Primary verified identity – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Google Search Appliance: Managing Search for Controlled-Access Content

17

The domain www.abcreports.com uses one, unique set of credentials (user name and password). All
the other domains share a different single set of credentials.

Because ABC company’s domains are protected by two sets of credentials, their search appliance
administrator can group the domains into two credential groups, “reports” and “Default,” as illustrated
in the following diagram.

The search appliance prompts only for a single username/password for each credential group, and then
attempts to verify it against the systems in the credential group.

A credential group can have any number of authentication mechanisms (also known as “credential
group elements”). The search appliance supports any number of credential groups.

Currently, you can only add one domain protected by HTTP Basic authentication to the credential
groups that you configure on a Google Search Appliance.

For information about setting up credential groups, see “Working with Credential Groups” on page 19.

Primary Verified Identity

Although the search appliance can track multiple verified user identities at once, it only currently
supports one verified identity (primary verified identity) from any source, for example, when working
with policy Access Control Lists (ACLs). The following list contains a list of mechanisms that can provide
the primary verified identity, in order of precedence:

1.

x.509 client certificate authentication

2.

Universal Login Form—default credential group

3.

Forms authentication

4.

Kerberos

5.

Basic authentication (only returns a verified identity when used with LDAP)

6.

Connectors

In other words, a verified identity from x.509 client certificates overrides all other mechanisms,
including a verified identity from the SAML, and so on.