Authentication, Universal login – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Authentication
Serve-time authentication is the process of verifying the identity of a user who has issued a search
request for controlled-access content. The Google Search Appliance uses these methods to establish
the user’s identity:
• Cookie-based authentication
• HTTP Basic or NTLM HTTP
• Kerberos authentication against a domain controller
• The SAML Authentication Service Provider Interface (SPI)
• LDAP
• Digital certificates and certification authorities
This section describes how a search appliance performs authentication, and how to configure
authentication for the supported mechanisms. For information about how the search appliance
determines whether an authenticated user, system, or service has access to secure content, see
“Authorization” on page 38.
Universal Login
With Universal Login, a user who is searching for protected content is prompted for credentials once by
the Universal Login Form for a set of authentication mechanisms that share a username and password.
The user is granted (or denied) access to the resources based on the credentials, and the search
appliance returns the appropriate search results. The Google Search Appliance supports Universal Login
for the following authentication mechanisms:
• “Cookie-Based Authentication” on page 20 (single sign-on, forms)
• “HTTP-Based Authentication” on page 23 (HTTP Basic, NTLM)
• “Client Certificate-Based Authentication” on page 24
• “Kerberos-Based Authentication” on page 25
• SAML Authentication SPI (see “The SAML Authentication Service Provider Interface (SPI)” on page 31)
The Google Search Appliance also supports authentication without Universal Login using LDAP (see
“Integrating the Search Appliance with an LDAP Server” on page 34).