Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 32
Configuring a Credential Group for SAML Authentication
When the Google Search Appliance is configured with a credential group that includes a SAML
authentication domain, a user performing a secure search is challenged by the SAML Identity Provider.
The user provides her credentials on the Identity Provider login page.
You can add a rule for SAML authentication to a credential group by specifying the Entity ID and login
URL of the Identity Provider on the Serving > Universal Login > Auth Mechanisms > SAML page in the
Admin Console. Using this page, you can also specify the binding in which the search appliance
communicates with the SAML server:
• HTTP Artifact binding—To specify HTTP Artifact binding, enter an Artifact Resolver URL
• HTTP POST binding—To specify HTTP POST binding, enter the Public Key of IDP
You must specify either the Public Key of IDP or an Artifact Resolver URL in a credential group rule for
SAML, but do not specify both.
When creating credential groups for the authentication mechanism, ensure that Requires a User-Name is selected. For more information, see “Require a User-Name Option” on page 19.
Artifact Resolver URL
The artifact resolver URL is the URL for the server that converts a returned artifact into a response
message. If you provide the Artifact Resolver URL, the SAML server returns its responses using HTTP
Artifact binding. If you specify an Artifact Resolver URL, do not specify an Identity Provider public key.
Public Key of IDP
The Identity Provider public key is used to verify the signature on an assertion. If you specify a public key, the search appliance tries to verify the digital signature of the assertion, and the SAML server returns its responses using HTTP POST binding. If you specify an Identity Provider public key, do not specify an Artifact Resolver URL.
Adding a Credential Group Rule for SAML Authentication
If there are additional credential groups besides the one with the SAML entry, the search appliance
challenges the user with the Universal Login Form. After the user provides her credentials on the
Universal Login Form, the search appliance combines the verified identities from SAML and the
Universal Login Form. The user is granted access to the resources based on the combined credentials.
To add a credential group rule for SAML authentication to a credential group:
1. Click Serving > Universal Login > Auth Mechanisms > SAML.
2. Select a credential group from the pull-down menu.
3. In the Mechanism Name box, type a unique name for the authentication mechanism. A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-sensitive and can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.
4. Provide the IDP Entity ID and Login URL.
5. Provide either an artifact resolver URL or a public key of IDP, but not both.
6. Click Save.
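The constraints in the procedure above (mechanism name format and uniqueness, required Entity ID and Login URL, and exactly one of Artifact Resolver URL or Public Key of IDP) are easy to get wrong when several credential groups are being set up. The following Python is an added example, not code from the manual or from the Google Search Appliance itself: it models a SAML credential group rule as a plain dataclass (the field names and the `SamlRule`, `validate_saml_rule`, `binding_for` and `advisories` helpers are hypothetical) and checks a rule against the rules stated on this page before an administrator enters it in the Admin Console. The HTTPS advisory for the resolver URL is a general SAML deployment caveat added here, not a statement from the manual.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Hypothetical model of a credential group rule for SAML, constructed for this
# example. It is not the appliance's own data model or Admin Console API.
@dataclass
class SamlRule:
    mechanism_name: str
    idp_entity_id: str
    login_url: str
    artifact_resolver_url: Optional[str] = None   # set for HTTP Artifact binding
    idp_public_key: Optional[str] = None          # set for HTTP POST binding
    # The "Requires a User-Name" option belongs to the credential group; it is
    # carried on the rule here only so one object can be checked in full.
    requires_user_name: bool = True

# Mechanism name constraints as stated in the manual: 1 to 200 characters,
# alphanumerics, underscores and hyphens only, and not starting with a hyphen.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,199}$")


def validate_saml_rule(rule: SamlRule, existing_names: Sequence[str] = ()) -> List[str]:
    """Return the hard errors for a rule; an empty list means it is acceptable."""
    errors: List[str] = []
    if not _NAME_RE.match(rule.mechanism_name):
        errors.append("mechanism name must be 1-200 characters of [A-Za-z0-9_-] "
                      "and must not begin with a hyphen")
    # Names are case-sensitive, so the collision check compares them exactly.
    if rule.mechanism_name in existing_names:
        errors.append("mechanism name duplicates an existing mechanism or credential group name")
    if not rule.idp_entity_id.strip():
        errors.append("IDP Entity ID is required")
    if not rule.login_url.startswith(("https://", "http://")):
        errors.append("Login URL must be an absolute HTTP(S) URL")
    has_artifact = bool(rule.artifact_resolver_url)
    has_key = bool(rule.idp_public_key)
    # The manual requires one of the two and forbids both; neither is also wrong.
    if has_artifact == has_key:
        errors.append("specify exactly one of Artifact Resolver URL or Public Key of IDP")
    if not rule.requires_user_name:
        errors.append("'Requires a User-Name' must be selected for this mechanism")
    return errors


def binding_for(rule: SamlRule) -> str:
    """Binding the appliance uses for IdP responses, as described in the manual."""
    if rule.artifact_resolver_url and not rule.idp_public_key:
        # The appliance resolves the returned artifact against the resolver URL.
        return "HTTP-Artifact"
    if rule.idp_public_key and not rule.artifact_resolver_url:
        # The appliance verifies the assertion signature with the IdP public key.
        return "HTTP-POST"
    raise ValueError("rule is ambiguous; run validate_saml_rule() first")


def advisories(rule: SamlRule) -> List[str]:
    """Soft warnings: not errors on the page, but worth a look before saving."""
    notes: List[str] = []
    # Artifact resolution is a back-channel request from the appliance to the
    # IdP, so a plaintext resolver URL exposes that exchange (general caveat).
    if rule.artifact_resolver_url and rule.artifact_resolver_url.startswith("http://"):
        notes.append("Artifact Resolver URL is not HTTPS")
    if rule.login_url.startswith("http://"):
        notes.append("Login URL is not HTTPS; users will post credentials in the clear")
    return notes


if __name__ == "__main__":
    # Constructed sample rules; the hostnames are placeholders.
    post_rule = SamlRule("corp-saml", "https://idp.example.test/entity",
                         "https://idp.example.test/login",
                         idp_public_key="-----BEGIN PUBLIC KEY-----\n...placeholder...\n-----END PUBLIC KEY-----")
    both_rule = SamlRule("corp-saml2", "https://idp.example.test/entity",
                         "https://idp.example.test/login",
                         artifact_resolver_url="http://idp.example.test/resolve",
                         idp_public_key="placeholder")
    for r in (post_rule, both_rule):
        print(r.mechanism_name, validate_saml_rule(r), advisories(r))
```

Running the block prints no errors for `corp-saml` (HTTP POST binding) and reports that `corp-saml2` sets both the resolver URL and the public key, plus an advisory that its resolver URL is plaintext. Because `existing_names` is compared case-sensitively, `Corp-SAML` and `corp-saml` are treated as distinct names, matching the manual.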
For more information about how to add a rule for SAML authentication to a credential group, click Help
Center > Serving > Universal Login Auth Mechanisms > SAML.