
Creating a Claims Security Provider for SharePoint Online

CES 7.0.5031+ (March 2013)

When indexing content from a SharePoint Online Web Application using Claims-based authentication, you must create a Claims security provider to allow authenticated users to search for documents secured using Claims permissions. Without such a security provider, no results would be returned.

The role of the Claims security provider is to authenticate users in SharePoint Online and retrieve the list of Claims associated with each user. Knowing the Claims of a user, the Coveo Search can display the search results this user is entitled to see according to the permissions that were indexed on SharePoint documents.

In order to be authenticated by the Claims security provider, a user must log in to the Coveo search interface using their SharePoint Online credentials. The Claims security provider can authenticate users in SharePoint Online using a native Office 365 identity or an identity provided by an ADFS server if Single Sign-On is enabled in SharePoint Online.

Notes:

  • Coveo .NET Front-End version 12.0.99+ (March 2013 monthly release) is required to display search results with Claims permissions.

  • The SharePoint, SharePoint Legacy and OneDrive for Business (CES 7.0.8047+ (December 2015)) connectors can use the Claims for SharePoint Online security provider type.

  • You can get familiar with how Coveo components deal with permissions on documents both at indexing and query time (see Security).

To create a Claims security provider for SharePoint Online

  1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

  2. In the Administration Tool, select Configuration > Security.

  3. In the navigation panel on the left, select Security Providers.

  4. In the Security Providers page, click Add.

  5. In the Modify Security Providers page:

    1. In the Name box, enter a descriptive name of your choice for this security provider instance.

    2. In the Security Provider Type drop-down list, select Claims for SharePoint Online.

    3. In the User Identity drop-down list:

      • When a claims-aware Coveo Search is used (see Configuring the Claims-Aware Coveo Search Application), select a user identity of any Windows account that can be used to authenticate to ADFS.

      • Otherwise, select the user identity that you created with an Office 365 account.

    4. In the SharePoint Web Application Url box, enter the URL of the SharePoint Online Web Application where the secured content to index is located.

    5. In the Temporary path for the cache of User Claims box, enter the path where the temporary cache of user Claims is saved.

    6. In the Office 365 Native Users Domain(s) box, enter the domain name that was created with your Office 365 account. The domain name to enter here must be the native domain created by Microsoft Online Services, which is different from a private domain owned by your company (see Finding Your Office 365 Native Domain Name).

      Note: You can enter more than one Office 365 domain, separating values by a comma.

    7. Select the Single Sign-On (AD FS) is enabled check box when Active Directory synchronization is activated in Office 365 and synchronized user accounts are used to log in to SharePoint Online.

      Important: When using ADFS Claims Authentication, you need to make sure your ADFS environment meets the requirement for the Claims security provider (see ADFS Server Requirements for a Claims Security Provider).

      CES 7.0.5556+ (June 2013) The following parameters are required only when the Single Sign-On (AD FS) is enabled check box is selected:

      1. In the Url of the SharePoint AD FS Server box, enter the URL of the ADFS server which is trusted by SharePoint.

        Example: https://adfs.mydomain.com

        Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint Online configured with Okta (see SharePoint Online (Okta SSO) [Claims] Source Quick Setup).

        In this case, in the Url of the SharePoint AD FS Server box, enter the full path to your SharePoint Online ActiveClientSignInUrl, which should be in the form:

        https://acme.okta.com/app/office365/abcdefghGWUMNWLWYGXF/sso/wsfed/active

        You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructions of the Microsoft Office 365 application:

        1. With an administrator account, log in to Okta.

        2. In the top menu, click Admin.

        3. In the administration panel, select Applications > Applications.

        4. In the Applications page, click Microsoft Office 365.

        5. In the Microsoft Office 365 page, select the Sign On tab.

        6. In the Sign On tab, under the Sign On Methods section, click View Setup Instructions.

        7. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

        Ensure that you also set this ActiveClientSignInUrl for the SharePoint security provider and the SharePoint source (see Creating a SharePoint Security Provider and Modifying Hidden Microsoft SharePoint Source Parameters or Modifying Hidden Microsoft OneDrive for Business Source Parameters).

      2. In the Trust Identifier for SharePoint box, enter the Relying Party Trust identifier for the SharePoint web application (see Finding the Relying Party Trust Identifier for a SharePoint Web Application).

    8. CES 7.0.5556+ (June 2013) The following parameters are required only when multiple ADFS servers are used to authenticate users in SharePoint:

      1. In the Url of the Identity Provider AD FS Server box, enter the URL of the ADFS server which is used as an Identity Provider for the ADFS server trusted by SharePoint.

      2. In the Trust Identifier for the SharePoint AD FS Server box, enter the Relying Party Trust identifier for the SharePoint ADFS server (see Finding the Relying Party Trust Identifier for a SharePoint ADFS server).

    9. When the Single Sign-On (AD FS) is enabled check box is selected and a claims-aware Coveo Search is used (see Configuring the Claims-Aware Coveo Search Application), in the Bootstrap Token Signing Certificate (.cer) box, enter the path on the Coveo Master server where you saved the certificate used by ADFS to sign requests from the claims-aware Coveo search. If the requests are not signed by ADFS, leave this parameter empty.

    10. In the Authentication Cookies Sliding Session Expiration Time (in days) box, enter the time interval, in days, during which the Claims of a user authenticated by the Claims security provider remain valid. Values smaller than one day are accepted (e.g., 0.5).

    11. Next to Parameters, when instructed to do so by Coveo Support, click Add Parameter to add a hidden parameter by entering the parameter Name and Value.

      Note: CES 7.0.6830+ (July 2014) The parameter ClaimsMaximumSize sets the maximum allowed size for a single Claims identity. The default value is 12288 (12 KB). A message similar to the following one appears in the CES Console and logs, typically when a user whose claims exceed this limit logs in or performs a query:

      The security provider "Claims" has encountered an exception: class CSP::SecurityException: The user 'user_name here' contains too much claims and will be rejected.

      When this condition occurs, the search results that are secured by Claims permissions are not returned for the query.

    12. Ensure that the Allow Complex Identities option is selected.

      A Claims security provider may need additional parameters when you create identities (see Using the Identity Picker Form). You can specify these additional parameters only when the Allow Complex Identities option is selected.

    13. Click Save.
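The ClaimsMaximumSize note above describes a failure mode that is easy to miss: a user whose Claims identity exceeds the limit is silently rejected by the security provider and gets no Claims-secured results. The following Python script is an added example, not code from Coveo or from CES; it scans CES Console log text for the exception message quoted in the note and counts the rejected users, so an administrator can spot the condition before opening a support case. The sample log lines are constructed for this example (only the exception text itself follows the documented wording), and the size-estimation helper assumes a simple "type=value;" encoding per claim, which is an assumption for illustration and not the format CES uses internally.

```python
import re
from collections import Counter

# Default ClaimsMaximumSize from the documentation (12288 bytes = 12 KB).
DEFAULT_CLAIMS_MAXIMUM_SIZE = 12288

# Constructed sample of CES Console log lines (not real CES output). Timestamps,
# levels and user names are invented; the exception text follows the message
# quoted in the ClaimsMaximumSize note.
SAMPLE_LOG = """\
2015-12-03 09:12:41 INFO  Security provider "Claims" authenticated user 'alice@contoso.onmicrosoft.com'.
2015-12-03 09:13:02 ERROR The security provider "Claims" has encountered an exception: class CSP::SecurityException: The user 'bob@contoso.onmicrosoft.com' contains too much claims and will be rejected.
2015-12-03 09:15:17 INFO  Query executed for user 'alice@contoso.onmicrosoft.com'.
2015-12-03 09:20:55 ERROR The security provider "Claims" has encountered an exception: class CSP::SecurityException: The user 'bob@contoso.onmicrosoft.com' contains too much claims and will be rejected.
2015-12-03 09:31:08 ERROR The security provider "Claims" has encountered an exception: class CSP::SecurityException: The user 'carol@contoso.onmicrosoft.com' contains too much claims and will be rejected.
"""

# Matches the documented exception and captures the provider name and the user.
TOO_MANY_CLAIMS = re.compile(
    r'The security provider "(?P<provider>[^"]+)" has encountered an exception: '
    r"class CSP::SecurityException: The user '(?P<user>[^']+)' contains too much claims"
)


def rejected_users(log_text):
    """Count, per user, the 'too much claims' rejections found in CES log text.

    Returns a Counter mapping user name -> number of rejection messages.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = TOO_MANY_CLAIMS.search(line)
        if match:
            counts[match.group("user")] += 1
    return counts


def estimated_claims_size(claims, limit=DEFAULT_CLAIMS_MAXIMUM_SIZE):
    """Rough size estimate of a Claims identity against ClaimsMaximumSize.

    `claims` is an iterable of (claim_type, claim_value) pairs.
    Assumption (for illustration only, not the CES internal format): each claim
    is counted as 'type=value;' encoded in UTF-8.
    Returns (size_in_bytes, exceeds_limit).
    """
    size = sum(len(f"{ctype}={value};".encode("utf-8")) for ctype, value in claims)
    return size, size > limit


if __name__ == "__main__":
    for user, count in rejected_users(SAMPLE_LOG).most_common():
        print(f"{user}: rejected {count} time(s); consider reviewing ClaimsMaximumSize")
    # A user who is a member of many groups carries many role claims.
    many_roles = [("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", f"group{i}")
                  for i in range(200)]
    size, too_big = estimated_claims_size(many_roles)
    print(f"estimated identity size: {size} bytes, exceeds default limit: {too_big}")
```

Run the script against an exported CES log file instead of SAMPLE_LOG to get a per-user rejection count; a user that appears repeatedly is the one to check for group-membership growth, since every additional role claim enlarges the identity that must fit under ClaimsMaximumSize.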

What's Next?

Create an Office 365 security provider that will use this Claims security provider (see Creating an Office 365 Security Provider for SharePoint Online).
