Google Search Appliance Managing Search for Controlled-Access Content User Manual


The search appliance performs the following steps before sending Salim’s browser to the search results
page:

1. The search appliance queries the index and obtains a list of the most relevant results for Salim’s
query. The list of potential results includes announcements about the new AlphaLyon Product
release (public content), as well as sales presentations and other sales collateral materials about
AlphaLyon Product (secure content).

2. The search appliance filters the list of results as specified by the front end that applies to Salim’s
search. It applies the filters defined in Serving > Front Ends > Filters and excludes all URLs listed in
Serving > Front Ends > Remove URLs.

3. The sales collateral materials come from content sources that are labeled “secure”. Before it can
serve results for Salim’s query, the search appliance needs more information.

4. The search appliance checks to see whether Salim has provided credentials that it can use. Salim’s
web browser obtains or validates his Kerberos ticket from the network domain controller, which is
acting as a Kerberos Key Distribution Center (KDC).

5. The search appliance sends an authorization request to Salim’s web browser. Because the search
appliance is configured to force the use of SSL for secure search, the request is sent over HTTPS.
(This configuration is recommended, but optional.)

6. Because Salim’s Kerberos ticket is valid for use by the search appliance, Salim’s web browser does
not display the Universal Login form. His query is silently authenticated through Kerberos.

7. Salim’s Kerberos ticket is used to generate a session cookie on his computer. The browser sends
Salim’s cookie back to the search appliance as an authentication header sent over HTTPS.

8. Using Salim’s cookie, the search appliance performs an HTTP HEAD request for each of the secure
documents in the list of results. If the server returns “HTTP status 401” (not authorized) for a
document, or the authorization attempt is inconclusive, the document is removed from the list of
potential results. Because Salim is a member of the policy group sales, the search appliance
should be authorized to request all of the secure sales collateral materials when passing his
credentials.

9. The search appliance creates a list of search result snippets and URLs that meet all of the following
criteria:

   - URLs match Salim’s search query.
   - URLs are not excluded by a filter in Salim’s front end.
   - URLs are not excluded by a Remove URL in Salim’s front end.
   - The URL is public or Salim has authorization to view the URL.

10. The search appliance directs Salim’s browser to the search results page that contains all public and
secure documents that match the query “AlphaLyon product fall sales report”. Salim should see
results from products.alphalyon.int, news.alphalyon.int, emp.alphalyon.int,
sales.alphalyon.int, and customers.alphalyon.int.

When Salim clicks on one of the links in his search results page, the browser provides his Kerberos ticket
in the authentication header. The next time that Salim performs a search, the search appliance
recognizes his session cookie and skips directly to the HTTP HEAD request in step 8. The session cookie
set by the search appliance remains valid as long as he keeps the browser open.

The search results page doesn’t tell Salim how many search results match his query or display
“Goooooogle” links, since that would reveal how many secure documents exist in the index.
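
The filtering in steps 2, 8 and 9 can be sketched as follows. This is an added example, not code from the search appliance or from the original manual. The function names, the URL paths, the cookie value, the finance and legacy hosts, and the stubbed HEAD responses are all constructed, and treating only a 2xx status as "authorized" is an assumption of this sketch.

```python
# Added illustration; paths, cookie value and the finance/legacy hosts are constructed.
from fnmatch import fnmatch

def authorized(status):
    """Fail closed: only a 2xx answer to the HEAD request keeps a document."""
    return status is not None and 200 <= status < 300

def serve_results(candidates, remove_patterns, head, cookie):
    """candidates: (url, is_secure) pairs in relevance order (step 1).
    head(url, cookie) returns an HTTP status, None, or raises OSError."""
    visible = []
    for url, is_secure in candidates:
        # Step 2: front-end Remove URLs exclusions come before any auth check.
        if any(fnmatch(url, pattern) for pattern in remove_patterns):
            continue
        if is_secure:
            # Step 8: HEAD request carrying the user's session cookie.
            try:
                status = head(url, cookie)
            except OSError:      # timeout or reset: inconclusive
                status = None
            if not authorized(status):
                continue         # 401 or inconclusive: never shown
        visible.append(url)      # step 9: public, or secure and authorized
    return visible

SALIM = "session=constructed-salim"
STATUS = {  # constructed content-server answers to HEAD for Salim's cookie
    "https://sales.alphalyon.int/collateral/deck.ppt": 200,
    "https://finance.alphalyon.int/payroll.xls": 401,
    "https://sales.alphalyon.int/archive/old.ppt": 200,
}

def fake_head(url, cookie):
    """Stand-in for the content servers, so the example runs offline."""
    if url.startswith("https://legacy."):
        raise TimeoutError("no answer")
    return STATUS[url] if cookie == SALIM else 401

CANDIDATES = [
    ("http://news.alphalyon.int/release.html", False),
    ("https://sales.alphalyon.int/collateral/deck.ppt", True),
    ("https://finance.alphalyon.int/payroll.xls", True),
    ("https://legacy.alphalyon.int/accounts.html", True),
    ("https://sales.alphalyon.int/archive/old.ppt", True),
]

if __name__ == "__main__":
    print(serve_results(CANDIDATES, ["*/archive/*"], fake_head, SALIM))
```

The function returns only the surviving URLs and no count of dropped ones, which matches the manual's point that the results page must not reveal how many secure documents matched.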