1 Google Search Appliance Security May 2014 © 2014 Google
10 Although not as commonly used as Per-URL ACLs, it is a very flexible tool that can come in handy in unique situations. For example, if there is
11 SAML authorizations can be managed in batches, so that the search appliance can send a list of URLs for authorization per request, which can spe
12 All authorization mechanisms except Head Requests require a user ID. The following table lists authentication mechanisms that would result in a U
13 Authentication Mechanism when user ID is not required (Head Requests) Cookie This is the most common situation; the search appliance forwards
14 there are clear rules about which mechanisms can and cannot be used together: ● Per-URL ACL ○ The ACLs are part of the index and cannot be added or r
15 Chapter 2 Using Out-of-the-Box Features In this chapter, we will look at the details of some of the authentication and authorization mechanisms. We
16 Kerberos The Kerberos protocol is used by default in Windows networks. The search appliance can be configured to enable Kerberos so that the aut
17 ● Groups database (beta). Starting from release 7.2, the search appliance includes an internal database that stores ACLs. This is still a beta
18 John Smith's first identity, jsmith, is from the company-wide Active Directory. Naturally, jsmith is also a member of a number of AD groups.
19 Connectors using Per-URL ACL Local Namespace The Connector Framework introduced the concept of "Local Namespace." Note that this is a
2 Security Security is a key consideration when designing and implementing solutions that integrate data from different sources for enterprise sea
20 Connector 4.0 (beta) Working with Per-URL ACL The indexing of ACLs by Connector 4.0 differs from that of previous versions: ● ACLs are not sen
21 Authorization The “Authorization” in this section refers to late binding when using Connector 4.0. To configure this, you need to perfo
22 Here are some unique behaviors and deployment best practices: ● The connector will run for a long time—it could be days if the Active Directo
23 Public document Secure document ● Public crawled document ● Feed document with no security ● Content from a secure content source that has been
24 Authorization When designing a solution, start with authorization. It is clear that we should use Per-URL ACL for Sha
25 Flexible Authorization Rules In general, for most deployments, we can leave the first three entries of Flexible Authorization alone: PER_URL_ACL, CA
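To make the rule-ordering behavior concrete, here is an added Python model of an ordered Flexible Authorization list; it is example code written for this edit, not code from the paper or from the GSA itself. PER_URL_ACL and CACHE are the two rule names visible in the text; the CONNECTOR rule name, the URL patterns, the constructed ACL index and the back-end responses are assumptions made for illustration, and URL pattern matching is simplified to prefix matching. Each rule answers PERMIT, DENY or INDETERMINATE; INDETERMINATE falls through to the next matching rule, and a URL that exhausts the list is denied.

```python
# Added example, not from the GSA paper: an ordered Flexible Authorization
# rule list. Each rule answers PERMIT, DENY or INDETERMINATE for a URL and
# user; INDETERMINATE falls through to the next rule whose URL pattern
# matches, and a URL that exhausts the list is denied (fail closed).
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"

# Constructed back-end data standing in for the index and a content source.
ACL_INDEX: Dict[str, Set[str]] = {            # per-URL ACLs already in the index
    "http://docs.example.com/finance/budget.xlsx": {"finance"},
}
SOURCE_PERMITS: Dict[str, Set[str]] = {       # what a late-binding call would return
    "http://docs.example.com/finance/report.docx": {"jsmith"},
}
USER_GROUPS: Dict[str, Set[str]] = {"jsmith": {"everyone", "finance"},
                                    "bjones": {"everyone"}}

class Connector:
    """Stands in for a late-binding authorization call; counts round trips."""
    calls = 0

    @staticmethod
    def decide(url, user):
        Connector.calls += 1
        if url not in SOURCE_PERMITS:
            return INDETERMINATE
        return PERMIT if user in SOURCE_PERMITS[url] else DENY

def per_url_acl(url, user):
    """PER_URL_ACL: early binding from the index; an unknown URL has no opinion."""
    if url not in ACL_INDEX:
        return INDETERMINATE
    return PERMIT if USER_GROUPS.get(user, set()) & ACL_INDEX[url] else DENY

@dataclass
class FlexibleAuthorization:
    rules: list = field(default_factory=list)                 # [(name, url_prefix, fn)]
    cache: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add(self, name, url_prefix, fn):
        self.rules.append((name, url_prefix, fn))

    def cache_rule(self, url, user):
        """CACHE: reuse a definite decision reached earlier for this URL and user."""
        return self.cache.get((url, user), INDETERMINATE)

    def decide(self, url, user):
        """Return (decision, name of the rule that settled it), walking rules in order."""
        for name, prefix, fn in self.rules:
            if not url.startswith(prefix):     # simplified URL pattern match (assumption)
                continue
            decision = fn(url, user)
            if decision != INDETERMINATE:
                self.cache[(url, user)] = decision
                return decision, name
        return DENY, "default"                 # nothing had an answer: fail closed

def build():
    fa = FlexibleAuthorization()
    fa.add("PER_URL_ACL", "http://", per_url_acl)
    fa.add("CACHE", "http://", fa.cache_rule)
    fa.add("CONNECTOR", "http://docs.example.com/", Connector.decide)  # assumed rule name
    return fa

if __name__ == "__main__":
    fa = build()
    for url, user in [("http://docs.example.com/finance/budget.xlsx", "jsmith"),
                      ("http://docs.example.com/finance/report.docx", "jsmith"),
                      ("http://docs.example.com/finance/report.docx", "jsmith"),
                      ("http://other.example.com/x.pdf", "bjones")]:
        print(user, url, fa.decide(url, user), "connector calls:", Connector.calls)
```

The second lookup of report.docx is answered by CACHE without another connector round trip, which is the point of leaving CACHE where it is in the list; the real appliance matches full URL patterns from the Admin Console rather than prefixes.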
26 Chapter 3 Authentication for Developers Whenever possible in your deployments, you should try to use existing products, either supported by Goog
27 Key considerations If you want to achieve a silent authentication experience with your SSO system, consider the following items: ● A session co
28 SAML The search appliance supports SAML 2.0, an XML-based protocol for delegating authentication to an external identity provider. There might be cases where you will need t
29 binding from scratch, it could be more complex because it requires an additional service (the Artifact Resolver URL). There are some open-source frameworks li
3 Contents About this document Chapter 1 Designing Security in the GSA Overview Information Gathering Content Acquisition Single vs. Multiple iden
30 Cookie cracking vs. SAML If you need to customize your authentication process, it’s important to differentiate between cookie cracking and SAML
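The cookie-cracking side of that distinction is easy to get wrong, because the appliance trusts whatever identity the sample URL hands back. Below is an added Python example of such a sample-URL handler, written for this edit and not taken from the paper or from any Google code. The X-Username and X-Groups response headers are the ones the search appliance reads; the cookie name SSO_SESSION, the HMAC-signed cookie format and the session table are assumptions constructed for the example.

```python
# Added example, not from the GSA paper: a "cookie cracking" sample-URL
# handler. The search appliance fetches this URL with the user's browser
# cookies; a 200 carrying X-Username (and optionally X-Groups) tells it
# who the user is, so the handler must verify the cookie before answering.
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumptions for this example: the SSO cookie is named SSO_SESSION, its
# value is "<session id>.<hex HMAC-SHA256 of the id>", and sessions live
# in this constructed table.
SIGNING_KEY = b"constructed-demo-key-rotate-me"
SESSIONS = {
    "s1": {"user": "jsmith", "groups": ["everyone", "finance"]},
    "s2": {"user": "bjones", "groups": ["everyone"]},
}

def sign(session_id: str) -> str:
    return hmac.new(SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def make_cookie(session_id: str) -> str:
    """Cookie header value as the SSO would have set it (for the demo and tests)."""
    return f"SSO_SESSION={session_id}.{sign(session_id)}"

def session_from_cookie(cookie_header):
    """Return the session record, or None if the cookie is missing, forged or stale."""
    jar = SimpleCookie(cookie_header or "")
    if "SSO_SESSION" not in jar:
        return None
    session_id, _, mac = jar["SSO_SESSION"].value.rpartition(".")
    # Constant-time compare: the appliance will trust whatever X-Username we
    # return, so a forgeable cookie here means impersonation in search results.
    if not session_id or not hmac.compare_digest(sign(session_id), mac):
        return None
    return SESSIONS.get(session_id)

def crack_cookie_app(environ, start_response):
    """WSGI handler for the sample URL configured on the appliance."""
    session = session_from_cookie(environ.get("HTTP_COOKIE"))
    if session is None:
        # No identity for this cookie: tell the appliance the user is not logged in.
        start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                            ("Cache-Control", "no-store")])
        return [b"not authenticated"]
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Cache-Control", "no-store"),
        ("X-Username", session["user"]),
        ("X-Groups", ",".join(session["groups"])),
    ])
    return [b"ok"]

def call(cookie_header):
    """Drive the WSGI app directly and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(crack_cookie_app({"HTTP_COOKIE": cookie_header}, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    print(call(make_cookie("s1")))          # genuine cookie: 200 with identity headers
    print(call("SSO_SESSION=s1.0000"))       # tampered MAC: 401
    print(call(None))                        # no cookie: 401
```

Whatever validation the real SSO performs (signature, expiry, revocation) belongs in session_from_cookie; a handler that simply echoes a username field out of an unsigned cookie lets anyone who can set that cookie read another user's secure results.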
31 When the connector is intended to provide both authentication and group resolution, the implementation can ignore what the GSA passes to it thr
32 Trusted Application (beta) A very common use case is for the GSA to be deployed behind a portal to provide a search service. The search UI is pro
33 8. When the trusted user session expires (the cookie expires according to the Session timeout setting under Secure Search -> Access Control), the GSA wi
34 Chapter 4 Authorization for Developers Overview An enterprise search engine must return relevant results to the user, but only those that the us
35 The attribute “inheritance-type” makes it possible to model the different security mechanisms of various content systems. In an inheritance cha
36 “Free” ACL example <group> <acl url='http://dummyhost.corp.google.com/' inheritance-type="child-overrides"
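To show what the inheritance-type attribute and the “Free” ACL fragment above actually do at serve time, here is an added Python example that parses a small ACL feed and evaluates a user against it; it is written for this edit and is not code from the paper or from Google. The element and attribute names (acl, principal, inheritance-type, inherit-from, scope, access, namespace) follow the GSA feed vocabulary, and the combining rules are the documented ones as I understand them: inheritance-type is declared on the parent and governs how ACLs that inherit from it are merged with it, and within one ACL a matching deny beats a matching permit. The host, paths, users and groups in the feed are constructed for the example.

```python
# Added example, not from the GSA paper: evaluating per-URL ACLs that
# inherit from one another, the combination early binding has to perform.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"

# Constructed feed fragment. The element and attribute names (acl, principal,
# inheritance-type, inherit-from, scope, access, namespace) follow the GSA
# feed vocabulary; the host, paths, users and groups are made up.
FEED = """<group>
  <acl url="http://dummyhost.corp.google.com/" inheritance-type="child-overrides">
    <principal scope="group" access="permit" namespace="Default">everyone</principal>
    <principal scope="user" access="deny" namespace="Default">contractor1</principal>
  </acl>
  <acl url="http://dummyhost.corp.google.com/finance/" inheritance-type="parent-overrides"
       inherit-from="http://dummyhost.corp.google.com/">
    <principal scope="group" access="permit" namespace="Default">finance</principal>
  </acl>
  <acl url="http://dummyhost.corp.google.com/finance/q3.pdf" inheritance-type="leaf-node"
       inherit-from="http://dummyhost.corp.google.com/finance/">
    <principal scope="user" access="deny" namespace="Default">jsmith</principal>
  </acl>
  <acl url="http://dummyhost.corp.google.com/hr/" inheritance-type="and-both-permit">
    <principal scope="group" access="permit" namespace="Default">hr</principal>
  </acl>
  <acl url="http://dummyhost.corp.google.com/hr/salaries.xlsx" inheritance-type="leaf-node"
       inherit-from="http://dummyhost.corp.google.com/hr/">
    <principal scope="user" access="permit" namespace="Default">jsmith</principal>
    <principal scope="user" access="permit" namespace="Default">bjones</principal>
  </acl>
</group>"""

@dataclass
class Identity:
    user: tuple                                   # (namespace, name)
    groups: set = field(default_factory=set)      # {(namespace, name), ...}

def parse_feed(xml_text):
    """Index the feed by URL so inherit-from links can be followed."""
    return {acl.get("url"): acl for acl in ET.fromstring(xml_text).iter("acl")}

def local_decision(acl, ident):
    """This ACL's own verdict: a matching deny wins over any permit; no match
    at all means the ACL has no opinion (INDETERMINATE)."""
    matched = set()
    for p in acl.findall("principal"):
        key = (p.get("namespace", "Default"), p.text.strip())
        if (p.get("scope") == "user" and key == ident.user) or \
           (p.get("scope") == "group" and key in ident.groups):
            matched.add(p.get("access"))
    if "deny" in matched:
        return DENY
    if "permit" in matched:
        return PERMIT
    return INDETERMINATE

def combine(parent_type, parent_dec, child_dec):
    """inheritance-type is declared on the parent and says how the verdicts of
    ACLs that inherit from it are merged with its own."""
    if parent_type == "child-overrides":
        return child_dec if child_dec != INDETERMINATE else parent_dec
    if parent_type == "parent-overrides":
        return parent_dec if parent_dec != INDETERMINATE else child_dec
    if parent_type == "and-both-permit":
        if DENY in (parent_dec, child_dec):
            return DENY
        return PERMIT if parent_dec == child_dec == PERMIT else INDETERMINATE
    raise ValueError(f"an ACL of type {parent_type!r} cannot have children")

def evaluate(acls, url, ident):
    """Recurse up the inherit-from chain, then fold verdicts back down.
    A final INDETERMINATE means this mechanism has no answer; the appliance
    would move on to the next Flexible Authorization rule."""
    acl = acls[url]
    mine = local_decision(acl, ident)
    parent_url = acl.get("inherit-from")
    if parent_url is None:
        return mine
    parent_dec = evaluate(acls, parent_url, ident)
    return combine(acls[parent_url].get("inheritance-type"), parent_dec, mine)

ACLS = parse_feed(FEED)
HOST = "http://dummyhost.corp.google.com/"
jsmith = Identity(("Default", "jsmith"), {("Default", "everyone"), ("Default", "finance")})
bjones = Identity(("Default", "bjones"), {("Default", "everyone"), ("Default", "hr")})
contractor1 = Identity(("Default", "contractor1"), {("Default", "everyone")})

if __name__ == "__main__":
    for who in (jsmith, bjones, contractor1):
        for path in ("finance/q3.pdf", "hr/salaries.xlsx"):
            print(f"{who.user[1]:12} {path:18} {evaluate(ACLS, HOST + path, who)}")
```

Two results are worth staring at. jsmith is denied on q3.pdf itself but still gets PERMIT, because the finance folder is parent-overrides and its own verdict for jsmith is PERMIT. bjones, who is in no finance group, also gets PERMIT on everything under /finance/: the folder ACL is silent about him, so child-overrides at the root lets the "everyone" permit flow down. A subtree that is supposed to be restricted must carry an explicit deny or not inherit at all; an INDETERMINATE child never restricts anything.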
37 Connector Framework for Authorization Another option for modeling security is implementing a custom connector. As it’s explained in this paper a
38 Web proxy The options described above are the most common platforms used to implement the security side of the interconnection with a content s
39 Summary In this paper, we have reviewed the process of designing security for your enterprise search project with the Google Search Appliance.
4 Chapter 1 Designing Security in the GSA Overview Enterprise search projects integrate data from different sources to enable users to find inform
40 Appendix A Sample Trusted Application client code in C# using System; using System.Collections.Generic; using System.Linq; using System.Net;
41 request.ContentType = "application/x-www-form-urlencoded"; ServicePointManager.ServerCertificateValidationCallback = n
42 iRetry++; goto Initiate; } else throw e; //if still fails, it might be s
5 accommodate different applications when acquiring contents. The process generally involves using a system or super user account with broad access
6 Use the following table to model each content source. Include information about security in the Security Mechanisms field. System Info Name of t
7 Content Acquisition The acquisition generally comes in the following forms. Note that the authentication protocol used would have to be what’s s
8 Selecting an authorization mechanism Serve-time authentication and authorization are tightly connected. As mentioned previously, although serve t
9 With early binding, authorization is fully managed by the search appliance itself. Early binding requires the authorization rules to be known to the GSA.