Admin Console Help

Search > Secure Search > Universal Login Auth Mechanisms > SAML

Use the Search > Secure Search > Universal Login Auth Mechanisms > SAML page to configure a credential group for SAML by adding a credential group rule.

Before Starting this Task

Before adding a rule for a credential group for SAML, set up credential groups by using the Search > Secure Search > Universal Login page.

Adding a Credential Group Rule for SAML

When the Google Search Appliance is configured with a credential group that includes a SAML authentication domain, a user performing a secure search is challenged by the SAML Identity Provider. The user provides her credentials on the Identity Provider login page.

Using this page, you can specify the binding in which the search appliance communicates with the SAML server:

  • HTTP Artifact binding: to specify HTTP Artifact binding, enter an Artifact Resolver URL.
  • HTTP POST binding: to specify HTTP POST binding, enter the Public Key of IDP.

You must specify either the Public Key of IDP or an Artifact Resolver URL in a credential group rule for SAML, but do not specify both. For more information about specifying a binding using this page, see the following table.

If there are additional credential groups besides the one with the SAML entry, the search appliance challenges the user with the Universal Login Form. After the user provides her credentials on the Universal Login Form, the search appliance combines the verified identities from SAML and the Universal Login Form. The user is granted access to the resources based on the combined credentials.

Add a credential group rule for SAML using the options described in the following table.

Mechanism Name
  The Mechanism Name that you enter will appear in the Authentication ID pull-down menu on the Search > Secure Search > Flexible Authorization page. The Mechanism Name enables you to instruct the authorization mechanism to use a session identity from a specific credential group or instance of an authentication mechanism.
  A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-insensitive, can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.

IDP Entity ID
  Entity ID of the Identity Provider. The Entity ID must match the <Issuer> string in messages sent from the external SAML server.

Login URL
  URL for the login service of the Identity Provider. The search appliance redirects unauthenticated search users to this login URL.

Artifact Resolver URL
  The URL for the server that converts a returned artifact into a response message. If you provide the Artifact Resolver URL, the SAML server returns its responses using HTTP Artifact binding. If you specify an Artifact Resolver URL, do not specify an Identity Provider public key.

Public Key of IDP
  The Identity Provider public key used to verify the signature on an assertion. If you specify a public key, the search appliance tries to verify the digital signature of the assertion, and the SAML server returns its responses using HTTP POST binding. If you specify an Identity Provider public key, do not specify an Artifact Resolver URL. The public key is specified by the Identity Provider's SSL Certificate in PEM format. When the search appliance saves the configuration, it automatically removes the header and footer (the lines with "BEGIN CERTIFICATE" and "END CERTIFICATE").

  Certificate example:

  -----BEGIN CERTIFICATE-----
  MIID3jCCAsagAwIBAgIBCjANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQGEwJVUzET
  ...<snip>...
  jKpobF6TcxU6My/vIa9KcsVR4goMcJMJmlELHqs+9yCJgA==
  -----END CERTIFICATE-----

Timeout (seconds)
  The time allowed for making a network connection to the SAML server. The default is 3 seconds if none is specified. If the search appliance does not make the network connection in the specified time, it abandons the attempt. Use this field to override the default timeout.

To add a credential group rule for SAML authentication to a credential group:

  1. Click Search > Secure Search > Universal Login Auth Mechanisms > SAML.
  2. Select a credential group from the pull-down menu.
  3. In the Mechanism Name box, type a unique name for the authentication mechanism.
  4. Provide values for options on the page as described in the preceding table.
  5. Click Save.
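The constraints in the options table (the Mechanism Name rules, the requirement to set exactly one of Artifact Resolver URL or Public Key of IDP, the removal of the PEM header and footer on save, the 3-second default timeout, and the rule that the IdP's <Issuer> must equal the configured IDP Entity ID) are easy to get wrong by hand. The following Python module, written for this page and not part of the Google Search Appliance software, checks a proposed rule against those constraints before it is saved and shows the shape the saved values take. The SamlRule field names, the error strings and the sample SAML response are constructed for illustration; the appliance's own signature verification of the assertion is not reproduced here, since that needs an XML-DSig implementation.

```python
"""Pre-save checks for a Universal Login SAML credential group rule.

Added example, not Google Search Appliance code. It encodes the constraints the
help page states for the SAML rule options. SamlRule field names, error strings
and the sample response below are assumptions made for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Sequence

MECHANISM_NAME_MAX_LEN = 200                           # limit stated on the page
MECHANISM_NAME_CHARS = re.compile(r"[A-Za-z0-9_-]+")   # alphanumerics, '_' and '-'
DEFAULT_TIMEOUT_SECONDS = 3                            # page: default 3 seconds
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class SamlRule:
    """One SAML rule as entered on the page; field names are assumptions."""
    mechanism_name: str
    idp_entity_id: str
    login_url: str
    artifact_resolver_url: Optional[str] = None   # set => HTTP Artifact binding
    public_key_pem: Optional[str] = None          # set => HTTP POST binding
    timeout_seconds: Optional[int] = None         # None => appliance default


def mechanism_name_errors(name: str, existing_names: Sequence[str] = ()) -> List[str]:
    """Apply the Mechanism Name constraints from the options table.
    existing_names holds other mechanism names and credential group names;
    the uniqueness comparison is case-insensitive, as the page specifies."""
    if not name:
        return ["Mechanism Name is required"]
    errors = []
    if len(name) > MECHANISM_NAME_MAX_LEN:
        errors.append(f"Mechanism Name longer than {MECHANISM_NAME_MAX_LEN} characters")
    if name.startswith("-"):
        errors.append("Mechanism Name cannot begin with a hyphen")
    if not MECHANISM_NAME_CHARS.fullmatch(name):
        errors.append("Mechanism Name may contain only alphanumerics, underscores and hyphens")
    if name.lower() in {n.lower() for n in existing_names}:
        errors.append("Mechanism Name duplicates an existing mechanism or credential group name")
    return errors


def binding_for(rule: SamlRule) -> Optional[str]:
    """Return 'HTTP-Artifact' or 'HTTP-POST', or None when the page's rule
    (exactly one of Artifact Resolver URL / Public Key of IDP) is violated."""
    has_artifact = bool(rule.artifact_resolver_url)
    has_key = bool(rule.public_key_pem)
    if has_artifact == has_key:          # both set, or neither set
        return None
    return "HTTP-Artifact" if has_artifact else "HTTP-POST"


def normalize_public_key(pem: str) -> str:
    """Reproduce the save-time step the page describes: drop the BEGIN/END
    CERTIFICATE lines and whitespace, keeping only the base64 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def validate_rule(rule: SamlRule, existing_names: Sequence[str] = ()) -> List[str]:
    """Collect every constraint violation; an empty list means the rule can be saved."""
    errors = mechanism_name_errors(rule.mechanism_name, existing_names)
    if not rule.idp_entity_id:
        errors.append("IDP Entity ID is required")
    if not rule.login_url:
        errors.append("Login URL is required")
    if binding_for(rule) is None:
        errors.append("Specify either Artifact Resolver URL or Public Key of IDP, not both")
    if rule.public_key_pem and not normalize_public_key(rule.public_key_pem):
        errors.append("Public Key of IDP contains no certificate data")
    if rule.timeout_seconds is not None and rule.timeout_seconds <= 0:
        errors.append("Timeout must be a positive number of seconds")
    return errors


def saved_config(rule: SamlRule) -> dict:
    """Shape the rule the way the page says it is stored: PEM armor stripped,
    default timeout applied, binding made explicit. Validate first."""
    cfg = {
        "mechanism_name": rule.mechanism_name,
        "idp_entity_id": rule.idp_entity_id,
        "login_url": rule.login_url,
        "binding": binding_for(rule),
        "timeout_seconds": (rule.timeout_seconds if rule.timeout_seconds is not None
                            else DEFAULT_TIMEOUT_SECONDS),
    }
    if cfg["binding"] == "HTTP-Artifact":
        cfg["artifact_resolver_url"] = rule.artifact_resolver_url
    else:
        cfg["public_key"] = normalize_public_key(rule.public_key_pem or "")
    return cfg


def issuer_matches(response_xml: str, idp_entity_id: str) -> bool:
    """Check the page's requirement that <Issuer> in an IdP message equals the
    configured IDP Entity ID. Every Issuer element (response and assertion)
    must match; a message with no Issuer fails."""
    root = ET.fromstring(response_xml)
    issuers = [(el.text or "").strip() for el in root.iter(f"{{{SAML_ASSERTION_NS}}}Issuer")]
    return bool(issuers) and all(i == idp_entity_id for i in issuers)


# Constructed sample SAML response (not captured from a real Identity Provider).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
```

Run validate_rule on the proposed rule with the list of existing mechanism and credential group names; only when it returns an empty list does saved_config produce the stored form. The issuer check is kept separate because it applies to each message received from the IdP at search time, not to the configuration itself.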

To delete a rule:

  1. Click Search > Secure Search > Universal Login Auth Mechanisms > SAML.
  2. Click Delete this rule.
  3. Click Save.

For More Information

For more information about Universal Login and credential groups, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.


 
© Google Inc.