Using perimeter security, Authorization – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Google Search Appliance: Managing Search for Controlled-Access Content

38

The effect of the response header is that it has “cracked” open the cookie and revealed the user and/or
group name. The cookie can be used to “pre-satisfy” the credential group and the user has access to
protected content without having to re-enter his credentials.

Other than setting up a sample URL, there is no configuration required for using cookie cracking on a
search appliance. However, to use cookie cracking, the content server administrator must modify the
content server so that it returns the appropriate response header.

Note that the content server must only emit the X-Username and X-Groups headers when it is
presented with a valid cookie. If the content server produces something like “X-Username: invalid
cookie,” then all users with invalid cookies obtain “invalid cookie” as a verified identity, which could
cause authorization caching to provide the incorrect results to some users.

There is a 3 second timeout limit for checking the sample URL. If the response time of the host is
beyond this limit, the check for user credentials is not successful.

Using Perimeter Security

Perimeter security ensures that the search appliance doesn’t serve any results without user
authentication.

When perimeter security is enabled, the search appliance prompts the user for credentials when he first
submits a search request. The search appliance authenticates the user by using the mechanisms that
are configured for Universal Login.

If the user is successfully authenticated, the search appliance serves results. If the user is searching for
public content only, no authorization is required to view results. If the user is searching for both public
and secure content, the search appliance uses the credentials it has gathered to perform authorization
on secure documents. The user is not prompted again for credentials.

If the user cannot be authenticated, the search appliance doesn’t serve any results.

To configure perimeter security, use the Serving > Universal Login page. For instructions for
configuring perimeter security, click Help Center > Serving > Universal Login.

Authorization

Authorization is the process that determines whether an authenticated user, system, or service has
permission to perform a task. After the search appliance authenticates a user by establishing the user’s
identity, the search appliance attempts to determine whether a user has access to the secure content
that matches their search.

The search appliance supports two models for performing authorization checks:

•

“Flexible Authorization” on page 39

•

“Legacy Authorization” on page 40

If flexible authorization is enabled, the search appliance legacy authorization is disabled and
authorization uses the security manager’s authorization checker. If flexible authorization is disabled,
the search appliance uses its legacy authorization. However, there is one exception: SMB URLs, which
are only handled by the search appliance’s legacy authorization.

By default, flexible authorization is disabled. To enable flexible authorization, click Enable on the
Serving > Flexible Authorization page. To disable flexible authorization, click Disable.