SAML, Early Binding with Per-URL ACL – Google Search Appliance Security User Manual

Page 16


Kerberos

The Kerberos protocol is used by default in Windows networks. The search appliance can be configured to enable Kerberos so that the authentication is transparent to users.


SAML

Many SSO systems support the SAML protocol and provide a silent authentication process. Note that the SAML protocol is a way for an external service to securely assert the user's identity to the GSA. The actual authentication between the user and this service still uses standard authentication protocols such as Kerberos, NTLM, or cookie-based authentication. It is rare that you have to write a SAML identity provider (called a SAML IdP) from scratch. It is far more common to integrate the GSA with a SAML IdP already deployed in the customer's network.


Client Certificates

This is not a common scenario. However, in those environments where users do have client certificates, it is also possible to configure the search appliance to authenticate users through X.509 certificates, which can also provide silent authentication to users.

SAML

The search appliance supports integration with SAML, a security standard that enables you to create ad-hoc authentication processes outside the search appliance. If you build a SAML authentication provider, you can implement whatever authentication logic you need. If the user is authenticated properly by this external process, the user identity is passed back to the search appliance.

Because SAML is a security standard, it is supported by some commercial and open source
authentication solutions and some SSO systems provide a SAML interface. Check whether your
organization’s authentication solutions already provide such an authentication interface to facilitate the
integration with the search appliance. If so, it might not be necessary to develop such a service.

Consider that it is also possible to configure a SAML authorization process as described in Chapter 3, but this is independent from whether SAML authentication is configured or not.

You can refer to the GSA product documentation to learn how to set up SAML in the search appliance.

Early binding with Per-URL ACL

When utilizing ACLs for authorization, note that all components that make up an ACL must match the
resolved identity for the ACL check to pass: domain, user principal, group principals, namespaces for
group and user principals, case sensitivity specified, and ACL type (Permit/Deny).
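The component-by-component match described above, as an added illustration that is not GSA code and not part of the original manual: a constructed model in which an ACL entry matches a resolved principal only when user/group type, namespace, domain and name all agree, with the entry's own case-sensitivity setting deciding how names are compared. The class and field names, the exact-namespace rule, and the Deny-overrides-Permit precedence are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model (not GSA code) of the early-binding per-URL ACL check the
# manual describes: every component of an ACL principal (domain, name,
# namespace, user/group type, case sensitivity) must match the resolved
# identity before the entry's Permit/Deny applies. Field names are assumptions.

@dataclass(frozen=True)
class Principal:
    name: str                    # user or group principal name
    domain: str                  # e.g. "corp" (constructed value)
    namespace: str               # namespace the principal belongs to
    is_group: bool = False
    case_sensitive: bool = True  # on an ACL entry: how its names are compared

    def matches(self, resolved: "Principal") -> bool:
        """Return True only if *every* component agrees with the resolved
        principal; the ACL entry's case-sensitivity flag governs the compare."""
        if self.is_group != resolved.is_group:
            return False
        if self.namespace != resolved.namespace:  # namespaces compared exactly (assumption)
            return False
        norm = (lambda s: s) if self.case_sensitive else str.lower
        return (norm(self.name) == norm(resolved.name)
                and norm(self.domain) == norm(resolved.domain))

@dataclass
class Identity:
    """What the GSA holds after authentication: the user ID plus its groups."""
    user: Principal
    groups: List[Principal] = field(default_factory=list)

    def principals(self) -> List[Principal]:
        return [self.user, *self.groups]

@dataclass
class Acl:
    permits: List[Principal]
    denies: List[Principal]

def is_authorized(acl: Acl, identity: Identity) -> bool:
    """Assumed precedence: any matching Deny wins, then any matching Permit
    grants access, and an ACL with no matching entry denies by default."""
    mine = identity.principals()
    if any(d.matches(p) for p in mine for d in acl.denies):
        return False
    return any(a.matches(p) for p in mine for a in acl.permits)
```

A principal that differs in only one component (a group resolved into a different namespace, or a name that differs only in case against a case-sensitive entry) fails the check, which is the usual cause of unexpected denials when ACLs are fed from one source and identities from another.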


Group Resolution

Unlike the other authorization mechanisms, ACL authorization has an additional step: group resolution for a verified user ID. The concept of group resolution is very important in the context of early binding ACL support in the GSA. Because a user can be a member of different groups in an identity management system, the same modeling of identity needs to be provided on the GSA. After authentication, the GSA stores the user ID along with the groups the user is a member of. There are five options to resolve groups: