
Chapter 2 using out of box features, Silent authentication – Google Search Appliance Security User Manual


Chapter 2 Using Out of box features

In this chapter, we will look at the details of some of the authentication and authorization mechanisms.
We will also discuss common scenarios that are supported by Google Search Appliance and related
products offered by Google. We will focus on scenarios that don’t require writing code.

Silent authentication

IT security aims to protect applications and data while still providing accurate information to users in a
secure manner. It’s also important for access control mechanisms to have a minimal impact on users. For
example, if a user has already been authenticated by a trusted component, applications should rely on
that process to avoid prompting the user multiple times for their credentials or to verify their identity. This
is the concept behind silent authentication—verifying a user’s identity on the GSA without prompting or
requiring them to go through an additional login process.

Silent authentication can be implemented for a search service as for any other application in an
organization. There are different authentication mechanisms that enable you to provide a silent
authentication experience, including protocols, such as Kerberos or NTLM, or corporate applications such
as an SSO system.

Before you implement silent authentication for your search environment, answer the following questions:

What are the silent authentication options within your organization? Is there a preferred option?

Where there is more than one silent authentication option (for instance, forms-based
and Kerberos), do they manage the different user identities and credentials needed for
authorization? You have to understand whether using just one of them is sufficient or whether you
need both. Also consider whether one can assert the identity of the other.

Are there multiple authentication domains, for instance different Windows domains for
Kerberos? This information is also important for modeling the authorization process.

Which applications or content sources that you have to integrate with the search engine are also
using the silent authentication mechanism? You might be able to leverage it.

The search appliance can be integrated out-of-the-box with the following silent authentication
protocols/systems:

Forms or cookie-based authentication

Forms or cookie-based authentication is the process driven by a session cookie, typically from a Single
Sign-On system. This could potentially be silent if the user has already been authenticated before
reaching the search application. If not, the user would be prompted for credentials to create the proper
session cookies that provide the SSO experience. The Cookie Authentication Scenarios section in GSA
documentation provides technical details about how to integrate with an SSO system. If it’s also required to
pass a user ID to the search appliance, you have to implement a cookie-cracking process.
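
The cookie-cracking step mentioned above, sketched as an added example that is not part of the manual or of Google's code: a function on the SSO side verifies the session cookie the appliance forwards and returns the user ID only when the cookie is authentic and unexpired. The cookie name `SSOSESSION`, its `user:expiry:HMAC` layout, the demo key and the `X-Username` response header are assumptions; confirm the expected header against the Cookie Authentication Scenarios section for your appliance version.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

# Assumptions (not from the manual): the SSO system issues a cookie named
# SSOSESSION with value "<user>:<expiry-epoch>:<hex HMAC-SHA256>", and the
# appliance reads the verified identity from an X-Username response header.
COOKIE_NAME = "SSOSESSION"
SSO_KEY = b"constructed-demo-key"  # placeholder; load from a secret store


def sign(user, expiry, key=SSO_KEY):
    """Build a cookie value the way the hypothetical SSO system would."""
    payload = f"{user}:{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def crack_cookie(cookie_header, now=None, key=SSO_KEY):
    """Return (HTTP status, response headers) for a forwarded Cookie header."""
    now = time.time() if now is None else now
    try:
        jar = SimpleCookie()
        jar.load(cookie_header)
        user, expiry, mac = jar[COOKIE_NAME].value.rsplit(":", 2)
        expected = hmac.new(key, f"{user}:{expiry}".encode(),
                            hashlib.sha256).hexdigest()
        # Verify the MAC in constant time before trusting any field.
        if not hmac.compare_digest(mac, expected):
            return 401, {}
        if int(expiry) <= now:
            return 401, {}  # session expired: force a fresh SSO login
    except Exception:
        # Missing cookie, malformed value or non-numeric expiry: fail closed.
        return 401, {}
    # The user ID is echoed into a header, so refuse CR/LF (header injection).
    if not user or "\r" in user or "\n" in user:
        return 401, {}
    return 200, {"X-Username": user}
```

Every failure path returns 401 with no identity header, so a forged, expired or absent cookie never yields a user ID for the appliance to authorize against.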