Creating a Claims Security Provider for an On-Premises SharePoint

CES 7.0.5031+ (March 2013)

When indexing content from a SharePoint Web Application using Claims-based authentication, the default in SharePoint 2013, you must create a Claims security provider to allow authenticated users to search for documents secured using Claims permissions. Without such a security provider, no results would be returned.

The role of the Claims security provider is to authenticate users in SharePoint and to retrieve the list of Claims associated to each user. Knowing the Claims of a user, the Coveo index can return the search results this user is entitled to see according to the permissions that were indexed on SharePoint documents.

In order to be authenticated by the Claims security provider, a user must log in to the Coveo search interface using his SharePoint credentials. The Claims security provider can authenticate users in SharePoint using a Windows identity or an identity provided by an Active Directory Federation Services (ADFS) server.

To create a Claims security provider for an on-premises SharePoint

1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

2. In the Administration Tool, select Configuration > Security.

3. In the navigation panel on the left, select Security Providers.

4. In the Security Providers page, click Add.

5. In the Modify Security Provider …:

   

   1. In the Name box, enter a descriptive name of your choice for this security provider instance.

   2. In the Security Provider Type drop down, select Claims for SharePoint On-premises.

   3. In the User Identity drop-down list:

      • In the case of an ADFS environment, when you select the Web Application supports AD FS Claims Authentication check box (see below) and a claims-aware Coveo Search is used (see Configuring the Claims-Aware Coveo Search Application), select a user identity of any Windows account that can be used to authenticate to ADFS.

      • Otherwise, select the user identity that you created for the Microsoft SharePoint farm.

   4. In the SharePoint Web Application Url box, enter the URL of the SharePoint Web Application using Claims-based authentication where the secured content to index is located.

   5. In the Temporary path for the cache of User Claims box, you must enter the path where the temporary cache of user Claims is saved.

   6. Select the Web Application supports NTLM Claims Authentication and/or Web Application supports AD FS Claims Authentication check boxes, according to the Claims authentication type that is enabled for the SharePoint web application (see Finding the Enabled Claims Authentication Type for a SharePoint Web Application).

      Important: When using ADFS Claims Authentication, you need to make sure your ADFS environment meets the requirement for the Claims security provider (see ADFS Server Requirements for a Claims Security Provider).

      Notes:

      • The Claims security provider can simultaneously support more than one Claims authentication type enabled for a Web Application.

      • Select Web Application supports NTLM Claims Authentication for Windows authentication with NTLM or Kerberos.

   7. CES 7.0.5556+ (June 2013) The following parameters are required only when the Web Application supports AD FS Claims Authentication check box is selected:

      1. In the Url of the SharePoint AD FS Server box, enter the URL of the ADFS server which is trusted by SharePoint.

         Note: If your SharePoint instance uses Okta as a single sign-on provider, leave this box empty (see Okta Single Sign-On Provider for SharePoint On-Premises).

      2. In the Trust Identifier for SharePoint box, enter the Relying Party Trust identifier for the SharePoint web application (see Finding the Relying Party Trust Identifier for a SharePoint Web Application).

         Note: If your SharePoint instance uses Okta as a single sign-on provider, leave this box empty (see Okta Single Sign-On Provider for SharePoint On-Premises).

   8. CES 7.0.5556+ (June 2013) The following parameters are required only when the Web Application supports AD FS Claims Authentication check box is selected and multiple ADFS servers are used to authenticate users in SharePoint:

      1. In the Url of the Identity Provider AD FS Server box, enter the URL of the ADFS server which is used as an Identity Provider for the ADFS server trusted by SharePoint.

      2. In the Trust Identifier for the SharePoint AD FS Server box, enter the Relying Party Trust identifier for the SharePoint ADFS server (see Finding the Relying Party Trust Identifier for a SharePoint ADFS server).

   9. CES 7.0.5785+ (August 2013) When the Web Application supports AD FS Claims Authentication check box is selected and a claims-aware Coveo Search is used (see Configuring the Claims-Aware Coveo Search Application), in the Bootstrap Token Signing Certificate (.cer) box, enter the path on the Coveo Master server where you saved the certificate used by ADFS to sign requests from the claims-aware Coveo search. If the requests are not signed by ADFS, leave this parameter empty. If the requests are not signed by ADFS, leave this parameter empty.

   10. In the Claim Type for User Names box, enter the type of Claim that should be used to uniquely identify users. Leave the default value (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) unless Coveo Support recommends to change the value.

   11. In the Claim Type(s) to Ignore box, enter the type(s) of Claims that should be ignored by the security provider to prevent polluting the security cache with unnecessary claims.

       Some of the Claims that are retrieved by the security provider when authenticating users in SharePoint can safely be ignored. These are usually Claims that are reserved for internal use by SharePoint and that cannot be used to set permissions on documents.

       Example: SharePoint assigns to every user a Claim that identifies the last time the user was authenticated. The value of this Claim is a timestamp, which has no value regarding document permissions and cannot be selected in the SharePoint people picker.

   12. CES 7.0.9167+ (December 2017) Select the Expand user's Granted Identities before first query check box to evaluate users' granted identities before they perform their first query.

       Note: When selected, results are returned following a user's first query. When cleared, results appears only after the user performs a second query or after the user's granted identities are expanded.

   13. In the Authentication Cookies Sliding Session Expiration Time (in days) box, enter the time interval, in days, during which the Claims of a user authenticated by the Claims security provider remains valid. Values smaller than one day are accepted (ex.: 0.5). The default is 1 day.

   14. Next to Parameters, when instructed to do so by Coveo Support, click Add Parameter to add an hidden parameter by entering the parameter Name and Value.

       Note: CES 7.0.6830+ (July 2014) The parameter ClaimsMaximumSize is used to set the maximum allowed size for a single Claims identity. The default value is 12288 (12 KB). A message similar to the following one appears in the CES Console and logs typically when a user with claims exceeding this limit logged in or performed a query: 

       The security provider "Claims" has encountered an exception: class CSP::SecurityException: The user 'user_name here' contains too much claims and will be rejected.

       When this condition occurs, the search results that are secured by Claims permissions are not returned for the query.

   15. Ensure that the Allow Complex Identities option is selected.

       A Claims security provider may need additional parameters when you create identities (see Using the Identity Picker Form). You can specify these additional parameters only when the Allow Complex Identities option is selected.

   16. Click Save or Apply Changes.