Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual

Because the cache URL (the URL the cache link points to, not the URL of the original document) is not secret, we must check the “GET” authorization for a document again when the user tries to access the corresponding cache link URL.

If the value for the Decision attribute in AuthzDecisionStatement is “Indeterminate”, rather than
“Permit” or “Deny”, the search appliance then tries to check authorization using Basic Authentication,
NTLM, or Forms Authentication, if they are configured. If they aren’t configured, an answer of
“Indeterminate” is treated as if authorization was denied.
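
The decision handling described above, as an added example that is not code from this guide or from the search appliance. The response document, the function names and the `fallback` callable (a stand-in for a configured Basic, NTLM or Forms check) are assumptions constructed for illustration, and denying when no matching statement is found is this example's own choice.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RESOURCE = "http://content2.yourdomain.com/doc.html"

# Constructed PDP response for illustration; {decision} is filled in per case.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthzDecisionStatement Decision="{decision}"
        Resource="http://content2.yourdomain.com/doc.html">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">GET</saml:Action>
    </saml:AuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


def pdp_decision(xml_text, resource, action="GET"):
    """Return the Decision attribute for (resource, action), or None if absent."""
    try:
        root = ET.fromstring(xml_text)  # response comes from the configured PDP
    except ET.ParseError:
        return None
    for stmt in root.iter(f"{{{SAML}}}AuthzDecisionStatement"):
        actions = [a.text.strip() for a in stmt.iter(f"{{{SAML}}}Action") if a.text]
        # Bind the decision to the exact resource and action that were asked about.
        if stmt.get("Resource") == resource and action in actions:
            return stmt.get("Decision")
    return None


def authorize(xml_text, resource, fallback=None):
    """fallback: hypothetical stand-in for a configured Basic/NTLM/Forms check."""
    decision = pdp_decision(xml_text, resource)
    if decision == "Permit":
        return True
    if decision == "Indeterminate" and fallback is not None:
        return bool(fallback(resource))
    # Deny, Indeterminate with no fallback, or a missing/unknown decision
    # (the last case is this example's assumption): fail closed.
    return False
```
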

The following is an example of a message the search appliance sends to the Policy Decision Point:

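POST /authz HTTP/1.1
Host: pdp.yourdomain.com
Content-Type: text/xml
SOAPAction: http://www.oasis-open.org/committees/security
Content-length: nnn

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<!-- The ID value is a placeholder; the request ID is not shown here. -->
<samlp:AuthzDecisionQuery ID="PLACEHOLDER_REQUEST_ID"
IssueInstant="2010-07-16T02:05:07Z"
Resource="http://content2.yourdomain.com/doc.html"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://google.com/enterprise/gsa/T2-IO2BQQ2PYJSJT</saml:Issuer>
<saml:Subject>
<saml:NameID>user1</saml:NameID>
</saml:Subject>
<saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">GET</saml:Action>
</samlp:AuthzDecisionQuery>
</soapenv:Body>
</soapenv:Envelope>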