Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual

GET /security-manager/samlauthn?
SAMLRequest=fZJNT8MwDEDvSPyHKPeuHxIMRWvRYJrYBKhAQYJb1rltRuKUOB3w7+k6EHCAq2P7PduZ
nL4ZzbbgSFlMeTyKOAMs7
VphnfL7Yh6c8NPs8GBC0uhWTDvf4C28dECe9ZVIYnhIeedQWEmKBEoDJHwp7qZXlyIZRaJ11tvSas4Ws
5SvVlJvTLOpn7G2gPhsjT
IV6o2tNK4aJSsjy3bTcPbwpZXstBZEHSyQvETfh6I4CqJxEB8XUSKiIxHFT5zln6QzhfsJ/
tNa7ZNIXBRFHkydV5Us/dBkq9bgrvu
KlNfW1hpGpTU7hVwSqW0frqQm4NmwFzGouR8L+R/
c94CeZpFnjfetCMNvSAjowbVOEYQ1ybBIgutxcnZzk+SPy7tlMQl/ELPPs
+xMF7PcalW+s6nW9vXcgfS9pncdcDa3zkj/t1Q8ioeIWgfVkCo6pBZKVSlYcxZme+rv+/e/
4gM=&RelayState=/search?
q=secure&btnG=Google+Search&access=a&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&sort=date%3AD%3AL%3Ad1&entqr=3&oe=UTF-8&ie=UTF-8&ud=1&site=default_collection HTTP/1.1
Host: gsa.yourdomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 4.0.20506)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://gsa.yourdomain.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=%3CHOME/%3E
Cookie: COOKIETEST=1; GSA_SESSION_ID=f233e6451746aceec55a60e1a8f9708e

As you can see, the redirect request itself does not contain the hostname of the Google Search Appliance.
The security manager knows the host and port of the search appliance because it is configured with them.
This step should be immaterial to an external SPI provider (it's part of the search appliance --> security
manager interaction) and, as stated, with the 6.4 release the search appliance and the security manager
are the same host.

[3] Security manager redirects to the IdP.

The security manager stores some session information (e.g., the &RelayState=) and redirects the user
to the Identity Provider for an authentication challenge (in this case,
http://idp.yourdomain.com:28080/login). The security manager also adds a new &SAMLRequest=
parameter, because the original one was in context only between the search appliance and security
manager; this one is in context between the security manager and the IdP. This request also contains an
optional Signature for the SAMLRequest.
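
The SAMLRequest value in redirects like these is an XML AuthnRequest that has been DEFLATE-compressed and base64-encoded (the SAML HTTP-Redirect binding). The Python below is an added example, not part of the guide: it decodes the parameter from a redirect URL and reports the request ID, Issuer, RelayState and whether the optional signature parameters are present, without verifying the signature. The sample request is constructed, and the Signature/SigAlg parameter names come from the SAML binding, not from this page.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed AuthnRequest; the ID and Issuer values are made up for the demo.
SAMPLE_XML = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
              'ID="_constructed1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">'
              '<saml:Issuer>constructed-issuer</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inspect_redirect(url: str, limit: int = 65536) -> dict:
    """Decode the SAMLRequest in a redirect URL and summarise it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "SAMLRequest" not in qs:
        raise ValueError("no SAMLRequest parameter")
    # parse_qs turns an unescaped '+' into a space; undo that for base64.
    raw = base64.b64decode(qs["SAMLRequest"][0].replace(" ", "+"), validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, limit)  # bounded output: no inflate bomb
    if not inflater.eof:
        raise ValueError("SAMLRequest truncated or larger than the limit")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAMLRequest rejected")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
        # The redirect binding carries the signature as query parameters.
        "signed": "Signature" in qs and "SigAlg" in qs,
    }

def sample_url() -> str:
    """Constructed redirect to the IdP login URL named in the text."""
    query = urlencode({"SAMLRequest": encode_redirect(SAMPLE_XML),
                       "RelayState": "/search?q=secure"})
    return "http://idp.yourdomain.com:28080/login?" + query

if __name__ == "__main__":
    print(inspect_redirect(sample_url()))
```

An IdP that requires signed AuthnRequests must also verify the Signature value against the sender's key; the `signed` flag here only shows that the parameters were sent.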