Google Search Appliance Security User Manual
Page 11

SAML authorizations can be managed in batches, so that the search appliance sends a list of URLs for
authorization in a single request, which can speed up the process. You can activate this option in the GSA
Admin Console, but your SAML authorization provider has to support it.
Head requests
Finally, it’s also possible to send a
The GSA can send an HTTP request using the document URL and read the HTTP response from the
source to determine authorization based on the HTTP status code:
● 200: This code means that the user is able to access the document, so the search appliance
considers it permitted. It is also possible to define exclusion rules in the search appliance, because
some content sources answer with HTTP 200 even when the page carries a "no access permitted"
message, as is the case with some web portal solutions.
● Any other status code means the user is not able to access that particular document.
To verify the permission for all the results, one HEAD request is sent per document, sequentially, until
enough permitted documents are found to fill at least one search results page. That is why the HEAD
request is the worst performing authorization mechanism. It is generally used when there is no way to
extract the ACL or to verify permissions through an API.
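The following Python is an added illustration of the HEAD-request authorization described above; it is not code from the manual or from the GSA itself. It treats 200 as permitted, any other status as denied, applies exclusion rules to a 200 whose redirect target or page text looks like a "no access" page, and checks candidate results one at a time until a page is filled. The Response class, the constructed content source, the regex-based exclusion-rule syntax and the example URLs are all assumptions made for the demonstration; the GSA's real rule format is not shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

@dataclass
class Response:
    """Minimal model of what a HEAD request returns: status code and headers.
    The body field stands in for page text a source might return alongside
    a 200 (an assumption; it only exists so exclusion rules can be modelled)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

Fetcher = Callable[[str], Response]

def authorize_by_head(url: str, fetch: Fetcher,
                      exclusion_patterns: Sequence[str] = ()) -> bool:
    """True only if the source answered 200 and no exclusion rule matched.
    Every other status (401, 403, 404, 5xx, ...) is a deny: fail closed."""
    resp = fetch(url)
    if resp.status != 200:
        return False
    # Exclusion rules (assumed syntax: regexes) turn a misleading 200 into a
    # deny, e.g. a portal that redirects to its login page or returns an
    # "access denied" page with status 200.
    haystack = resp.headers.get("Location", "") + "\n" + resp.body
    return not any(re.search(p, haystack, re.IGNORECASE) for p in exclusion_patterns)

def fill_results_page(candidates: Sequence[str], fetch: Fetcher, page_size: int,
                      exclusion_patterns: Sequence[str] = ()) -> Tuple[List[str], int]:
    """HEAD-check candidates in order until page_size permitted documents are
    found. Returns (permitted_urls, head_requests_sent); the second value is
    what makes this mechanism expensive: every denied hit costs a request."""
    permitted: List[str] = []
    sent = 0
    for url in candidates:
        if len(permitted) >= page_size:
            break
        sent += 1
        if authorize_by_head(url, fetch, exclusion_patterns):
            permitted.append(url)
    return permitted, sent

# Constructed stand-in for a content source (not real hosts or documents).
CONSTRUCTED_SOURCE: Dict[str, Response] = {
    "https://intranet.example/docs/public-1": Response(200),
    "https://intranet.example/docs/secret-2": Response(403),
    "https://intranet.example/docs/missing-3": Response(404),
    "https://portal.example/page-4": Response(200, body="<h1>No access permitted</h1>"),
    "https://portal.example/page-5": Response(200, {"Location": "https://portal.example/login?denied=1"}),
    "https://intranet.example/docs/public-6": Response(200),
    "https://intranet.example/docs/public-7": Response(200),
}

def constructed_fetch(url: str) -> Response:
    # An unknown URL behaves like a source that does not have the document.
    return CONSTRUCTED_SOURCE.get(url, Response(404))

# Assumed exclusion rules: a "no access" page text, or a redirect to a login page.
EXCLUSION_RULES = (r"no access permitted", r"/login\?")

def demo(page_size: int = 3) -> Tuple[List[str], int]:
    """Fill one results page from the constructed source and report the cost."""
    return fill_results_page(list(CONSTRUCTED_SOURCE), constructed_fetch,
                             page_size, EXCLUSION_RULES)

if __name__ == "__main__":
    docs, requests_sent = demo()
    print(f"{len(docs)} permitted documents after {requests_sent} HEAD requests")
```

Running demo() with a page size of 3 needs all seven HEAD requests to find three permitted documents, because four of the candidates are denied (two by status code, two by exclusion rule). Without the exclusion rules, the portal pages 4 and 5 would be shown to the user as if permitted, which is the misconfiguration the manual's note about "200 with a no access message" is warning about.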
Connector 4.0 (beta)
from previous releases. Note that it is still in a beta release. The security features it provides also work
differently from previous releases. Here are some key differences for security:
● A connector can be built to provide authentication and authorization. The communication protocol
between the appliance and the connector is no longer proprietary XML. Instead, SAML is used as
the underlying message exchange mechanism. An example of this connector is t
same as configuring a SAML provider.
● A connector built on the 4.0 framework supports Per-URL-ACL.
● Connectors can be built to provide group resolution through SAML authentication. However, the
preferred group resolution to use as of GSA 7.2 is (beta). Group resolution through SAML is part of
SAML authentication, unlike the previous connector framework, where connectors could solely perform
group resolution while authentication was performed by another mechanism.
Selecting an authentication mechanism
There are usually several authentication mechanisms at your disposal for a deployment. As stated in
chapter one, the main goal is to use as few authentication mechanisms as possible. Quite often there is
also an additional requirement: silent authentication. Not every authentication mechanism can work with
every authorization mechanism. All authorization mechanisms can be categorized into two types:
● User ID is required
● User ID is not required