Secure search example – Google Search Appliance Security User Manual
Page 23

Public document
● Public crawled document
● Feed document with no security
● Content from a secure content source that has been marked as public by using the GSA Admin Console

Secure document
● Securely crawled document
● Feed document declared as secure
Users can search for and retrieve public documents without authenticating. There is one exception: GSA 6.14 introduced the perimeter security feature, which ensures that the search appliance serves no results at all without user authentication. When perimeter security is enabled, the search appliance must authenticate the user with one of the configured authentication mechanisms before serving any results. If authentication fails, the GSA serves no results, even public ones. Note that for documents marked as public only authentication is performed; no authorization check is made against them.
To configure perimeter security, first set up an authentication mechanism, which can be any of the mechanisms described in . After that is done, navigate to Serving -> Universal Login and enable perimeter security. Note that once perimeter security is enabled it applies to the GSA globally; it cannot be configured per collection or per front end.
Secure Search Example
Here are the requirements for four content sources, all secure, that are to be included in search:
1. SharePoint 2010, with Kerberos authentication. The Google-supported connector for SharePoint is used to index the content.
2. Salesforce content integrated with a SAML IdP that uses Forms authentication, but whose user directory is still Active Directory. A Salesforce connector is deployed to index the content with ACLs. The connector is built on Google’s connector framework and feeds documents whose URLs start with “googleconnector://”.
3. A custom IIS web site with Kerberos authentication. No API is available for checking permissions or retrieving ACLs, so the GSA crawls the content directly.
4. A legacy business application. Users and permissions are stored in the application’s database. It is not integrated with Active Directory, and there is no direct mapping of user names between Active Directory and this application. Google’s database connector is used to index the content. A SQL query can be used to determine whether a user has access to the database records returned in the search results.
Note also that the organization uses a variety of client devices, some of which do not support Kerberos.
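The per-record authorization check that requirement 4 describes, shown as an added example that is not from the manual and not Google's database connector code. The table names, columns, sample users and record IDs are constructed assumptions; the point is the shape of a late-binding authorization query that is keyed by the legacy application's own user name (not an Active Directory name) and takes the record IDs behind a page of search results, with both bound as parameters rather than spliced into the SQL.

```python
import sqlite3
from typing import Iterable, List

# Constructed sample schema for the hypothetical legacy application
# (table and column names are assumptions, not the real application's):
#   app_users(user_id, username)     the application's own user directory
#   records(record_id, title)        the rows the database connector indexed
#   record_acl(record_id, user_id)   which users may read which record
SCHEMA = """
CREATE TABLE app_users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE records   (record_id TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE record_acl (
    record_id TEXT NOT NULL REFERENCES records(record_id),
    user_id   INTEGER NOT NULL REFERENCES app_users(user_id),
    PRIMARY KEY (record_id, user_id)
);
"""

# Constructed sample data: two legacy-application users and three records.
SAMPLE_USERS = [(1, "jdoe"), (2, "asmith")]
SAMPLE_RECORDS = [("INV-1001", "Invoice 1001"),
                  ("INV-1002", "Invoice 1002"),
                  ("INV-1003", "Invoice 1003")]
SAMPLE_ACL = [("INV-1001", 1), ("INV-1003", 1),   # jdoe may read 1001 and 1003
              ("INV-1002", 2), ("INV-1003", 2)]   # asmith may read 1002 and 1003


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory copy of the (hypothetical) legacy application's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_RECORDS)
    conn.executemany("INSERT INTO record_acl VALUES (?, ?)", SAMPLE_ACL)
    conn.commit()
    return conn


def authorize_records(conn: sqlite3.Connection, legacy_username: str,
                      candidate_ids: Iterable[str]) -> List[str]:
    """Return the subset of candidate record IDs that legacy_username may read.

    legacy_username is the application's own user name, not an Active
    Directory name. candidate_ids are the record IDs behind a page of search
    results. Both are bound as query parameters, never concatenated into the
    SQL text, because the user name comes from the login step and the IDs
    from the index. Anything not explicitly granted (unknown users, unknown
    record IDs, records without an ACL row) is denied.
    """
    ids = list(dict.fromkeys(candidate_ids))    # de-duplicate, keep result order
    if not ids:
        return []
    placeholders = ", ".join("?" * len(ids))    # one "?" per ID; nothing user-supplied
    sql = f"""
        SELECT r.record_id
        FROM records r
        JOIN record_acl a ON a.record_id = r.record_id
        JOIN app_users  u ON u.user_id   = a.user_id
        WHERE u.username = ? AND r.record_id IN ({placeholders})
    """
    allowed = {row[0] for row in conn.execute(sql, [legacy_username, *ids])}
    return [rid for rid in ids if rid in allowed]


if __name__ == "__main__":
    db = build_sample_db()
    hits = ["INV-1001", "INV-1002", "INV-1003", "INV-9999"]   # constructed search hits
    for user in ("jdoe", "asmith", "nobody"):
        print(user, "->", authorize_records(db, user, hits))
```

The query is deliberately a single round trip per page of results rather than one query per hit: an authorization check that runs at serving time sits on the latency path of every search, so batching the candidate IDs matters. The default is deny, so a record ID that the index still holds but the database no longer grants (INV-9999 above) is filtered out rather than served.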
User Identities
SharePoint, Salesforce and the custom IIS web site are backed by the same Active Directory, while the legacy application has its own user store. That means two Credential Groups are needed: the “Default” Credential Group can be used for Active Directory, and a “Legacy” Credential Group is added for the business application.