Security manager – Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual

Google Search Appliance: Authentication/Authorization for Enterprise SPI Guide

SAML 2.0: An XML-based standard whose primary use case is inter-domain single sign-on. [http://www.oasis-open.org/specs/#samlv2.0]

SOAP 1.1: The Simple Object Access Protocol is an XML-based protocol for exchanging information over the Internet. [http://www.w3.org/TR/2003/REC-soap12-part1-20030624/]

GSA Universal Login with SPI: The GSA’s security manager providing universal login forms/SPI. [“The SAML Authentication Service Provider Interface (SPI)” in Managing Search for Controlled-Access Content]

XML Digital Signatures: Used for integrity protection of SAML Assertions. [http://www.w3.org/TR/xmldsig-core/]

Tip: One way to implement an Identity Provider and Policy Decision Point is to access a SOAP server using Apache Axis (see http://ws.apache.org/axis/) or by extending the authn.py GSA admin toolkit sample (see https://code.google.com/p/gsa-admin-toolkit/source/browse/trunk/authn.py).

Security Manager

The Google Search Appliance’s security manager handles user authentication processing on behalf of the search appliance. Its job is to provide the search appliance with a verified ID of the user performing the secure search and, essentially, to broker credential management across the various authentication mechanisms. With the 6.4 release, the security manager is integrated into the search appliance software and runs inside the search appliance. Although the interaction between the search appliance and the security manager is opaque to any SPI provider integrating with a 6.4 or earlier Google Search Appliance, the entire flow is shown in this document for full clarity.

Note: When writing an SPI, you only need to integrate with the protocol messages between the security manager and your IdP/PDP server. The internal protocol between the search appliance and the security manager, although visible to the user, is not something an administrator should account for. That is, an SPI provider has to integrate with only a portion of the communication shown in this document and can essentially ignore the search appliance to security manager communication (in Figure 1 below, an SPI provider integrates with steps [2], [3], [4], and [5]).