Google Search Appliance: Google OneBox for Enterprise Developer’s Guide

17

When sensitive information passes between a search appliance and an external provider, it’s best to use
an SSL connection for secure data transfer. You do this by specifying the external provider URL as https
in the OneBox module definition. The secure URL causes the search appliance to establish a protected
session for transferring data, and request a valid certificate from the provider. The certificate is
validated using the Certificate Authority and Certificate Revocation List information that is configured
on the search appliance. If the provider requests a mutually authenticated certificate, the search
appliance transmits its certificate as configured in the Admin Console.

Another form of authentication between a search appliance and the provider is HTTP Basic
authentication. With this method, the search appliance sends a username and password in the HTTP
Authorization header to the provider. To enable HTTP Basic authentication, set the and
elements with a username and password that represent a provider “account” that is
associated with the search appliance. The search appliance sends these HTTP Basic authentication
credentials with every request to the provider. When using HTTP Basic authentication in production, always use SSL
so that the credentials do not cross the network in clear text.

It’s a good idea to disable security before testing a provider so that debugging is easier. After the
provider is functioning properly, enable the secure connection.

Defining User-Specific Results and Access Control

The search appliance provides document-level security, so that users can view search results only for
content to which they have access. Google Search Appliance supports HTTP Basic authentication, NTLM
HTTP authentication, and LDAP authentication plus forms-based single sign-on (SSO) systems. OneBox
also supports user-based information retrieval, and can interoperate with these access control
schemes.

If you use user-level access control, you must specify the userAuth attribute in the element
(see the element “security” on page 23) of the module definition. When a secure search is executed
against a search appliance (access=a), the OneBox modules that are configured with user-level access
control are called.

The userAuth attribute can have one of the following values:

none—No user authentication is performed.

basic—HTTP Basic authentication. The search appliance passes the user’s username and password to the
provider.

ldap—LDAP authentication. The user is authenticated against the configured LDAP directory server, and
the user’s distinguished name (DN) is passed to the provider.

sso—Forms-based single sign-on authentication. The user’s SSO cookie is passed to the provider.
Forms-based authentication is supported by the Google Search Appliance only.

You can use a mixture of these access control mechanisms on OneBox modules within the same user
query, but the search appliance may need to prompt the user for credentials or forward their session to
a single sign-on login page. The Google Search Appliance supports prompting the user for only one set
of credentials (username and password for HTTP Basic authentication, NTLM HTTP, and LDAP) and one
forms-based login per query.
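The following lint script is an added example, not code from the guide or from Google. It checks a module definition against the rules stated in this section and in the SSL and HTTP Basic discussion above: the provider URL should be https, userAuth must be one of none, basic, ldap or sso, and any mode that sends credentials, a DN or an SSO cookie must not run over clear-text HTTP. Only the security element and its userAuth attribute come from the page; the providerURL and basicAuth/username element names are assumptions, as are the sample definitions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ALLOWED_USER_AUTH = ("none", "basic", "ldap", "sso")


def lint_module(xml_text: str) -> list:
    """Return finding codes for one module definition (empty list = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    url_el = root.find("providerURL")  # assumed element name
    url = (url_el.text or "").strip() if url_el is not None else ""
    scheme = urlparse(url).scheme.lower()
    # Only an https provider URL makes the appliance validate the
    # provider certificate against its configured CA and CRL data.
    if scheme != "https":
        findings.append("provider-url-not-https")
    sec_el = root.find("security")  # element named on the page
    user_auth = sec_el.get("userAuth", "none") if sec_el is not None else "none"
    if user_auth not in ALLOWED_USER_AUTH:
        findings.append("unknown-userauth:" + user_auth)
    # Appliance-level Basic credentials; element names are assumed.
    appliance_basic = root.find("basicAuth/username") is not None
    # basic sends a password, ldap a DN, sso a cookie: all need SSL.
    sends_secret = appliance_basic or user_auth in ("basic", "ldap", "sso")
    if sends_secret and scheme != "https":
        findings.append("secret-over-clear-text:" + user_auth)
    return findings


# Constructed sample definitions (not taken from the guide).
WEAK_MODULE = """<onebox type="external">
  <providerURL>http://provider.example.internal/onebox</providerURL>
  <security userAuth="basic"/>
  <basicAuth><username>gsa-svc</username><password>x</password></basicAuth>
</onebox>"""

HARDENED_MODULE = WEAK_MODULE.replace("http://", "https://")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_MODULE), ("hardened", HARDENED_MODULE)):
        print(name, lint_module(text) or "clean")
```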

For information on each authentication method and how to configure authentication on the Admin
Console, see Managing Search for Controlled-Access Content.