Creating a SharePoint Security Provider

SharePoint and OneDrive for Business (CES 7.0.8047+ (December 2015)) sources need a SharePoint security provider to resolve permissions found on documents in the unified index. These permissions can either be SharePoint groups, users, or domain groups. Of these three types of permissions, only SharePoint groups are actually processed by the SharePoint security provider. Users and domain groups are simply forwarded to other security providers for processing.

The other types of security providers required to process users and domain groups vary according to the SharePoint environment being indexed, more precisely, according to the type of authentication provider (Classic Windows, Claims-Based) used by the Web Application, and the SharePoint server version (2013 or 2010 on-premises, or Online) (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview) .

To modify or configure a SharePoint security provider

1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

2. Select Configuration > Security.

3. In the Security page, in the navigation panel on the left, click Security Providers.

4. In the Security Providers page, click Add.

5. In the Modify Security Provider page:

   

   1. In the Name box, enter a name to identify this security provider.

      Example: You may want to include in the name the SharePoint version and authentication mode used by this security provider:

      SharePoint 2013 (Windows under Claims)

   2. In the Security Provider Type drop-down list, select SharePoint (x64).

      Note: CES 7.0.6767– (June 2014) The SharePoint (x64) type corresponds to what is now the Legacy SharePoint security provider (see Creating a Security Provider for the SharePoint Legacy Connector).

   3. In the User Identity section:

      1. In the drop-down list, select the user identity that you selected or created previously to connect to this SharePoint Web Application (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview) .

      2. When needed, click Add, Edit, or Manage user identities respectively to create, modify, or manage user identities.

   4. In the Active Directory Security Provider drop-down list:

      1. For on-premises SharePoint environments without an Okta single sign-on configuration, select the default Active Directory security provider

      2. For SharePoint Online environments, select (none).

      3. For on-premises SharePoint environment using an Okta single sing-on configuration, select (none).

   5. In the Security Provider for SharePoint Users drop-down list, select the security provider that you created for your SharePoint environment (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview) .

      • Classic: Select (none).

      • Claims or Okta: Select your Claims security provider for an on-premises SharePoint (see Creating a Claims Security Provider for an On-Premises SharePoint).

      • Online:

        • Select your Claims security provider for SharePoint Online (see Creating a Claims Security Provider for SharePoint Online).

          OR

        • CES 7.0.7433+ (February 2015) Select your Claims to Email security provider for SharePoint Online (see Creating a Claims to Email Security Provider for SharePoint Online).

   6. In the Security Provider for Domain Groups drop-down list, select the security provider that you created for your SharePoint environment (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview) .

      • Classic: Select (none).

      • Claims (on-premises) or Okta: Select (none).

      • Online: Select your Office 365 security provider (see Creating an Office 365 Security Provider for SharePoint Online).

   7. In the SharePoint Server Url box, enter the following value according to your SharePoint environment:

      • Classic: URL of the SharePoint Web Application where the secured content to index is located.

      • Claims (on-premises) or Okta:

        URL of the SharePoint Web Application to index where the Coveo SharePoint Web Service is installed in the form http://SharePoint_server[:WebApp_port] (see Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint) .

        Note: You can find the port of the Coveo Web Service on your SharePoint server (see How to: Identify the Port Number of a SharePoint Application).

      • Online: URL of the SharePoint online site in the form https://domain.sharepoint.com/[path].

   8. In the Cache expiration delay (in minutes) box, you can set the time interval at which the security provider cache is refreshed. The default and recommended value is 60 minutes.

      Example: You may want to significantly reduce the Cache expiration delay (in minutes) value to 1 minute while you perform permission changing tests and want to ensure that this cache does not significantly delay the effect of your permission changes. You would set the value back to the default when your tests are completed to optimize performances.

   9. In the Authentication Type box, refer to the following table to enter the authentication type value corresponding to your SharePoint environment and the type of User Identity that you assigned to this security provider (see Microsoft SharePoint Connector Deployment Overview or Microsoft OneDrive for Business Connector Deployment Overview) .

      SharePoint environment	User identity type	Value to enter
      Classic	Windows account (SharePoint 2010 default)	WindowsClassic
      Claims	Windows account (SharePoint 2013 default)	WindowsUnderClaims
      	ADFS federated account	AdfsUnderClaims
      	Okta	Okta
      Online	Native Office 365 account	SpOnlineNative
      	Single Sign-On Office 365 account	SpOnlineFederated

   10. Leave the AuthenticationRealmUrl box empty unless your SharePoint environment includes an online authentication service on a separate server, in which case you enter the authentication server URL.

   11. The following ADFS related parameters are only required when the Authentication Type is either AdfsUnderClaims or SpOnlineFederated.

       1. In the AdfsServerUrl box, enter the URL of the ADFS server for which a Trust is established with SharePoint.

          Example: https://adfs.mydomain.com

          Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint online configured with Okta (see SharePoint Online (Okta SSO) [Claims] Source Quick Setup) .

          In this case, in the AdfsServerUrl box, enter the full path to your SharePoint Online ActiveClientSignInUrl that should be in the form: 

          https://acme.okta.com/app/office365/abcdefghGWUMNWLWYGXF/sso/wsfed/active

          You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructions of the Microsoft Office 365 application:

          1. With an administrator account, log in into Okta.

          2. In the top menu, click Admin.

          3. In the administration panel, select Applications > Applications.

          4. In the Applications page, click Microsoft Office 365.

          5. In the Microsoft Office 365 page, select the Sign On tab.

          6. In the Sign On tab, under Sign On Methods section, click View Setup Instructions.

          7. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

          Ensure that you also set this ActiveClientSignInUrl for the Claims Security provider and the SharePoint source (see Creating a Claims Security Provider for SharePoint Online and Modifying Hidden Microsoft SharePoint Source Parameters or Modifying Hidden Microsoft OneDrive for Business Source Parameters).

       2. In the SharePointTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint web application (see Finding the Relying Party Trust Identifier for a SharePoint Web Application).

   12. The following parameters are required only when multiple ADFS servers are used to authenticate users in SharePoint:

       1. In the IdentityProviderServerUrl box, enter the URL of the ADFS server which is used as an Identity Provider for the ADFS server trusted by SharePoint.

       2. In the AdfsServerTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint ADFS server (see Finding the Relying Party Trust Identifier for a SharePoint ADFS server).

       Note: At this point, the proper ADFS endpoint(s) should already have been enabled on the ADFS server(s) during the configuration of the Claims security provider for SharePoint (see ADFS Server Requirements for a Claims Security Provider).

   13. Select the AllowBasicAuthentication option only when basic authentication is enabled on the web application to index and specifically want to use this authentication mode.

       It is recommended to use this authentication method only with a secured connection (HTTPS) because the user name and password are passed in clear text in the URL.

   14. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in the OktaRealm box, enter the $realm value obtained from Okta (see Retrieve your application parameters).

       Example: urn:okta:sharepoint:myid

   15. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in the OktaSignInUrl box, enter the $signInURL value you obtained from Okta (see Retrieve your application parameters).

       Example: https://YOURINSTANCE.OKTA_OR_OKTAPREVIEW.com/app/sharepoint_onpremise/sso/wsfed/passive

   16. In the Parameters section, in rare cases the Coveo Support could instruct you to click Add Parameters to specify other security provider parameter names and values that could help to troubleshoot security provider issues.

   17. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

6. Click Apply Changes.