
Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual

Page 11


Google Search Appliance: Authentication/Authorization for Enterprise SPI Guide


The SAMLRequest is first DEFLATE-compressed, then Base64-encoded, then URL-encoded. If you are using the
security manager, it must be decoded and parsed. The following Python and C# code demonstrates the
conversion:

Python:

import base64
import zlib

def dec_b64_inflate(bstring):
    # Base64-decode the (already URL-decoded) parameter, then inflate it.
    # wbits=-15 tells zlib the data is raw DEFLATE with no zlib/gzip header.
    d_data = base64.b64decode(bstring)
    return zlib.decompress(d_data, -15)

C#:

using System.IO;
using System.IO.Compression;

// input is the URL-decoded and Base64-decoded SAMLRequest bytes;
// DeflateStream expects raw DEFLATE data with no zlib/gzip header.
public string Decompress(byte[] input)
{
    using (MemoryStream inputStream = new MemoryStream(input))
    {
        using (DeflateStream deflate =
            new DeflateStream(inputStream, CompressionMode.Decompress))
        {
            using (StreamReader reader =
                new StreamReader(deflate, System.Text.Encoding.UTF8))
            {
                return reader.ReadToEnd();
            }
        }
    }
}

After URL-decoding, Base64-decoding and decompression, the value of the SAMLRequest parameter becomes:

<samlp:AuthnRequest AssertionConsumerServiceURL="https://gsa.yourdomain.com/security-manager/samlassertionconsumer"
    Destination="http://spi.yourdomain.com:28080/login"
    ID="_33d9a01b3dd314c6bc394c420fc0857a"
    IsPassive="false" IssueInstant="2010-07-16T02:05:02.147Z"
    ProviderName="Google security manager"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://google.com/enterprise/gsa/T2-I02BQQ2PYJSJT/security-manager</saml:Issuer>
</samlp:AuthnRequest>
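As an added example (not code from the guide), the following Python reverses all three encoding layers of the SAMLRequest parameter and parses the resulting AuthnRequest, checking the fields an IdP should verify before answering it. The sample request, its hostnames, ID and issuer path are constructed placeholders modelled on the request shown above, and the expected Destination is assumed to be the SPI login URL.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest modelled on the guide's; hostnames and ID are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" '
    'AssertionConsumerServiceURL="https://gsa.example.com/security-manager/samlassertionconsumer" '
    'Destination="http://spi.example.com:28080/login" ID="_example0001" IsPassive="false" '
    'IssueInstant="2010-07-16T02:05:02.147Z" ProviderName="Google security manager" Version="2.0">'
    '<saml:Issuer xmlns:saml="%s">http://google.com/enterprise/gsa/EXAMPLE-ID/security-manager'
    '</saml:Issuer></samlp:AuthnRequest>' % (SAMLP, SAML)
)

def encode_saml_request(xml_text):
    """What the security manager does: raw DEFLATE -> Base64 -> URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_saml_request(param_value):
    """Reverse the three layers: URL-decode -> Base64-decode -> inflate."""
    deflated = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(deflated, -15).decode("utf-8")

def parse_authn_request(xml_text, expected_destination):
    """Extract the fields the IdP needs and reject requests it should not honour."""
    root = ET.fromstring(xml_text)  # use defusedxml in production to block entity expansion
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    # Destination must be this IdP's own login URL; a request addressed
    # elsewhere was not meant for us and must not be answered.
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination mismatch: %s" % root.get("Destination"))
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issue_instant": root.get("IssueInstant"),
        "is_passive": root.get("IsPassive") == "true",
        "issuer": issuer.text if issuer is not None else None,
    }
```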

[4] [5] Authenticate User

The IdP challenges the user to provide credentials to authenticate. If an SSO cookie is already present in
the user's browser, the IdP can use it to authenticate the user automatically without prompting. The IdP
is free to use any authentication mechanism available (certificate, SSO, NTLM, Basic, Kerberos).

Figure 3: IdP challenging user for credentials.