Google Search Appliance: Getting the Most from Your Google Search Appliance
Essentials
Authentication SPI
The Authentication SPI allows search users to authenticate to the Google Search Appliance. Instead of
authenticating search users itself, the search appliance redirects the user to an Identity Provider, a
customer-implemented server, where the actual authentication takes place. The Identity Provider then
redirects the user back to the appliance, while passing information that includes the identity of the
search user.
The Authentication SPI supports the following methods:
• HTTP Basic
• NTLM HTTP
• Server Message Block (SMB)/Common Internet File System (CIFS) (public only)
If you use the Authentication SPI, you must use the Authorization SPI as well. However, if you decide to
authenticate your users with x509 certificates, or LDAP, you do not need to implement the
Authentication SPI.
Authorization SPI
Once the user’s identity has been authenticated, the Authorization SPI checks whether the user is
authorized to view each of the secure documents that match their search. Using the authenticated
cookie set during authentication, the search appliance sends a SAML authorization request containing
the user’s identity and the URL of the document to the customer’s server that provides access control
services, the Policy Decision Point. For each authorization check request, the Policy Decision Point
responds with one of three decisions: “Permit,” “Deny,” or “Indeterminate.”
The Authorization SPI can be used with any one of the following authentication methods:
• The SAML Authentication SPI, which requires web services from an Identity Provider
• LDAP directory service integration, including ActiveDirectory
• x.509 Certificates for user authentication
When using the SAML Authorization SPI to serve secure content results from SMB shares, you must use
Kerberos for user authentication.
Useful Knowledge for Writing Web Services
To write an Identity Provider or Policy Decision Point web service, you need a basic understanding of the
following technologies.
• XML—Extensible Markup Language
• SAML 2.0—An XML-based standard whose primary use case is inter-domain single sign-on
• SOAP 1.1—The Simple Object Access Protocol, an XML-based protocol for exchanging information over the Internet
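As an added illustration of the Policy Decision Point side of the Authorization SPI exchange described above (example code written for this page, not code from the manual or from Google), the following Python sketch parses a SAML 2.0 AuthzDecisionQuery and answers with an AuthzDecisionStatement whose Decision is Permit, Deny or Indeterminate. It assumes the appliance's request is a standard SAML 2.0 AuthzDecisionQuery carrying the user's NameID as the Subject and the document URL as the Resource attribute; the access-control list, user names and URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:ghpp"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed access-control list (hypothetical users and URL prefixes);
# a real PDP would consult the customer's own access control system.
ACL = {"alice": ["https://intranet.example.com/hr/"],
       "bob": ["https://intranet.example.com/hr/", "https://intranet.example.com/eng/"]}

# Constructed sample query of the kind the appliance would send (assumed SAML 2.0 format).
SAMPLE_QUERY = f"""<samlp:AuthzDecisionQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_q1" Version="2.0" Resource="https://intranet.example.com/hr/salaries.pdf">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Action Namespace="{ACTION_NS}">GET</saml:Action>
</samlp:AuthzDecisionQuery>"""

def decide(user, url):
    """Permit or Deny for a known user by URL prefix; Indeterminate when the PDP
    has no record of the user or the request lacks a user or URL (fail closed)."""
    if not user or not url or user not in ACL:
        return "Indeterminate"
    return "Permit" if any(url.startswith(p) for p in ACL[user]) else "Deny"

def handle_authz_query(xml_text):
    """Parse an AuthzDecisionQuery and return (decision, samlp:Response as a string).
    For input from the network, prefer a hardened parser such as defusedxml."""
    query = ET.fromstring(xml_text)
    if query.tag != f"{{{SAMLP}}}AuthzDecisionQuery":
        raise ValueError("expected a samlp:AuthzDecisionQuery")
    url = query.get("Resource")
    name_id = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    user = name_id.text.strip() if name_id is not None and name_id.text else None
    decision = decide(user, url)
    # Build the samlp:Response carrying a single AuthzDecisionStatement.
    resp = ET.Element(f"{{{SAMLP}}}Response",
                      {"ID": "_r1", "Version": "2.0", "InResponseTo": query.get("ID", "")})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthzDecisionStatement",
                         {"Resource": url or "", "Decision": decision})
    ET.SubElement(stmt, f"{{{SAML}}}Action", {"Namespace": ACTION_NS}).text = "GET"
    return decision, ET.tostring(resp, encoding="unicode")
```

Unknown users and malformed requests deliberately yield Indeterminate rather than Permit, so a misconfigured PDP never grants access by accident.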
Configuring the Search Appliance for Using the SPIs
Configure the search appliance to use the Authentication SPI by using the SAML tab of the Search >
Secure Search > Universal Login Auth Mechanisms page. Configure the search appliance to use the
Authorization SPI by using the Search > Secure Search > Flexible Authorization page.