Overview, Enabling kerberos on the search appliance – Google Search Appliance Enabling Windows Integrated Authentication version 7.2 User Manual


Google Search Appliance: Enabling Windows Integrated Authentication


The Authentication/Authorization for Enterprise SPI Guide. SAML Bridge is an application of the Google
Search Appliance Authentication/Authorization SPI, for which it has the roles of Identity Provider
and Policy Decision Point. These terms are explained in the SPI Guide.

A Google search on SAML (http://www.google.com/search?q=saml) can provide background
information on the SAML protocol.

Overview

There are two options for enabling silent authentication in Windows on the Google Search Appliance:

- Enable Kerberos on the search appliance.
  This is called “Kerberizing” the search appliance and is preferred because Kerberos is onboard and
  easy to configure.

- Use Google SAML Bridge for Windows.
  SAML Bridge mediates between your users and your Windows domain. It is implemented as an
  ASP.NET website that resides in Windows Internet Information Services (IIS). Deployment
  scenarios that require SAML Bridge instead of onboard Kerberos are:

  - Mixed environments in which not all browsers support Kerberos and SAML Bridge is required
    because it supports NT LAN Manager (NTLM).

  - Environments that do not allow keytab use for Kerberos, which is how the search appliance is
    “Kerberized”.

In addition, you can use either a Kerberized search appliance or SAML Bridge to authorize web content.
You do this by using an HTTP HEAD request. While the Kerberos implementation on the search appliance
supports authorization of IIS websites, it does not support Kerberos constrained delegation. Google SAML
Bridge for Windows provides a workaround for this.

Choose one of the following based on how your environment will provide authentication:

- “Enabling Kerberos on the Search Appliance”
- “Using SAML Bridge with the Search Appliance”

Enabling Kerberos on the Search Appliance

Onboard Kerberos can be used both for crawling and for serving controlled-access content. You must
configure the search appliance to use Kerberos authentication at serve time. For information about
configuring Kerberos-based authentication for serve, refer to the topics “Configuring Crawl and Serve
for Kerberos” and “Kerberos-Based Authentication” in the document Managing Search for
Controlled-Access Content.
