Add User Identities to a Search Request

The getSearchUserIdentities pipeline allows for additional user identities to pass when performing a search query against the search index. This feature is especially useful when querying external content as it uses a different security model than Sitecore (Active Directory, SharePoint, Salesforce, etc).

The getSearchUserIdentities pipeline gets executed even when you disable the Coveo for Sitecore reverse proxy.

Adding a Static Identity

The following code sample shows how to add a static identity to a user using the Coveo.SearchProvider.Rest.Processors.GetSearchUserIdentities.AddIdentity processor. You must add this code snippet in the Coveo.SearchProvider.Custom.config file.

<getSearchUserIdentities>
    <processor type="Coveo.SearchProvider.Rest.Processors.GetSearchUserIdentities.AddIdentity">
        <identityName><!-- Put the identity name here --></identityName>
        <identityType><!-- Put the identity type here --></identityType>
        <securityProviderName><!-- Put the security provider name here --></securityProviderName>
    </processor>
</getSearchUserIdentities>

In identityName, you should set the identity name that you want to pass (e.g. sitecore\john.smith ; john.smith@local.net).

In identityType, you should set the type of the identity that you want to pass (e.g. user ; group).

In securityProviderName, you should set the name of the security provider you want to use to handle these identities (e.g. Email Security Provider).

Adding a Dynamic Identity

In this example, there’s a Sitecore instance that wants to present external content. This external content consists of files secured with Active Directory; they’re not stored in Sitecore but are already indexed by Coveo. Different methods exist to achieve this behavior. The approach presented here is to take an Active Directory account that can access the file and inject it to the Sitecore identities. In other words, when performing a search query, Sitecore uses two identities: the current Sitecore identity and the Active Directory identity allowed to read the files. To achieve this task, you have to implement a pipeline processor. Here is a code sample to do it.

AddSpecificUserIdentity.cs

using Coveo.Framework.Processor;
using Coveo.Framework.Security;
using Coveo.SearchProvider.Rest.Pipelines;
namespace Tutorials.Lib.GetSearchUserIdentities
{
    /// <summary>
    /// This processor injects an additional user identity at query time.
    /// </summary>
    public class AddSpecificUserIdentity : IProcessor<GetSearchUserIdentitiesArgs>
    {
        /// <summary>
        /// The process method is called when the <b>getSearchUserIdentities</b> pipeline is invoked.
        /// </summary>
        /// <param name="p_Args">The arguments contains the active user and the list of user identities used to perform the search query.</param>
        public void Process(GetSearchUserIdentitiesArgs p_Args)
        {
            // In this case, we have an Active Directory account (PublicContent) that can see
            // every public item. Adding this PublicContent identity at query time will allow
            // the website to present the public items to everybody, regardless of the
            // Sitecore user that's currently in use.
            p_Args.Identities.Add(new Identity {
                Name = "PublicContent",
                SecurityProviderName = "Active Directory",
                Type = IdentityType.User
            });
        }
    }
}
  1. Build the code. In this sample, it generates the Tutorials.Lib.dll file.

  2. Copy the Tutorials.Lib.dll file in the website bin folder.

  3. Edit the Coveo.SearchProvider.Rest.Custom.config file to register the processor. Sitecore will then be able to use it. To do so, add this code under the getSearchUserIdentities node.

     <processor type="Tutorials.Lib.GetSearchUserIdentities.AddSpecificUserIdentity, Tutorials.Lib" />
    

    You may have to copy the getSearchUserIdentities node from the Coveo.SearchProvider.Rest.config file. Please note that you’re discouraged from modifying this file, as it may cause upgrading issues.

  4. Sitecore can now retrieve the content that’s granted to the PublicContent user.

To validate which user identities are passed to the search index, you can use the debug=1 query string parameter when calling the /coveo/rest endpoint.

For example, http://<INSTANCE_HOSTNAME>/coveo/rest?debug=1 returns a JSON document containing the userIdentities attribute. The content of this attribute looks like this.

"userIdentities": [
  {
    "name": "extranet\Anonymous",
    "provider": "Sitecore Security Provider",
    "type": "User"
  },{
    "name": "PublicContent",
    "provider": "Active Directory",
    "type": "User"
  }
]
What's Next for Me?