Security in windows environments – Google Search Appliance Security User Manual
Page 21
Authorization
The “Authorization” in this section refers to late binding when using Connector 4.0. To configure it, in the
Admin Console, under Search > Secure Search > Flexible Authorization, set the Authorization service URL to
https://connector-host-name:port/saml-authz.
Security in Windows environments
The majority of deployments of the appliance, which incorporate secure content search, occur in a
Microsoft Windows environment. Google provides two accompanying products for the integration: the
SAML Bridge and the Active Directory Groups Connector.
SAML Bridge
The search appliance supports Kerberos authentication in Windows directly, without any external
components being installed on the GSA. Because Kerberos is available in all Windows environments, it is the
recommended mechanism for silent authentication. However, it might not be sufficient, for the following
reasons:
1. Kerberos is quite sensitive to the environment. For example, a client device might not support
Kerberos, or a particular network scenario might not. In those cases native Windows clients fall back
to NTLM authentication, but the search appliance does not natively support NTLM, so there is nothing
to fall back to.
2. Some organizations do not allow the use of keytab files for Kerberos. The GSA requires a keytab file
in order to enable Kerberos.
3. When the GSA is Kerberos-enabled and used for HEAD request authorization, it can only perform
unconstrained delegation. This is not acceptable to some organizations.
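Reason 3 is worth checking rather than assuming: an account that is "trusted for delegation to any service" (unconstrained delegation) can reuse any forwarded TGT against any service in the forest. The following is an added example, not GSA or Google code, that classifies an account's delegation setting from the attributes an LDAP search returns, and builds the LDAP filter that asks a domain controller for all such accounts. The userAccountControl bit values, the msDS-AllowedToDelegateTo attribute and the 1.2.840.113556.1.4.803 bitwise-AND matching rule are the documented Active Directory ones; the account names and entries are constructed sample data.

```python
# Added example (not GSA or Google code): classify how an Active Directory
# account is allowed to delegate, from the attributes an LDAP search returns.
# Attribute names and userAccountControl bit values are the documented AD
# ones; the account entries below are constructed sample data.

# userAccountControl flags relevant to Kerberos delegation
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # "trust for delegation to any service" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def delegation_type(entry):
    """Return 'unconstrained', 'constrained-protocol-transition',
    'constrained' or 'none' for one account entry."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        # Unconstrained: any TGT forwarded to this account can be reused anywhere.
        return "unconstrained"
    if targets:
        # Constrained: service tickets may only be requested for the listed SPNs.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    return "none"


def unconstrained_accounts(entries):
    """Accounts configured for unconstrained delegation, excluding domain
    controllers, which carry TRUSTED_FOR_DELEGATION by default."""
    return sorted(
        e["sAMAccountName"] for e in entries
        if delegation_type(e) == "unconstrained"
        and not int(e.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT
    )


def unconstrained_delegation_filter():
    """LDAP filter that asks the domain controller for the same set directly.
    1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule."""
    return ("(&(userAccountControl:1.2.840.113556.1.4.803:={0})"
            "(!(userAccountControl:1.2.840.113556.1.4.803:={1})))"
            ).format(TRUSTED_FOR_DELEGATION, SERVER_TRUST_ACCOUNT)


# Constructed sample entries (hypothetical names), shaped like LDAP results.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "gsa-svc", "userAccountControl": 0x200 | 0x80000},
    {"sAMAccountName": "dc01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "web01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["HTTP/sp01.corp.example"]},
    {"sAMAccountName": "svc-proxy", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["cifs/files01.corp.example"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], delegation_type(e))
    print("unconstrained (non-DC):", unconstrained_accounts(SAMPLE_ENTRIES))
    print("filter:", unconstrained_delegation_filter())
```

On the sample data only gsa-svc is reported: dc01$ also has the bit set but is a domain controller. Note that resource-based constrained delegation is configured on the target account (msDS-AllowedToActOnBehalfOfOtherIdentity), not on the delegating account, so this classifier does not see it.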
If you want to enable silent authentication when Kerberos (or the keytab file) cannot be used, you must set
up an external authentication process. Google provides an open-sourced tool called the SAML Bridge. The
SAML Bridge runs outside the GSA infrastructure, so it must be installed on a separate host that is able to
authenticate users using either NTLM or Kerberos. For detailed information about how to set up the SAML
Bridge, see
Active Directory Groups Connector
In a Windows environment, many content sources are integrated with Active Directory, and Active Directory
groups are used to control access to resources. The Google Search Appliance Connector for Active Directory
Groups is a tool that supports early binding. It is the preferred approach to resolving the groups needed for
early binding, rather than LDAP authentication, which can be configured directly on the GSA. LDAP
authentication can also be used to resolve Active Directory groups, but it does so with “late binding”: during
the authentication process, the appliance contacts domain controllers directly to retrieve the groups
associated with the user. The Active Directory Groups Connector instead performs “early binding” of groups
resolution: it traverses Active Directory and stores all user group membership information in its own
database. At serve time, the connector reads from this database instead of contacting domain controllers
directly. This offers much better performance, especially in a large-scale, multiple-domain environment.
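The difference between the two approaches is in where nested group membership gets expanded. The following is an added example, not the connector's code, showing the early-binding idea on a constructed two-domain snapshot: nesting is resolved once, at traversal time, into a per-principal index (a dict stands in for the connector's own database), so the serve-time lookup is a local read. For contrast it also builds the LDAP query a late-binding resolver would send to a domain controller at authentication time, using AD's in-chain matching rule 1.2.840.113556.1.4.1941, with the user DN escaped per RFC 4515 so it cannot alter the filter. All group and user DNs are hypothetical.

```python
# Added example (not the connector's code): early binding of AD group
# membership on a constructed two-domain snapshot. DNs are hypothetical.
from collections import defaultdict, deque

# Constructed snapshot: group DN -> member DNs (users or nested groups).
# EU-Staff and All-Staff nest each other, a cycle that real directories can
# contain and that naive recursion would loop on.
SNAPSHOT = {
    "CN=Finance,OU=Groups,DC=corp,DC=example": [
        "CN=alice,OU=Users,DC=corp,DC=example",
        "CN=Finance-Leads,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Finance-Leads,OU=Groups,DC=corp,DC=example": [
        "CN=bob,OU=Users,DC=corp,DC=example",
    ],
    "CN=All-Staff,OU=Groups,DC=corp,DC=example": [
        "CN=Finance,OU=Groups,DC=corp,DC=example",
        "CN=EU-Staff,OU=Groups,DC=eu,DC=corp,DC=example",
    ],
    "CN=EU-Staff,OU=Groups,DC=eu,DC=corp,DC=example": [
        "CN=carol,OU=Users,DC=eu,DC=corp,DC=example",
        "CN=All-Staff,OU=Groups,DC=corp,DC=example",
    ],
}


def build_membership_index(snapshot):
    """Early binding: resolve nested membership once, at traversal time, into
    principal DN -> set of every group it belongs to, directly or
    transitively. Serve time then needs no domain-controller round trip."""
    direct = defaultdict(set)            # member DN -> groups it is listed in
    for group, members in snapshot.items():
        for member in members:
            direct[member].add(group)
    index = {}
    for principal in set(direct) | set(snapshot):
        seen, queue = set(), deque(direct[principal])
        while queue:                     # breadth-first walk up the nesting
            group = queue.popleft()
            if group in seen:
                continue                 # handles cycles and diamonds
            seen.add(group)
            queue.extend(direct[group])
        index[principal] = seen
    return index


def groups_for(index, principal_dn):
    """Serve-time lookup: a dictionary read, no LDAP call."""
    return sorted(index.get(principal_dn, ()))


def escape_filter_value(value):
    """RFC 4515 escaping so a DN cannot change the structure of the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def late_binding_filter(user_dn):
    """The query a late-binding resolver sends to a domain controller at
    authentication time. 1.2.840.113556.1.4.1941 is AD's in-chain matching
    rule, which makes the server expand nested groups for every request."""
    return "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(user_dn)


if __name__ == "__main__":
    index = build_membership_index(SNAPSHOT)
    for user in ("CN=alice,OU=Users,DC=corp,DC=example",
                 "CN=bob,OU=Users,DC=corp,DC=example",
                 "CN=carol,OU=Users,DC=eu,DC=corp,DC=example"):
        print(user, "->", groups_for(index, user))
        print("  late-binding query:", late_binding_filter(user))
```

With the snapshot above, alice resolves to Finance, All-Staff and EU-Staff (the last two through nesting that crosses the domain boundary), and the cycle between All-Staff and EU-Staff terminates because each group is visited once. A real connector additionally has to refresh the index as group membership changes, which is the price of not consulting the domain controllers at serve time.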