Google Search Appliance Configuring GSA Unification User Manual

Configuring Kerberos Authentication with Delegated Authorization

Use these instructions to configure Kerberos authentication in a unified environment that uses
delegated authentication.

1. Configure a pair of search appliances in a unified environment.

2. On the GSA Unification > Host Configuration page, in the Unification Settings section, check the delegated authentication checkbox.

3. Enable Kerberos, using the instructions in “Kerberos-Based Authentication” in Managing Search for Controlled-Access Content.

4. Configure the different crawl patterns on the two search appliances on the Crawl and Index > Crawl URLs page. Ensure that you configure both Start Crawling from the Following URLs and Follow and Crawl Only URLs with the Following Patterns.

Type of User Authentication: Single connector using metadata and URL feeds

How the User is Authenticated and Results are Authorized:
Authorization is performed by sending a HEAD request. Any authentication method can be used for authenticating users. Authentication is performed on the primary GSA. Because delegated authorization is configured, authorization takes place on secondary search appliances using a HEAD request.

What to do on the Primary Search Appliance:
Configure the specific authentication method on the Universal Login Auth Mechanisms. If connector manager authentication is being used, configure a connector manager on the primary search appliance with the same name that is used for crawl on the secondary search appliances.

What to do on the Secondary Search Appliances:
Configure the connector for crawling on the Connector Administration page. Because the connector sends content feeds, authorization is automatically performed by the connector and no special configuration is needed.


Type of User Authentication: Multiple connectors

How the User is Authenticated and Results are Authorized:
To enable all connectors to use a single identity obtained from standard authentication method (for example, SAML IdP, cookie-based, HTTP Basic), configure the right tab corresponding to the authentication method in Universal Login Form.
To enable all connectors to use different authentication methods, the connector type must support the connector authentication SPI.

What to do on the Primary Search Appliance:
To enable all connectors to use a single identity obtained from standard authentication method (for example, SAML IdP, cookie-based, HTTP Basic), configure the tab corresponding to the authentication method in Universal Login Form.
To enable all connectors to use different authentication methods, configure connector information on the Connector tab on Serving > Universal Login Form > Credential Group > Edit. The connector must support authentication. Configure the credential group for the connectors configured on the primary as well as secondary search appliances.

What to do on the Secondary Search Appliances:
For both use cases, configure the connectors for crawl. Configure the credential group for connector on the secondary search appliance, if this appliance will be used to perform search.