Connector 4.0 authentication (beta) – Google Search Appliance Security User Manual


8. When the trusted user session expires (the cookie expires based on the Session timeout setting under Secure Search -> Access Control), the GSA will return an error: "The remote server returned an error: (502) Bad Gateway."

9. When the trusted user session is valid (it has not exceeded the session timeout value), but the authN mechanism's trust duration expires, the appliance performs another authentication using the trusted user credential. The call becomes as slow as the first call that returned the current GSA session cookie.

Best practices

1. If the integration is with a portal, the returned GSA session cookie should be stored in the portal user’s active session. This means different portal users will have different GSA sessions and all must be stored. It also means that these GSA session cookies will be reused for the same end user to avoid trusted user authentication overhead.

2. The best scenario in terms of performance is for the GSA session to stay valid during the portal user’s session. However, there is no such guarantee: the user might browse around the portal for quite a while before performing another search. In the code, you need to handle the case when the GSA session cookie has expired when another call is made.

3. Set the Trust duration of the authN mechanism to be the same as the session timeout. The default session timeout value is 1800 seconds. By doing so, you will avoid the performance hit from another implicit authentication using the Trusted User credential.

4. Domain name should be passed as a prefix to end users’ usernames. Otherwise the call will fail.

Please see Appendix A for a sample client in C#. The class needs to be instantiated for each portal user’s session, and it retries once when the GSA session expires.
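The per-user cookie handling and single retry described in the best practices above, as an added Python sketch (this is not the Appendix A client and not Google's code). The `transport` callable, the class names and the `DOMAIN\user` separator are assumptions made for illustration; `FakeGsa` is a constructed stand-in for the appliance.

```python
from typing import Callable, Optional, Tuple

# Hypothetical transport: (query, user, cookie) -> (status, cookie, body); cookie=None
# means "authenticate with the trusted user credential". sep is an assumed format.
Transport = Callable[[str, str, Optional[str]], Tuple[int, Optional[str], str]]


class GsaSearchSession:
    """Create one per portal user session; never share the cookie across users."""

    def __init__(self, transport: Transport, domain: str, username: str, sep: str = "\\"):
        if not domain or not username:
            raise ValueError("domain and username are both required")
        self._transport = transport
        self._user = f"{domain}{sep}{username}"  # best practice 4: domain prefix
        self._cookie: Optional[str] = None
        self.trusted_auth_count = 0  # number of slow trusted-user authentications

    def _call(self, query: str) -> Tuple[int, str]:
        if self._cookie is None:
            self.trusted_auth_count += 1
        status, cookie, body = self._transport(query, self._user, self._cookie)
        if status == 200 and cookie:
            self._cookie = cookie  # best practice 1: reuse for this user only
        return status, body

    def search(self, query: str) -> str:
        had_cookie = self._cookie is not None
        status, body = self._call(query)
        if status == 502 and had_cookie:
            # Step 8: the cached GSA session expired. Drop it and retry once;
            # the retry re-authenticates with the trusted user credential.
            self._cookie = None
            status, body = self._call(query)
        if status != 200:
            raise RuntimeError(f"GSA request failed with HTTP {status}")
        return body


class FakeGsa:  # constructed stand-in for the appliance so the example runs offline
    def __init__(self):
        self.valid, self.issued = set(), 0
    def __call__(self, query, user, cookie):
        if cookie is None:  # trusted-user authentication issues a new session
            self.issued += 1
            cookie = f"sid-{self.issued}"
            self.valid.add(cookie)
        elif cookie not in self.valid:
            return 502, None, ""
        return 200, cookie, f"results for {query!r} as {user}"
```

A 502 received when no cookie was sent is not retried, so a genuine gateway failure surfaces to the caller instead of triggering repeated trusted-user authentications.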

Connector 4.0 Authentication (beta)

A connector only needs to provide an implementation of the following interface:

public interface AuthnAuthority

and register it with:

AdaptorContext.setAuthnAuthority()

For a reference implementation, you can take a look at the Google Authentication Adaptor. After authentication, an object of class AuthnIdentity is returned. It contains the username, and optionally groups or password.