Return url parameter, Silent authentication, Cookie cracking – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 70

If a sample URL is provided, it allows the search appliance to skip the redirect if the user already has
cookies that provide access to the sample URL. A sample URL also allows verification of the user cookies
upon return from the sample URL service.
Possible advantages of redirect URL authentication:
• The user’s password is never sent to the search appliance.
• The redirect URL server can interact directly with the user. This can facilitate login scenarios where the user’s browser must perform operations (such as evaluating complex JavaScript) that the search appliance form-filling emulator cannot perform.
Disadvantages of redirect URL authentication:
• It is generally slower than standard cookie-based forms authentication.
• It requires setting up the server for the redirect URL to respect the return URL parameter, which gives the server for the redirect URL information about the quickest path back to the search appliance.
• It does not result in a verified user-name unless the sample URL is also a cookie cracker.
On balance, Google does not recommend using a redirect URL as a preferred method of authentication.
To specify a redirect URL, enter it in the Redirect URL box on the Serving > Universal Login Auth
Mechanisms > Cookie page.
Return URL Parameter
A redirect response from the search appliance to a redirect URL includes a return URL parameter. A
return URL parameter gives the server for the redirect URL information about the quickest path back to
the search appliance. The server for the redirect URL follows this path when it sends a redirect response
that leads back to the search appliance after it has authenticated the user.
To use a return URL parameter, the administrator of the server for the redirect URL must modify the
server so that it respects a return URL parameter.
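A server that redirects to whatever URL a request parameter names is an open redirect, so the change described above should only honor return URLs that lead back to a known search appliance. The following is an added example, not code from the Google manual; the parameter name `returnPath`, the host names and the HTTPS-only rule are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the manual): the parameter name, the host names,
# and the rule that the appliance is reached over HTTPS only.
RETURN_PARAM = "returnPath"
APPLIANCE_HOSTS = frozenset({"gsa.example.com"})


def return_target(request_url, param=RETURN_PARAM, allowed_hosts=APPLIANCE_HOSTS):
    """Return the URL to send the browser back to after login, or None.

    None means the parameter is absent, ambiguous or points somewhere other
    than a known search appliance, so the caller should not redirect to it.
    """
    values = parse_qs(urlsplit(request_url).query).get(param, [])
    if len(values) != 1:              # missing, or repeated to confuse parsers
        return None
    target = values[0]
    # Control characters and backslashes are parsed differently by browsers
    # and servers; reject rather than normalise.
    if any(ch < " " or ch in "\\\x7f" for ch in target) or target != target.strip():
        return None
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:                # malformed authority, e.g. bad IPv6 literal
        return None
    if parts.scheme != "https":       # also rejects relative and //host forms
        return None
    if parts.username is not None or parts.password is not None:
        return None                   # https://appliance@other-host/ form
    if host is None or host not in allowed_hosts:
        return None
    return target


def post_login_response(request_url, fallback="/"):
    """Build the (status, headers) pair sent once the user is authenticated."""
    target = return_target(request_url)
    return 302, {"Location": target if target is not None else fallback}
```
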
Silent Authentication
With silent authentication, users are authenticated without being directed to a login page. Inbound
cookie forwarding from the content server to the search appliance can provide silent authentication
without a verified identity, if the sample URL check passes.
If you require a verified identity, then silent authentication can only be achieved with cookie cracking
(see “Cookie Cracking” on page 70).
Cookie Cracking
Your system might require a verified username and/or group, for example to use with authorization by
means of policy ACLs, SAML, or connectors. One way of getting a verified username and/or group in
addition to silent authentication is to configure the sample URL’s content server for cookie cracking (see
“Sample URL” on page 69).