
Google Search Appliance Managing Search for Controlled-Access Content User Manual


The SAML Authorization SPI is exposed so that a customer’s web service can mediate between the search
appliance and the customer’s server that provides access control decisions, the Policy Decision Point.
The Authorization SPI must be supported whenever X.509 certificate authentication is used during serve.
This section describes the Authorization SPI.

Before using the Authorization SPI, you must configure the appliance to crawl and index some secure
controlled-access content. For information about setting up crawl and about the Authentication SPI, see
“The SAML Authentication Service Provider Interface (SPI)” on page 31. When configuring the search
appliance to verify authorization with the Authorization SPI, you do not have to use the Authentication
SPI. You can use any authentication mechanism that results in a user name.

Once a user’s identity has been authenticated, the Authorization SPI checks whether the user is
authorized to view each secure document that matches their search. The search appliance passes the
session cookie that was set during authentication to the Policy Decision Point’s Authorization Service
URL inside a SAML Authorization request.

When you use the Authentication SPI, the user’s session cookie carries the user’s identity in the SAML
Authentication format. For other authentication methods, the user’s identity is stored in that
method’s own format. For example, if X.509 certificates are used, the identity in the Authorization
SPI request is the “common name” field from the certificate, which is an X.500 attribute and an
unusual value for this field in a SAML authorization request. If you do not use the Authentication
SPI for authentication, your Policy Decision Point must be prepared to accept the user’s identity in
the format defined by your authentication method.

Once the SAML Authorization request is sent, what happens next depends on the type of content:

HTTP Basic, NTLM HTTP, and Forms Authentication

If the response from the Policy Decision Point is ‘Indeterminate’, the search appliance will also
attempt to verify authorization with a HEAD request (for content crawled using HTTP Basic or
NTLM HTTP) or GET request (for content crawled using Forms Authentication) before removing
the content from the search results list.

SMB/CIFS

If the response from the Policy Decision Point is ‘Indeterminate’, the search appliance removes
the content from the search results list. To support secure serve of content from SMB/CIFS file
shares with the SAML Authorization SPI, you must ensure that your Policy Decision Point only
returns ‘Permit’ or ‘Deny’ to a search appliance request. The search appliance does not fail over
to another form of authorization for content on SMB/CIFS shares.
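The following is an added example, not code from the Google Search Appliance manual or from Google. It builds a SAML 2.0 AuthzDecisionQuery for one secure search result (with the subject carried as the authenticated user name, or as a certificate common name when X.509 is the authentication method), extracts the Policy Decision Point’s decision from its response, and then applies the per-content-type handling of an ‘Indeterminate’ decision described above: HEAD for HTTP Basic/NTLM content, GET for Forms Authentication content, and immediate removal for SMB/CIFS content. Element and namespace names are taken from the SAML 2.0 core specification; the exact request the appliance emits is not shown on this page, so the envelope, the NameID Format values and the `fallback_check` callback are assumptions. The sample response is constructed, not captured from a real PDP.

```python
"""Added example (not code from the Google Search Appliance manual): build a
SAML 2.0 AuthzDecisionQuery for one search result, read the Policy Decision
Point's decision out of its Response, and apply the handling of an
'Indeterminate' decision that the manual describes per content type.

Assumptions: element and namespace names follow the SAML 2.0 core spec; the
exact request the appliance emits is not shown on the page, so the envelope
is illustrative, and the NameID Format used for certificate identities is
likewise an assumption."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Standard SAML NameID formats (assumed appropriate here, not stated by the page).
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
VALID_DECISIONS = ("Permit", "Deny", "Indeterminate")


def build_authz_query(subject, resource, action="GET", name_format=FMT_UNSPECIFIED):
    """Return the XML text of an AuthzDecisionQuery asking whether `subject`
    may perform `action` on `resource` (the URL of one secure search result)."""
    query = ET.Element(f"{{{SAMLP}}}AuthzDecisionQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Resource": resource,
    })
    name_id = ET.SubElement(ET.SubElement(query, f"{{{SAML}}}Subject"),
                            f"{{{SAML}}}NameID", {"Format": name_format})
    name_id.text = subject
    act = ET.SubElement(query, f"{{{SAML}}}Action",
                        {"Namespace": "urn:oasis:names:tc:SAML:1.0:action:ghpp"})
    act.text = action
    return ET.tostring(query, encoding="unicode")


def parse_decision(response_xml):
    """Extract the Decision attribute from the PDP's AuthzDecisionStatement.
    A non-Success status, a missing statement or an unrecognised value is
    treated as 'Indeterminate': the PDP did not give a usable answer."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return "Indeterminate"
    stmt = root.find(f".//{{{SAML}}}AuthzDecisionStatement")
    if stmt is None:
        return "Indeterminate"
    decision = stmt.get("Decision", "Indeterminate")
    return decision if decision in VALID_DECISIONS else "Indeterminate"


def serving_outcome(decision, crawl_auth, fallback_check=None):
    """Decide whether a result stays in the list.

    crawl_auth is how the content was crawled: 'http_basic', 'ntlm', 'forms'
    or 'smb'. fallback_check(method) models the appliance's own HEAD/GET
    probe against the content server and returns True if it succeeds.
    Returns (outcome, probe_method) with outcome 'show' or 'remove'."""
    if decision == "Permit":
        return ("show", None)
    if decision == "Deny":
        return ("remove", None)
    # Indeterminate from here on.
    if crawl_auth == "smb":
        # SMB/CIFS: no fallback; the appliance drops the result outright.
        return ("remove", None)
    method = {"http_basic": "HEAD", "ntlm": "HEAD", "forms": "GET"}[crawl_auth]
    if fallback_check is not None and fallback_check(method):
        return ("show", method)
    return ("remove", method)


# Constructed sample response, not captured from a real Policy Decision Point.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://pdp.example.com/authz</saml:Issuer>
    <saml:AuthzDecisionStatement Resource="https://intranet.example.com/doc1.html"
                                 Decision="Indeterminate">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">GET</saml:Action>
    </saml:AuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_authz_query("CN=jdoe", "https://intranet.example.com/doc1.html",
                            name_format=FMT_X509_SUBJECT))
    d = parse_decision(SAMPLE_RESPONSE)
    print(d, serving_outcome(d, "http_basic", lambda m: True),
          serving_outcome(d, "smb", lambda m: True))
```

The point of `serving_outcome` is the asymmetry the manual calls out: an ‘Indeterminate’ answer is survivable for HTTP-crawled content because the appliance can re-check with its own HEAD or GET, but for SMB/CIFS content it is equivalent to ‘Deny’, so a PDP that answers ‘Indeterminate’ for a file share silently empties the result list.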

Enabling the Authorization SPI on the Google Search Appliance

Before enabling the Authorization SPI, you must define a method for authenticating the user during
serve. You can enable user authentication with LDAP, X.509 certificates, or through the Authentication
SPI.

To configure the search appliance to use the Authorization SPI:

1. Click Serving > Access Control.