Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual
Page 11
Google Search Appliance: Authentication/Authorization for Enterprise SPI Guide
11
The SAMLRequest is first DEFLATE-compressed, then Base 64 encoded, then URL encoded. It must be
decoded and parsed if using the security manager. The following lines of code in python and c#
demonstrate the conversion:
python:
def dec_b64_inflate(bstring):
d_data = base64.b64decode(bstring)
return zlib.decompress(d_data, -15)
C#:
public string Decompress(byte[] input)
{
using (MemoryStream inputStream = new MemoryStream(input))
{
using (DeflateStream gzip =
new DeflateStream(inputStream, CompressionMode.Decompress))
{
using (StreamReader reader =
new StreamReader(gzip, System.Text.Encoding.UTF8))
{
return reader.ReadToEnd();
}
}
}
}
After decompression, the &SAMLRequest= becomes:
AssertionConsumerServiceURL="https://gsa.yourdomain.com/ security-manager/samlassertionconsumer" http://google.com/enterprise/gsa/T2-I02BQQ2PYJSJT/security-manager
Destination="http://spi.yourdomain.com:28080/login"
ID="_33d9a01b3dd314c6bc394c420fc0857a"
IsPassive="false" IssueInstant="2010-07-16T02:05:02.147Z"
ProviderName="Google security manager"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
[4] [5] Authenticate User
The IdP challenges the user to provide credentials to authenticate. If an SSO token is already present on
the user’s browser, that cookie could be used by the IdP to automatically authenticate without
prompting. The IdP is free to use any authentication mechanism available (certificate, SSO, NTLM, Basic,
Kerberos).
Figure 3: IdP challenging user for credentials.