Google Search Appliance Managing Search for Controlled-Access Content User Manual

Configuring a Credential Group for Cookie-Based Authentication

Configure a credential group rule for cookie-based authentication by supplying a URL pattern and
sample URL on the Serving > Universal Login Auth Mechanisms > Cookie page in the Admin Console.
Optionally, you can also supply a redirect URL.

Sample URL

Supply a sample URL, which is any page in the protected site that all authenticated users can view. The
sample URL is used to detect whether a user has correct credentials for a particular authentication
method.

Each sample URL is checked before the Universal Login Form is presented, to determine if the user’s
initial set of cookies can “pre-satisfy” any or all credential groups. In addition, if any cookie-based
authentication methods are defined, the search appliance uses credentials gathered in the Universal
Login Form to gather cookies and then uses those cookies to retrieve the sample URL page. If the
retrieval is successful, the credentials are verified as correct. If a user has the correct cookies, content is
presented.

If a user does not have the correct cookies, the sample URL page should redirect to the forms-based
login system. To enable the sample URL to send a redirect response that leads to a login form, check
“When sample URL fails, expect the sample page to redirect to a form, and log in to that form” on
the Serving > Universal Login Auth Mechanisms > Cookie page.

For the URL pattern http://www.abcreports.com/, an example of a sample URL is
http://www.abcreports.com/standard.html.
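
The sample URL only works as a credential check if the page is served to valid cookies and redirects to the login form otherwise; a page that is served to everyone would make any cookie set look verified. The following is an added example, not part of the Google manual and not appliance code, that audits a candidate sample URL for that behaviour. The local test site, the cookie value, the /login path and all function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

GOOD_COOKIE = "session=constructed-demo-token"  # constructed sample value

def make_site(enforce):  # constructed site; enforce=False serves everyone
    class Site(BaseHTTPRequestHandler):
        def do_GET(self):
            if GOOD_COOKIE in self.headers.get("Cookie", "") or not enforce:
                self.send_response(200)
            else:  # no valid cookie: redirect to the forms-based login
                self.send_response(302)
                self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return HTTPServer(("127.0.0.1", 0), Site)

def fetch_status(url, cookie):
    """One GET that does not follow redirects; returns (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    conn.request("GET", parts.path or "/", headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def audit_sample_url(url, good_cookie):
    """Return the ways url fails to separate valid from missing cookies."""
    problems = []
    if fetch_status(url, good_cookie)[0] != 200:
        problems.append("valid cookie rejected")
    status, location = fetch_status(url, "")
    if status == 200:
        problems.append("served without cookies")
    elif status not in (301, 302, 303, 307) or not location:
        problems.append("no redirect to login form")
    return problems

def run_demo(enforce):
    with make_site(enforce) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/standard.html" % server.server_port
        try:
            return audit_sample_url(url, GOOD_COOKIE)
        finally:
            server.shutdown()
```

run_demo(True) audits a site that enforces the cookie and reports no problems; run_demo(False) audits one that serves the page to anyone and reports "served without cookies".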

Redirect URL

If you supply a redirect URL, the authentication mechanism changes significantly. In non-redirect mode,
the search appliance transfers a username / password from the Universal Login Form to a login form
found when attempting to retrieve the sample URL. With a redirect URL, the search appliance will
automatically redirect to that URL. The service at that URL can then authenticate the user in whatever
way it wishes. Upon completion of that authentication, the service at the redirect URL should grant a
cookie to the user which provides access to secure content (and to the sample URL, if provided), and
redirect the user back to the search appliance.

If a sample URL is provided, it allows the search appliance to skip the redirect if the user already has
cookies that provide access to the sample URL. A sample URL also allows verification of the user cookies
upon return from the sample URL service.

Possible advantages of redirect URL authentication:

The user’s password is never sent to the search appliance.

The redirect URL server can interact directly with the user. This can facilitate login scenarios where
the user’s browser must perform operations (such as evaluating complex JavaScript) that the search
appliance form-filling emulator cannot perform.

Disadvantages of redirect URL authentication:

It is generally slower than standard cookie-based forms authentication.

It requires setting up the server for the redirect URL to respect the return URL parameter, which
gives the server for the redirect URL information about the quickest path back to the search
appliance.

It does not result in a verified username unless the sample URL is also a cookie cracker.

On balance, Google does not recommend using a redirect URL as a preferred method of authentication.

Adding a Credential Group Rule for Cookie-Based Authentication