Cookie Cracking vs. SAML, Connector Framework for Group Resolution – Google Search Appliance Security User Manual
Cookie cracking vs. SAML

If you need to customize your authentication process, it’s important to differentiate between cookie
cracking and SAML so that you can plan the best approach before starting the project.

Integration

    SAML: Some Single Sign-On systems provide a SAML authentication interface that might be integrated out of the box with the appliance.

    Cookie Cracking: Some Single Sign-On systems can be integrated easily through cookie cracking.

Complexity

    SAML: It could be more complex if you have to develop a SAML provider from scratch.

    Cookie Cracking: Development costs to develop a cookie cracking solution for the appliance could be lower.

Authentication

    SAML: There is an interaction between the browser (user) and the Service Provider, so it can be used with any point-to-point authentication protocol like Kerberos or NTLM.

    Cookie Cracking: In the authentication process, the appliance contacts the Sample URL with no interaction from the user, so it’s only valid for a cookie-based authentication approach.

To get the exact technical details about how to implement both approaches, see Cookie Cracking and Authentication and Authorization SPI. It’s important to understand the interaction flows behind them both to implement those processes properly.

Connector Framework for Group Resolution

The Connector Framework also provides an interface for user authentication. However, since it’s not a
silent authentication mechanism, connector authentication is not recommended. On the other hand, the
connector can be implemented to provide group resolution for early binding, which proves to be much
more useful. It’s common for a silent authentication mechanism such as Kerberos, SAML or cookie
cracking to be combined with connector-based group resolution.

Interface support

The Connector Framework defines the following interface to be implemented by a connector developer:

    public AuthenticationResponse authenticate(final AuthenticationIdentity identity)
        throws RepositoryLoginException, RepositoryException;

When a connector is configured in Universal Login Authentication Mechanisms, there is an option to
“Perform group resolution only”.
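As an added illustration (not code from the manual or from Google's connector sources), the following connector implements the authenticate() method above for the group-resolution-only case: it never verifies a password, since credential checking is left to the silent mechanism in front of the appliance, and only returns the verified user's groups for early binding. It assumes the Connector Manager SPI package com.google.enterprise.connector.spi, an AuthenticationManager interface carrying this method, the AuthenticationIdentity getters getUsername() and getPassword(), and the AuthenticationResponse constructors (boolean, String) and (boolean, String, Collection); check these against the SPI Javadoc for your connector manager version. The group store is constructed sample data standing in for the repository's directory.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import com.google.enterprise.connector.spi.AuthenticationIdentity;
import com.google.enterprise.connector.spi.AuthenticationManager;
import com.google.enterprise.connector.spi.AuthenticationResponse;
import com.google.enterprise.connector.spi.RepositoryException;
import com.google.enterprise.connector.spi.RepositoryLoginException;

/**
 * Group-resolution-only connector authentication (assumed SPI names, see lead-in).
 * Credential verification is deliberately left to the silent mechanism
 * (Kerberos, SAML, cookie cracking) configured ahead of this connector.
 */
public class GroupResolutionOnlyAuthenticationManager implements AuthenticationManager {

  // Constructed stand-in for the repository's directory or ACL store: user -> groups.
  private final Map<String, Set<String>> groupsByUser;

  public GroupResolutionOnlyAuthenticationManager(Map<String, Set<String>> groupsByUser) {
    this.groupsByUser = groupsByUser;
  }

  @Override
  public AuthenticationResponse authenticate(final AuthenticationIdentity identity)
      throws RepositoryLoginException, RepositoryException {
    // Refuse to act as a password verifier: with "Perform group resolution only"
    // this connector must not turn into a second, non-silent login path.
    if (identity.getPassword() != null && !identity.getPassword().isEmpty()) {
      throw new RepositoryLoginException("this connector does not verify credentials");
    }
    String user = normalize(identity.getUsername());
    if (user == null) {
      // No verified principal was supplied: nothing to resolve.
      return new AuthenticationResponse(false, null);
    }
    Set<String> groups = groupsByUser.get(user);
    // valid=true plus the group list is what the appliance consumes for early binding.
    return new AuthenticationResponse(true, null,
        groups == null ? new HashSet<String>() : new HashSet<String>(groups));
  }

  /** Trims and lower-cases the name so lookups match the store's keys. If more than
   *  one domain is served, keep the domain in the key to avoid cross-domain collisions. */
  static String normalize(String username) {
    if (username == null || username.trim().isEmpty()) return null;
    return username.trim().toLowerCase(Locale.ROOT);
  }
}
```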