorization Rules, ensure that a Permit Access to All Users rule exists; if not, create one.

  4. Under Delegation Authorization Rules, add a new Permit Access to All Users rule, or choose to permit only a specific user.

  5. Under Issuance Transform Rules, for each existing rule of the Relying Party Trust and the Claims Provider Trust:

    1. Click Edit Rule > View Rule Language.

    2. If the rule language does not contain a check for Issuer == "AD AUTHORITY", skip to the next existing rule, otherwise keep going.

    3. Copy the rule language.

    4. Close the Edit window for the current Rule.

    5. Create the new Relying Party Trust rule using the copied rule language:

      1. Click Add Rule > Send Claims Using a Custom Rule.

      2. Paste the rule language and replace AD AUTHORITY with SELF AUTHORITY.
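The duplication in step 5 exists because, on a delegated request, the incoming claims are issued by AD FS itself ("SELF AUTHORITY") rather than by Active Directory ("AD AUTHORITY"), so rules gated on the AD issuer never fire for Coveo. The following added example (not Coveo's or Microsoft's code) applies that transformation to a whole rule set in the AD FS claim rule language: it keeps every rule, appends a SELF AUTHORITY twin of each rule that checks Issuer == "AD AUTHORITY", and leaves rules without that check (such as the pass-through rule from Step 3) alone. The sample rule set and the "(delegated)" name suffix are constructed for the example.

```python
import re

# Constructed sample rule set (not from the page): one LDAP-lookup rule gated on
# the Active Directory issuer and one pass-through rule without an issuer check.
SAMPLE_RULES = '''@RuleTemplate = "LdapClaims"
@RuleName = "Send E-mail and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows Account"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'''

# A rule ends with the first ';' that closes a line. Semicolons inside quoted
# LDAP queries (";mail,...") are followed by text, so they do not end a rule.
RULE_RE = re.compile(r"(?s)\S.*?;(?=[ \t]*(?:\r?\n|$))")
AD_ISSUER_RE = re.compile(r'Issuer\s*==\s*"AD AUTHORITY"')
NAME_RE = re.compile(r'^(@RuleName\s*=\s*")([^"]*)(")', re.M)


def split_rules(rule_set):
    """Split an AD FS rule-set string into the text of each individual rule."""
    return RULE_RE.findall(rule_set)


def delegated_copy(rule):
    """Return the SELF AUTHORITY twin of a rule gated on AD AUTHORITY."""
    twin = AD_ISSUER_RE.sub('Issuer == "SELF AUTHORITY"', rule)
    # Rename the copy so it is distinguishable in the AD FS console (hypothetical suffix).
    return NAME_RE.sub(lambda m: m.group(1) + m.group(2) + " (delegated)" + m.group(3), twin, count=1)


def add_delegation_rules(rule_set):
    """Keep every existing rule and append a SELF AUTHORITY copy of each rule
    that checks Issuer == "AD AUTHORITY". Rules without that check get no copy.
    Returns (new_rule_set, copies_added); re-running on the output adds nothing."""
    rules = split_rules(rule_set)
    existing = set(rules)
    copies = [delegated_copy(r) for r in rules if AD_ISSUER_RE.search(r)]
    copies = [c for c in copies if c not in existing]
    return "\n\n".join(rules + copies) + "\n", len(copies)


if __name__ == "__main__":
    merged, added = add_delegation_rules(SAMPLE_RULES)
    print(f"added {added} delegated rule(s)\n")
    print(merged)
```

The resulting rule set is what you would paste, rule by rule, through Add Rule > Send Claims Using a Custom Rule; review each generated rule before applying it.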

Step 5: Configuring the Coveo Service Account for ADFS Identity Delegation

  1. Log on to the Coveo Back-End server.

  2. Open the Coveo Administration Tool (see Opening the Administration Tool).

  3. Select Configuration > Security > Security Providers, and then click the Claims for SharePoint On-premises security provider that is used to authenticate to ADFS.

  4. In the User Identity box, add the identity of any Windows account that can be used to authenticate to ADFS.

    Note: This account does not require any special permissions on the ADFS server; it is only used to connect to ADFS when performing delegated authentication.

Step 6: Performing the First-Time Setup on the Coveo Search Site

Point your browser to the Coveo search site. If the site has been properly configured for Claims, the browser should now be redirected automatically to the ADFS authentication site, then back to the search site, and then to the first-time setup page.

In the first-time setup page (see Coveo .NET Front-End First Time Setup), ensure that you fill in the options in the Claims section correctly by selecting the claim type that contains the Windows identity (ex.: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname). Upon completion, the Claims options are saved in the web.config file.

Back on the search page, execute a query. In an interface showing results from a Claims-authenticated source such as SharePoint, results should now appear. Likewise, queries in the All Content interface should now include results from the Claims-authenticated source.
