Connector 4.0(beta) – Google Search Appliance Security User Manual


Working with Per-URL ACL

The indexing of ACLs by Connector 4.0 differs from that of previous versions:

● ACLs are not sent in via feeds. Instead, they are indexed as HTTP headers.

● If ACLs are hierarchical, they won’t be flattened. Inheritance will always be used.

● Namespace needs to be handled by each connector. The File system connector and SharePoint connector use the name “adaptor.namespace” as the configuration entry.

● There is no more Local Namespace concept; you are free to specify any namespace. All ACLs from a given connector use the same namespace, except in the following scenario.

● principal-type is no longer used by Connector 4.0. The scope of a SharePoint group will be appended to the namespace, and the principal will be sent without the prefix. For example, the group “My SP Group” within http://sharepointhost/sitecollection/ will be processed by the SharePoint connector as follows (assuming the Credential Group is “Default”):

Namespace: Default_http://sharepointhost/sitecollection/
Principal name: My SP Group

If the principal has a domain, such as mydomain\mygroup, it will be processed as follows:

Namespace: Default
Principal name: mygroup
Domain: mydomain
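The two processing rules above, written out as a small Python model. This is an added illustration, not code from the connector; the function name and the Principal record are assumptions, and the scope URL, credential group and principal names are the constructed values from the examples above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """The three fields the SharePoint connector emits for an ACL principal."""
    namespace: str
    name: str
    domain: Optional[str] = None


def process_sharepoint_principal(credential_group: str, scope_url: str, raw_name: str) -> Principal:
    """Hypothetical model of how the SharePoint connector forms a principal.

    - A principal written as DOMAIN\\name keeps the credential group as its
      namespace and carries the domain separately, without any prefix on the name.
    - Any other principal is a SharePoint group scoped to a site collection: the
      scope URL is appended to the credential group to form the namespace.
    """
    if "\\" in raw_name:
        domain, _, name = raw_name.partition("\\")
        return Principal(namespace=credential_group, name=name, domain=domain)
    return Principal(namespace=f"{credential_group}_{scope_url}", name=raw_name)


def same_principal(a: Principal, b: Principal) -> bool:
    """Two principals match only if namespace, name and domain all agree.

    This is why the scope goes into the namespace: a group called "My SP Group"
    in two different site collections must not grant access to each other's content.
    """
    return a == b


if __name__ == "__main__":
    # Constructed values taken from the examples in the text above.
    group = process_sharepoint_principal("Default", "http://sharepointhost/sitecollection/", "My SP Group")
    other = process_sharepoint_principal("Default", "http://sharepointhost/othercollection/", "My SP Group")
    domain_group = process_sharepoint_principal("Default", "http://sharepointhost/sitecollection/", "mydomain\\mygroup")
    print(group)
    print(domain_group)
    print("same group across site collections:", same_principal(group, other))
```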


Authentication

As discussed in Chapter 1, connector authentication uses the SAML protocol. The connector framework 4.0 provides SAML as the foundation for security. Connectors based on the new framework must provide their own implementation of the authentication process for the targeted content source. Here is how you configure it in the Admin Console: under Search > Secure Search > Universal Login Auth Mechanisms > SAML, you need to enter the following values:

IDP Entity ID: The server.samlEntityId configuration entry from the connector configuration file.

Login URL: https://connector-host-name:port/samlip

Public Key:

Here are some notes about the SAML implementation by the connector:

● You can have multiple connectors providing authentication. Each will have a different Entity ID.

● Only the POST binding is supported.

● The endpoint of the SAML IdP, “samlip”, is hardcoded.

● Groups can be returned as part of the SAML assertion in the “member-of” attribute.