Google Search Appliance Security User Manual
Page 24
Authorization
When designing a solution, start with authorization. Per-URL ACLs are the obvious choice for the
SharePoint and Salesforce content. Because the GSA connector for Databases supports authorization using a
query, connector authorization can be used for that content. The custom IIS web site requires Head Requests;
since it uses Kerberos, we can use Head Requests with Kerberos. SharePoint, Salesforce and the legacy
applications need a verified user identity, while the custom IIS web site does not.
Authentication
Now that we have decided which authorization mechanisms to use, it is time to select an authentication
mechanism for each Credential Group. For the “Default” Credential Group, we cannot use Kerberos on the GSA
because some client devices do not support Kerberos, which leaves the SAML Bridge as the alternative.
On closer investigation, we might be able to reuse the SAML IdP already in place for the Salesforce
integration: it returns the same verified identity and does not require an additional server to host the
SAML Bridge.
Next, we have to validate whether this authentication strategy satisfies the authorization requirements
tied to the “Default” Credential Group. SharePoint and Salesforce content is covered, since we obtain a
verified identity that is used for the ACL checks. The custom IIS web site poses a challenge: if we use the
Salesforce SAML IdP with cookie authentication, no Kerberos ticket is available for Head Request
authorization. To fulfill this requirement, we can use the SAML Bridge for authorization only, because it
supports Kerberos delegation and can perform batched Head Requests using Kerberos given a username. But
this means we still need to deploy the SAML Bridge, and if we have to deploy it anyway, we can use it for
authentication as well.
For the “Legacy” Credential Group, we need to authenticate users against credentials stored in the
database. However, the GSA connector for Databases does not provide an authentication mechanism. In this
case, customization is needed: the AuthenticationManager interface of the Connector Manager must be
implemented in the database connector.
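As an added illustration, not code from this manual or from Google's database connector, the following is a minimal AuthenticationManager implementation for the “Legacy” Credential Group that checks a submitted password against a salted PBKDF2 hash stored in the database. The Connector Manager SPI class names and method signatures, the legacy_users table layout and the PBKDF2 parameters are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import com.google.enterprise.connector.spi.*;  // Connector Manager SPI; signatures assumed

// Authenticates "Legacy" Credential Group users against salted PBKDF2 hashes in the legacy database.
public class DbAuthenticationManager implements AuthenticationManager {
  private static final int ITERATIONS = 100_000;  // assumed; must match the cost used when hashing
  private final DataSource dataSource;            // JDBC pool for the assumed legacy_users table
  public DbAuthenticationManager(DataSource dataSource) {
    this.dataSource = dataSource;
  }
  @Override
  public AuthenticationResponse authenticate(AuthenticationIdentity identity)
      throws RepositoryException {
    String user = identity.getUsername();
    String password = identity.getPassword();
    if (user == null || password == null || password.isEmpty()) {
      return new AuthenticationResponse(false, null);  // refuse empty or missing credentials
    }
    // Parameterised lookup: the username comes from the login form and is never concatenated into SQL.
    String sql = "SELECT salt, pbkdf2_hash FROM legacy_users WHERE username = ?";
    try (Connection c = dataSource.getConnection();
         PreparedStatement ps = c.prepareStatement(sql)) {
      ps.setString(1, user);
      try (ResultSet rs = ps.executeQuery()) {
        if (!rs.next()) {
          return new AuthenticationResponse(false, null);  // unknown user: same answer as a bad password
        }
        byte[] salt = Base64.getDecoder().decode(rs.getString(1));
        byte[] stored = Base64.getDecoder().decode(rs.getString(2));
        byte[] computed = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, stored.length * 8))
            .getEncoded();
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return new AuthenticationResponse(MessageDigest.isEqual(stored, computed), null);
      }
    } catch (SQLException | GeneralSecurityException e) {
      throw new RepositoryException("credential lookup failed", e);
    }
  }
}
```

The connector's Spring configuration would then return this class from the connector's authentication manager accessor so the GSA can call it for the “Legacy” Credential Group.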
Now that we know which authentication mechanisms we will use, we configure the following two rules in
Universal Login Auth Mechanism:
1. SAML. Using the “Default” Credential Group, the SAML Bridge should be configured in POST Binding mode. See t
2. Connector. Using the “Legacy” Credential Group, the customized Database connector should be configured.