
Chapter 3 authentication for developers, Forms authentication with cookie cracking – Google Search Appliance Security User Manual


Chapter 3 Authentication for Developers

Whenever possible in your deployments, you should try to use existing products, either supported by
Google, provided by Google's partners, or other third-party off-the-shelf products. In general, following this
guidance minimizes project risk and reduces the overall cost of ownership. However, there may still be some
requirements for which you have to develop external custom applications or processes in order to fully
implement security or content integration with the GSA.

The following options are available with the GSA for building custom external authentication processes:

- Forms authentication with cookie cracking
- SAML
- Connector Framework
- Trusted Application (new)

Forms authentication with cookie cracking

If your systems are already using cookie-based authentication, an option for security integration with the
GSA is to reuse and customize the existing authentication process to create a silent authentication
experience on the GSA. Cookie cracking is one possible customization to the existing forms
authentication process, which permits you to extract the user identity behind the user's authentication
cookie and forward that to the search appliance.

The cookie cracking process must be able to discover who the user is behind the cookie by contacting an
external URL, using SSO APIs or the like, and sending user credentials as HTTP Headers to the search
appliance in a secure manner. The user must already be authenticated by the SSO system that has
created the session cookie before reaching the search appliance. If not, the user will be redirected to a
login page to establish the identity with the SSO, after which the credentials would be sent to the GSA.

To implement cookie cracking with your Forms-Based/SSO system, you need to configure an external
URL that is protected behind the SSO system. During the authentication process, the GSA contacts that
URL, forwarding the session cookies already created by the SSO, so that the external service can verify
the user identity and send it back to the search appliance in an HTTP Header named X-Username and,
optionally, X-Groups. You can fully customize this process in a way that lets you model security for your
enterprise search project.

To create the cookie-cracking process, you must perform the following actions:

1. Create a web application that is able to validate a user's identity based on the SSO session
   cookie.

2. Configure a forms-based authentication rule in the GSA's Admin Console.
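The following is an added illustration of step 1, not code from the manual or from Google: a minimal cookie-cracking endpoint that reads the SSO session cookie the GSA forwards, resolves it to a user, and answers with the X-Username and X-Groups headers. The cookie name (SSO_SESSION), the in-memory session table standing in for a call to the SSO's session API, and the comma-separated X-Groups format are all assumptions made for the example.

```python
import http.server
from http.cookies import CookieError, SimpleCookie

# Assumed cookie name issued by the SSO system.
SESSION_COOKIE = "SSO_SESSION"

# Constructed sample session store. In a real deployment this lookup is replaced
# by a call to the SSO API that validates the session token server-side; the
# cookie value itself is never trusted as the identity.
SESSIONS = {
    "a1b2c3": {"user": "jdoe", "groups": ["eng", "search-users"]},
    "d4e5f6": {"user": "asmith", "groups": []},
}


def crack_cookie(cookie_header):
    """Map the forwarded Cookie header to (HTTP status, response headers).

    Returns 401 with no identity headers when the session cookie is missing,
    unparsable or unknown, so the GSA falls back to its login redirect instead
    of receiving a guessed identity.
    """
    if not cookie_header:
        return 401, {}
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return 401, {}
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return 401, {}
    session = SESSIONS.get(morsel.value)  # server-side validation step
    if session is None:
        return 401, {}
    headers = {"X-Username": session["user"]}
    if session["groups"]:
        headers["X-Groups"] = ",".join(session["groups"])
    return 200, headers


class CrackerHandler(http.server.BaseHTTPRequestHandler):
    """HTTP endpoint the GSA's forms-authentication rule points at."""

    def do_GET(self):
        status, headers = crack_cookie(self.headers.get("Cookie"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Serve on localhost only; in production this URL sits behind the SSO and TLS.
    http.server.HTTPServer(("127.0.0.1", 8080), CrackerHandler).serve_forever()
```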