Google Search Appliance Security User Manual
Page 10
Although not as commonly used as Per-URL ACLs, Policy ACLs are a flexible tool that can come in handy in unusual situations. For example, if a globally defined group should be denied access to an easily identifiable content source, a single Policy ACL entry may be the simplest option. Another case is a content system that uses coarse-grained permission rules: CA SiteMinder, for example, defines access control on URL patterns, and such rules translate directly into Policy ACLs.
As of GSA version 7.0, each Policy ACL entry must specify a domain, a namespace, and a case-sensitivity setting for the principal.
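As an added illustration (not code from the GSA manual or the product), the following Python sketch models a Policy ACL table the way the text describes it: each entry ties a URL pattern to a principal that carries a domain, a namespace and a case-sensitivity flag, and a group-wide deny on one content source is a single entry, as is a SiteMinder-style URL-pattern rule. The decision semantics (a matching deny overrides a matching permit; no matching entry means the Policy ACL does not decide and the appliance's other mechanisms apply), the glob syntax, and the sample users, groups and URLs are assumptions made for this example, not documented appliance behaviour.

```python
"""Added example: a toy Policy-ACL evaluator (not the GSA's own code).

Assumptions made for illustration: URL patterns are shell globs, a matching
DENY beats any PERMIT, and a URL no entry covers is left undecided (None)
for other authorization mechanisms to handle.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Principal:
    """A user or group, qualified by domain and namespace as in GSA 7.0."""
    name: str
    domain: str
    namespace: str = "Default"
    is_group: bool = False
    case_sensitive: bool = True   # whether name/domain comparison folds case

    def matches(self, other: "Principal") -> bool:
        # The ACL entry's own flag decides how the user's principal is compared.
        if self.is_group != other.is_group or self.namespace != other.namespace:
            return False
        fold = (lambda s: s) if self.case_sensitive else str.lower
        return fold(self.name) == fold(other.name) and fold(self.domain) == fold(other.domain)


@dataclass(frozen=True)
class PolicyAclEntry:
    url_pattern: str        # glob over the document URL, e.g. "http://hr.example.com/*"
    principal: Principal
    permit: bool            # True = PERMIT, False = DENY


def decide(url: str, principals: list, entries: list):
    """Evaluate the Policy ACLs for one result URL.

    `principals` is the requesting user's own Principal plus one Principal per
    group membership. Returns "permit", "deny", or None when no entry applies.
    """
    matched = [e for e in entries
               if fnmatchcase(url, e.url_pattern)
               and any(e.principal.matches(p) for p in principals)]
    if not matched:
        return None
    return "permit" if all(e.permit for e in matched) else "deny"


# Constructed sample data: two groups, three users, four Policy ACL entries.
EMPLOYEES = Principal("Employees", "CORP", is_group=True)
CONTRACTORS = Principal("Contractors", "CORP", is_group=True)
POLICY_ACLS = [
    # Every employee may read anything on example.com hosts.
    PolicyAclEntry("http://*.example.com/*", EMPLOYEES, permit=True),
    # The single entry the text describes: one group denied on one content source.
    PolicyAclEntry("http://hr.example.com/*", CONTRACTORS, permit=False),
    # A SiteMinder-style URL-pattern rule, matched case-insensitively.
    PolicyAclEntry("http://intranet.example.com/*",
                   Principal("Dana", "corp", case_sensitive=False), permit=True),
    # A per-user entry with the default case-sensitive comparison.
    PolicyAclEntry("http://hr.example.com/archive/*", Principal("bob", "CORP"), permit=True),
]
ALICE = [Principal("alice", "CORP"), EMPLOYEES, CONTRACTORS]   # contractor and employee
BOB = [Principal("bob", "CORP"), EMPLOYEES]
DANA = [Principal("dana", "CORP")]                               # no group memberships


if __name__ == "__main__":
    for who, principals in (("alice", ALICE), ("bob", BOB), ("dana", DANA)):
        for url in ("http://hr.example.com/payroll.pdf",
                    "http://intranet.example.com/home",
                    "http://partner.org/doc"):
            print(who, url, decide(url, principals, POLICY_ACLS))
```

Note that `decide` returns None, not "deny", when nothing matches: a Policy ACL that says nothing about a URL should not silently grant or revoke access, it should hand the decision to whatever other mechanism protects that content.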
Late binding authorization
With late binding, the search appliance does not itself hold authorization information (that is, ACLs) for secure content. Before returning search results to the user, the GSA must contact a third-party component and ask, for each protected document in the result set, whether the user is allowed to read it; the component returns the authorization decision to the search appliance. That component can be either the content source itself or an authorization server that centralizes the decision.
The GSA supports the following late binding approaches:
Connectors
Google provides some [...] projects to integrate the search appliance with third-party sources, fully supported by Google. They run on [...]
The main advantage of using this platform to build your own connectors is that it integrates tightly with the search appliance, from configuration and indexing through to security.
The connector framework provides an authorization SPI that any connector can implement. The interface works in batch mode (multiple documents in one call), so decisions are returned without excessive round trips. Google partner-provided connectors built on the framework use the same approach.
SAML Authorization
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. It is a standard most often used for authentication, but it can optionally be used for authorization as well. Using SAML for authorization does not require using it for authentication, and vice versa; the two are independent. In this case, the search appliance sends SAML authorization requests in XML format to the external service you have configured, and that service responds with the authorization decision for each document.
Off-the-shelf SAML authentication products (IdPs) are quite common, but SAML authorization service providers are not. This means that this approach will most likely be a custom project developed by you rather than an existing product.
Authorizing with batched HEAD requests is also possible, but it is considered a legacy feature from a time when connector and ACL authorization were not available.
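The exchange described above, written out as an added example (not the GSA's own code or any Google connector): the search-appliance side builds one SAML 2.0 `samlp:AuthzDecisionQuery` per result document, a stub authorization service (the kind of custom project the text says you would have to build) answers each with a `saml:AuthzDecisionStatement`, and the appliance side keeps only documents with an explicit `Permit`. The stub's rule table, the user names, the URLs, the issuer names and the choice to treat anything other than a well-formed `Permit` as a deny are assumptions made for this example; the GSA's endpoint configuration and how queries are batched on the wire are not shown.

```python
"""Added example: a minimal SAML 2.0 authorization-decision exchange.

Not the search appliance's or Google's code. The PDP rules, users, URLs and
issuer names below are constructed for illustration.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from fnmatch import fnmatchcase

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GHPP = "urn:oasis:names:tc:SAML:1.0:action:ghpp"   # SAML action namespace for HTTP verbs
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authz_query(user: str, resource: str):
    """Appliance side: ask whether `user` may GET `resource`. Returns (query id, XML)."""
    qid = "_" + uuid.uuid4().hex
    q = ET.Element(f"{{{SAMLP}}}AuthzDecisionQuery",
                   {"ID": qid, "Version": "2.0", "IssueInstant": _now(), "Resource": resource})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = "gsa.example.com"      # assumed appliance name
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    ET.SubElement(q, f"{{{SAML}}}Action", {"Namespace": GHPP}).text = "GET"
    return qid, ET.tostring(q)


def pdp_handle(query_xml: bytes, rules) -> bytes:
    """Authorization-service side (stub). `rules` is a list of (url_glob, allowed_users),
    evaluated first-match; a resource that no rule covers yields Indeterminate."""
    q = ET.fromstring(query_xml)
    resource = q.get("Resource")
    user = q.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    decision = "Indeterminate"
    for pattern, allowed in rules:
        if fnmatchcase(resource, pattern):
            decision = "Permit" if user in allowed else "Deny"
            break
    r = ET.Element(f"{{{SAMLP}}}Response",
                   {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                    "IssueInstant": _now(), "InResponseTo": q.get("ID")})
    status = ET.SubElement(r, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(r, f"{{{SAML}}}Assertion",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "authz.example.com"     # assumed PDP name
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthzDecisionStatement",
                         {"Resource": resource, "Decision": decision})
    ET.SubElement(stmt, f"{{{SAML}}}Action", {"Namespace": GHPP}).text = "GET"
    return ET.tostring(r)


def parse_decision(response_xml: bytes, expected_query_id: str) -> str:
    """Appliance side: extract the Decision. Fails closed: a response that does not
    answer our query, or lacks a Success status or a decision statement, is a Deny."""
    r = ET.fromstring(response_xml)
    code = r.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if r.get("InResponseTo") != expected_query_id or code is None or code.get("Value") != SUCCESS:
        return "Deny"
    stmt = r.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthzDecisionStatement")
    return stmt.get("Decision", "Deny") if stmt is not None else "Deny"


def filter_results(user: str, urls: list, rules) -> list:
    """Late-binding check of a result list: keep only documents the PDP explicitly permits."""
    readable = []
    for url in urls:
        qid, query = build_authz_query(user, url)
        if parse_decision(pdp_handle(query, rules), qid) == "Permit":
            readable.append(url)
    return readable


# Constructed sample data: URL-pattern rules on the PDP and a result list to filter.
RULES = [
    ("http://hr.example.com/*", {"alice"}),
    ("http://intranet.example.com/*", {"alice", "bob"}),
]
SAMPLE_URLS = [
    "http://hr.example.com/payroll.pdf",
    "http://intranet.example.com/news.html",
    "http://wiki.example.com/page",          # no rule covers it: Indeterminate, so dropped
]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, filter_results(who, SAMPLE_URLS, RULES))
```

Two design points worth keeping when you build the real thing: the appliance side checks `InResponseTo` against the ID it issued, so a replayed or misrouted response cannot grant access, and `Indeterminate` is treated exactly like `Deny`, since a document the authorization service cannot vouch for must not appear in results. A production PDP would additionally sign the assertion and the appliance would verify that signature before trusting the decision.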