

Creating a SharePoint Security Provider

SharePoint and OneDrive for Business (CES 7.0.8047+ (December 2015)) sources need a SharePoint security provider to resolve permissions found on documents in the unified index. These permissions can either be SharePoint groups, users, or domain groups. Of these three types of permissions, only SharePoint groups are actually processed by the SharePoint security provider. Users and domain groups are simply forwarded to other security providers for processing.

The other types of security providers required to process users and domain groups vary according to the SharePoint environment being indexed, more precisely according to the type of authentication provider (Classic Windows, Claims-Based) used by the Web Application and the SharePoint server version (2013 or 2010 on-premises, or Online) (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview).

Notes:

  • CES 7.0.6830+ (July 2014) The SharePoint security provider type is for the second-generation SharePoint and OneDrive for Business connectors. When you are still using the original SharePoint connector to create your SharePoint source, use the SharePoint Legacy security provider type instead (see Creating a Security Provider for the SharePoint Legacy Connector).

  • You can get familiar with how Coveo components deal with permissions on documents both at indexing and query time (see Security).

To modify or configure a SharePoint security provider

  1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

  2. Select Configuration > Security.

  3. In the Security page, in the navigation panel on the left, click Security Providers.

  4. In the Security Providers page, click Add.

  5. In the Modify Security Provider page:

    1. In the Name box, enter a name to identify this security provider.

      Example: You may want to include in the name the SharePoint version and authentication mode used by this security provider:

      SharePoint 2013 (Windows under Claims)

    2. In the Security Provider Type drop-down list, select SharePoint (x64).

      Note: CES 7.0.6767– (June 2014) The SharePoint (x64) type corresponds to what is now the Legacy SharePoint security provider (see Creating a Security Provider for the SharePoint Legacy Connector).

    3. In the User Identity section:

      1. In the drop-down list, select the user identity that you selected or created previously to connect to this SharePoint Web Application (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview).

      2. When needed, click Add, Edit, or Manage user identities respectively to create, modify, or manage user identities.

    4. In the Active Directory Security Provider drop-down list:

      1. For on-premises SharePoint environments without an Okta single sign-on configuration, select the default Active Directory security provider.

      2. For SharePoint Online environments, select (none).

      3. For on-premises SharePoint environments using an Okta single sign-on configuration, select (none).

    5. In the Security Provider for SharePoint Users drop-down list, select the security provider that you created for your SharePoint environment (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview).

    6. In the Security Provider for Domain Groups drop-down list, select the security provider that you created for your SharePoint environment (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview).

    7. In the SharePoint Server Url box, enter the following value according to your SharePoint environment:

    8. In the Cache expiration delay (in minutes) box, you can set the time interval at which the security provider cache is refreshed. The default and recommended value is 60 minutes.

      Example: You may want to reduce the Cache expiration delay (in minutes) value to 1 minute while you perform permission-change tests, so that the cache does not significantly delay the effect of your permission changes. Set the value back to the default when your tests are completed to optimize performance.

    9. In the Authentication Type box, refer to the following table to enter the authentication type value corresponding to your SharePoint environment and the type of User Identity that you assigned to this security provider (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview).

      SharePoint environment   User identity type                          Value to enter
      Classic                  Windows account (SharePoint 2010 default)   WindowsClassic
      Claims                   Windows account (SharePoint 2013 default)   WindowsUnderClaims
      Claims                   ADFS federated account                      AdfsUnderClaims
      Claims                   Okta                                        Okta
      Online                   Native Office 365 account                   SpOnlineNative
      Online                   Single Sign-On Office 365 account           SpOnlineFederated

    10. Leave the AuthenticationRealmUrl box empty unless your SharePoint environment includes an online authentication service on a separate server, in which case you enter the authentication server URL.

    11. The following ADFS related parameters are only required when the Authentication Type is either AdfsUnderClaims or SpOnlineFederated.

      1. In the AdfsServerUrl box, enter the URL of the ADFS server for which a Trust is established with SharePoint.

        Example: https://adfs.mydomain.com

        Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint Online configured with Okta (see SharePoint Online (Okta SSO) [Claims] Source Quick Setup).

        In this case, in the AdfsServerUrl box, enter the full path to your SharePoint Online ActiveClientSignInUrl that should be in the form: 

        https://acme.okta.com/app/office365/abcdefghGWUMNWLWYGXF/sso/wsfed/active

        You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructions of the Microsoft Office 365 application:

        1. With an administrator account, log in to Okta.

        2. In the top menu, click Admin.

        3. In the administration panel, select Applications > Applications.

        4. In the Applications page, click Microsoft Office 365.

        5. In the Microsoft Office 365 page, select the Sign On tab.

        6. In the Sign On tab, under Sign On Methods section, click View Setup Instructions.

        7. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

        Ensure that you also set this ActiveClientSignInUrl for the Claims Security provider and the SharePoint source (see Creating a Claims Security Provider for SharePoint Online and Modifying Hidden Microsoft SharePoint Source Parameters or Modifying Hidden Microsoft OneDrive for Business Source Parameters).

      2. In the SharePointTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint web application (see Finding the Relying Party Trust Identifier for a SharePoint Web Application).

    12. The following parameters are required only when multiple ADFS servers are used to authenticate users in SharePoint:

      1. In the IdentityProviderServerUrl box, enter the URL of the ADFS server which is used as an Identity Provider for the ADFS server trusted by SharePoint.

      2. In the AdfsServerTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint ADFS server (see Finding the Relying Party Trust Identifier for a SharePoint ADFS server).

      Note: At this point, the proper ADFS endpoint(s) should already have been enabled on the ADFS server(s) during the configuration of the Claims security provider for SharePoint (see ADFS Server Requirements for a Claims Security Provider).

    13. Select the AllowBasicAuthentication option only when basic authentication is enabled on the web application to index and you specifically want to use this authentication mode.

      It is recommended to use this authentication method only with a secured connection (HTTPS) because the user name and password are passed in clear text in the URL.

    14. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in the OktaRealm box, enter the $realm value obtained from Okta (see Retrieve your application parameters).

      Example: urn:okta:sharepoint:myid

    15. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in the OktaSignInUrl box, enter the $signInURL value you obtained from Okta (see Retrieve your application parameters).

      Example: https://YOURINSTANCE.OKTA_OR_OKTAPREVIEW.com/app/sharepoint_onpremise/sso/wsfed/passive

    16. In the Parameters section, in rare cases Coveo Support may instruct you to click Add Parameters to specify other security provider parameter names and values that can help troubleshoot security provider issues.

    17. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

  6. Click Apply Changes.
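The two security-relevant behaviours this page describes, that the SharePoint security provider expands SharePoint groups itself while forwarding users and domain groups to other security providers, and that the Cache expiration delay bounds how long a revoked group membership can remain effective in query results, can be modelled with a small simulation. The following is an added example and not Coveo's code; the class names, the forwarding-provider stand-ins, the fake clock and the group membership data are all constructed for illustration, and a real provider would fetch membership from SharePoint rather than from a dictionary.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A permission entry as found on a SharePoint document (constructed model)."""
    kind: str   # "spgroup", "user" or "domaingroup"
    name: str


class ForwardingProvider:
    """Stand-in for the Active Directory or Claims security providers that
    receive users and domain groups. It records every principal it is asked
    to resolve and returns the principal's name as the allowed identity."""

    def __init__(self):
        self.received = []

    def resolve(self, principal):
        self.received.append(principal)
        return {principal.name}


class FakeClock:
    """Controllable clock so the cache expiration can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SharePointSecurityProvider:
    """Hypothetical provider: resolves SharePoint groups, forwards the rest."""

    def __init__(self, group_membership, user_provider, domain_group_provider,
                 cache_expiration_minutes=60, clock=time.time):
        self._membership = group_membership        # constructed stand-in for site group membership
        self._user_provider = user_provider
        self._domain_group_provider = domain_group_provider
        self._ttl = cache_expiration_minutes * 60  # same unit as the "Cache expiration delay (in minutes)" box
        self._clock = clock
        self._cache = {}                           # group name -> (fetched_at, member snapshot)

    def _group_members(self, group):
        now = self._clock()
        hit = self._cache.get(group)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]                          # served from cache: membership changes made since are invisible
        members = tuple(self._membership.get(group, ()))
        self._cache[group] = (now, members)
        return members

    def resolve(self, acl):
        """Expand a document ACL into the set of identities allowed to see it."""
        allowed = set()
        pending = list(acl)
        seen_groups = set()                        # guards against nested-group cycles
        while pending:
            p = pending.pop()
            if p.kind == "spgroup":
                if p.name in seen_groups:
                    continue
                seen_groups.add(p.name)
                pending.extend(self._group_members(p.name))
            elif p.kind == "user":
                allowed |= self._user_provider.resolve(p)
            elif p.kind == "domaingroup":
                allowed |= self._domain_group_provider.resolve(p)
            else:
                raise ValueError(f"unknown principal kind: {p.kind}")
        return allowed


def demo(cache_expiration_minutes=60):
    """Show when a membership change becomes visible for a given cache delay."""
    clock = FakeClock()
    membership = {   # constructed sample data, including a nested-group cycle
        "Site Members": [Principal("user", "DOMAIN\\alice"),
                         Principal("spgroup", "Finance Readers")],
        "Finance Readers": [Principal("domaingroup", "DOMAIN\\Finance"),
                            Principal("spgroup", "Site Members")],
    }
    users, groups = ForwardingProvider(), ForwardingProvider()
    provider = SharePointSecurityProvider(membership, users, groups,
                                          cache_expiration_minutes, clock)
    acl = [Principal("spgroup", "Site Members"), Principal("user", "DOMAIN\\bob")]

    before = provider.resolve(acl)
    # An administrator removes alice from the site group in SharePoint.
    membership["Site Members"] = [Principal("spgroup", "Finance Readers")]
    clock.advance(2 * 60)                          # two minutes after the change
    after_2min = provider.resolve(acl)
    clock.advance(cache_expiration_minutes * 60)   # past the expiration delay
    after_expiry = provider.resolve(acl)
    forwarded_kinds = {p.kind for p in users.received + groups.received}
    return before, after_2min, after_expiry, forwarded_kinds
```

Running demo() with the default 60-minute delay shows that alice still resolves as allowed two minutes after her removal and only disappears once the cache entry expires, whereas demo(cache_expiration_minutes=1) reflects the removal at the two-minute check, which is the reason the page suggests a 1-minute delay while testing permission changes. In both runs only users and domain groups reach the forwarding providers; SharePoint groups never do.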
