Working with credential groups – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 19
Google Search Appliance: Managing Search for Controlled-Access Content
19
6.
If any credential groups remain unsatisfied, the Universal Login Form is presented again (with only
the unsatisfied credential group’s enabled), up to three times.
Options that you, as the search appliance administrator, choose when configuring a credential group
determine whether the user must enter credentials on the Universal Login Form to view search
results. For more information about this topic, see “Creating Credential Groups” on page 19.
Working with Credential Groups
Set up credential groups by performing the following tasks in the Google Search Appliance Admin
Console:
1.
“Creating Credential Groups” on page 19
2.
“Configuring Credential Groups” on page 20
It is important to configure a credential group once you create it. If there is an unconfigured credential
group, the search appliance does not serve secure results. To avoid this issue, delete any unconfigured
credential groups.
About the Default Credential Group
The Google Search Appliance provides a built-in credential group named Default. You can configure the
Default credential group, as described in “Creating Credential Groups” on page 19 and “Configuring
Credential Groups” on page 20. If you plan on using credential groups and policy ACLs, configure the
Default credential group but do not rename it. For more information, see “Using Credential Groups
with Policy ACLs” on page 46.
Creating Credential Groups
Create a new credential group by using the Serving > Universal Login page in the search appliance
Admin Console. For information about creating and maintaining credential groups, click Help Center >
Serving > Universal Login.
For each credential group that you create, you can choose two options:
•
Require a User-name for this credential group? (See “Require a User-Name Option” on page 19.)
•
Group is Optional? (See “Group is Optional? Option” on page 19.)
The following sections describe these options.
Require a User-Name Option
The Require a user-name for this credential group? option ensures that the system has a username
for an authenticated user. This option is important when your configuration uses cookie-based
authentication in combination with an authorization mechanism that requires user-names, such as
policy ACLs, SAML, and connectors.
If a user presents pre-existing cookies that are sufficient for access to configured sample URLs, but no
cookie cracker is in use (see “Using Cookie Cracking” on page 37), the search appliance does not know
the user’s name. In this case, if the box is checked, the credential group is not pre-satisfied, even if the
sample URL check succeeds, and a Universal Login Form is presented to the user. If a user-name is
available, from a different authentication mechanism, a previous Universal Login Form, or a cookie
cracker, then the group can be pre-satisfied, and if all credential groups are pre-satisfied, then the
Universal Login Form is skipped altogether.
Group is Optional? Option
The Group is optional? option controls the behavior of the Universal Login Form.