
Learn More about the Feeds Protocol, Authentication SPI, Authorization SPI – Google Search Appliance: Getting the Most from Your Google Search Appliance User Manual


A scripting language, such as Python

Learn More about the Feeds Protocol

For complete documentation on feeds, refer to the Feeds Protocol Developer’s Guide.

Integrating with an Existing Access-Control Infrastructure

You can enable a Google Search Appliance to communicate with an existing access-control infrastructure
by using the following Service Provider Interfaces (SPIs):

SAML Authentication SPI (see “Authentication SPI” on page 67)

SAML Authorization SPI (see “Authorization SPI” on page 67)

These interfaces communicate by way of standard Security Assertion Markup Language (SAML)
messages.

Before using the Authentication and Authorization SPIs, you must configure the appliance to crawl and
index some secure controlled-access content. The SPIs are used only when a user queries for secure
results.

Authentication SPI

The Authentication SPI allows search users to authenticate to the Google Search Appliance. Instead of
authenticating search users itself, the search appliance redirects the user to an Identity Provider, a
customer-implemented server, where the actual authentication takes place. The Identity Provider then
redirects the user back to the appliance, while passing information that includes the identity of the
search user.

The Authentication SPI supports the following methods:

HTTP Basic

NTLM HTTP

Server Message Block (SMB)/Common Internet File System (CIFS) (public only)

If you use the Authentication SPI, you must use the Authorization SPI as well. However, if you decide to
authenticate your users with X.509 certificates or LDAP, you do not need to implement the
Authentication SPI.

Authorization SPI

Once the user’s identity has been authenticated, the Authorization SPI checks whether the user is
authorized to view each of the secure documents that match their search. Using the authenticated
cookie set during Authentication, the search appliance sends a message inside a SAML Authorization
request. The message contains the user identity and the URL to the customer’s server that provides
access control services, or Policy Decision Point. In response to authorization check requests, the Policy
Decision Point responds with a message that says one of “Permit,” “Deny,” or “Indeterminate.”
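The decision logic of a Policy Decision Point can be sketched as follows. This is an added example, not code from the manual or from Google; it assumes SAML 2.0 `AuthzDecisionQuery` element names, and the policy table, URLs, and function names are hypothetical. Signature checking and the transport envelope are out of scope here.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed policy table (hypothetical): document URL -> users who may view it.
ACL = {
    "https://intranet.example.com/hr/salaries.html": {"alice"},
    "https://intranet.example.com/eng/design.html": {"alice", "bob"},
}

def make_query(user: str, url: str) -> str:
    """Build a constructed sample query carrying the user identity and a URL."""
    return (f'<samlp:AuthzDecisionQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'Resource={quoteattr(url)}><saml:Subject><saml:NameID>{escape(user)}'
            f'</saml:NameID></saml:Subject></samlp:AuthzDecisionQuery>')

def decide(query_xml: str) -> str:
    """Return 'Permit', 'Deny' or 'Indeterminate' for one authorization query."""
    # Refuse DTDs so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in query_xml or "<!ENTITY" in query_xml:
        return "Indeterminate"
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError:
        return "Indeterminate"
    if root.tag != f"{{{SAMLP}}}AuthzDecisionQuery":
        return "Indeterminate"
    resource = root.get("Resource")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    user = (name_id.text or "").strip() if name_id is not None else ""
    if not resource or not user:
        return "Indeterminate"      # incomplete query: never guess
    allowed = ACL.get(resource)
    if allowed is None:
        return "Indeterminate"      # no policy known for this URL
    return "Permit" if user in allowed else "Deny"

def visible(decision: str) -> bool:
    """Consumer side of this example: only an explicit Permit shows a result."""
    return decision == "Permit"

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for url in list(ACL) + ["https://intranet.example.com/unknown.html"]:
            d = decide(make_query(user, url))
            print(f"{user:6} {url:50} {d:14} shown={visible(d)}")
```

Treating "Indeterminate" the same as "Deny" when filtering results is a fail-closed choice made in this example, not behaviour stated in the manual.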

The Authorization SPI can be used with any one of the following authentication methods:

The SAML Authentication SPI, which requires web services from an Identity Provider

LDAP directory service integration, including Active Directory