Admin Console Help
Search > Secure Search > Flexible Authorization

Use the Search > Secure Search > Flexible Authorization page to configure flexible authorization rules, change the order in which the rules are applied, enable late binding for policy ACLs and per-URL ACLs, and set authorization parameters.

About Flexible Authorization

Flexible authorization gives you, as a search appliance administrator, more control over authorization by enabling you to:

  • Specify authorization mechanisms in your environment
  • Customize which authorization mechanisms handle which URLs

You can perform these tasks by configuring flexible authorization rules. A flexible authorization rule defines:

  • The protected content to which the rule applies
  • An identity that maps the rule to a credential group or instance of an authentication mechanism
  • Information that is specific to the authorization mechanism

Configuring Flexible Authorization Rules

You can configure rules for the authorization mechanisms described in the following table. For step-by-step procedures for configuring specific types of rules, see the sections listed in the table.

Authorization Mechanism / Description / See Section

CACHE
  For the specified URL pattern, the search appliance checks the cached results of previous authorization. Note that the cache is cleared after each Google Search Appliance session.
  See: Adding a Cache Rule

CONNECTOR
  For the specified URL pattern, the search appliance passes the decision to the appropriate connector.
  See: Adding a Connector Rule

DENY
  For the specified URL pattern, the search appliance denies the user access to the URL.
  See: Adding a Deny Rule

HEADREQUEST
  For the specified URL pattern, the search appliance performs a HEAD request, using the credentials obtained for the user during serve authentication.
  See: Adding a Headrequest Rule

POLICY
  For the specified URL pattern, the search appliance checks the URL patterns in policy ACL rules against the URLs that are returned in the search results.
  See: Adding a Policy Rule

SAML
  For the specified URL pattern, the search appliance sends a SAML authorization request to the designated SAML authorization service.
  See: Adding a SAML Rule

Per URL ACL
  For the specified URL, the search appliance checks the per-URL ACL.
  See: Adding a Per-URL ACL Rule

Flexible authorization rules for most mechanisms contain the following information:

  • URL Pattern
  • Authentication ID
  • Timeout

Additionally, rules for the CONNECTOR and SAML authorization mechanisms contain mechanism-specific information. For more information, see the sections on adding rules for specific mechanisms.

URL Pattern

In authorization rules for any type of mechanism, you must supply a URL Pattern that identifies the protected content. The URL patterns that you supply on this page are the same as those used in policy ACLs. For information about constructing valid URL patterns for flexible authorization, see "URL Pattern to Protect" on the help page for Search > Secure Search > Policy ACLs.

Authentication ID

Credential groups, as well as instances of authentication mechanisms, can provide session identities. By selecting the Authentication ID, you are instructing the authorization mechanism to use a session identity from a specific credential group or instance of an authentication mechanism.

In authorization rules for CONNECTOR, HEADREQUEST, or SAML you can select an Authentication ID from the pull-down menu. This menu is populated with credential group names and mechanism names that you, as the search appliance administrator, provide by using the Search > Secure Search > Universal Login page and the Search > Secure Search > Universal Login Auth Mechanisms tabs. A Mechanism Name is a unique name for a particular authentication mechanism. If you don't select an authentication ID, the Default credential group is used.

Timeout

In authorization rules for CONNECTOR, HEADREQUEST, or SAML you can optionally supply a Timeout value. This value is the maximum time allowed for making a network connection. If the search appliance does not make the network connection in the specified time, it abandons the attempt. Use this field to override the default timeout.

How the Search Appliance Applies Rules

After the search appliance authenticates a user by establishing the user's identity, it attempts to determine whether the user has access to the secure content that matches the user's search. The search appliance performs authorization checks by applying flexible authorization rules in the order in which they appear in the authorization routing table on the Search > Secure Search > Flexible Authorization page.

Although you can configure the authorization routing table, Google recommends using the default setting where the first rule in the table is for PER-URL ACLs. This setting provides the best authorization performance for a larger number of documents. Changing the order of the authorization rules in the table so that a rule for another mechanism is first might lead to slow authorization performance for a smaller number of documents. Google recommends always using the PER_URL_ACL mechanism with pattern "/" as the first rule, with or without late binding.

For information about configuring the routing table, see Changing the Order of Flexible Authorization Rules.

Most of the supported authorization mechanisms are capable of returning one of three possible decisions for each URL:

  • Allow: Allow the user access to the URL.
  • Deny: Deny the user access to the URL.
  • Indeterminate: A definitive answer could not be determined, so the search appliance applies the next rule in the ordered list of rules.

Any given URL might match more than one flexible authorization rule. In this instance, each associated mechanism in the list is applied in order until one of them returns a decision other than indeterminate. If all mechanisms return indeterminate, or no mechanisms match, the user is denied access to the URL. If a mechanism cannot handle a URL, it returns a decision of indeterminate.

Before Starting this Task

Before configuring flexible authorization, complete the tasks shown in the following table.

Task / Description

Configure credential groups
  Set up credential groups by using the Search > Secure Search > Universal Login page.

Configure credential group rules for appropriate authentication mechanisms
  Configure credential groups for authentication mechanisms that are supported in your environment by using the tabs on the Search > Secure Search > Universal Login Auth Mechanism page.

(Optional) Configure Policy ACL rules
  If you want to use policy ACLs for authorization, configure rules by using the Search > Secure Search > Policy ACLs page.

(Optional) Configure a SAML Policy Decision Point (PDP)
  If you want to use SAML authorization, configure a SAML PDP. If you are a user of the search appliance's legacy SAML authorization, you must convert all SAML SPI instances to SAML flexible authorization rules.

Adding Flexible Authorization Rules

You can add rules, as described in the following sections:

  • Adding a Cache Rule
  • Adding a Connector Rule
  • Adding a Deny Rule
  • Adding a Headrequest Rule
  • Adding a Policy Rule
  • Adding a SAML Rule
  • Adding a Per-URL ACL Rule

You can also enable late binding for policy ACLs and per-URL ACLs.

Adding a Cache Rule

Add a cache rule for a URL pattern for which you want the search appliance to check the cached results of a previous authorization.

To add a cache rule:

  1. Choose CACHE from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Click Save.

Adding a Connector Rule

Add a connector rule for a URL pattern for which you want the search appliance to get a decision from the appropriate connector.

To add a connector rule:

  1. Choose CONNECTOR from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, enter ^googleconnector://.
    For this URL pattern, the search appliance automatically extracts the Connector Name. If you enter any other URL pattern in this field, you must also supply a Connector Name.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of approximately 20 minutes for making a network connection, enter the time in seconds in the Timeout field.
  6. If you entered ^googleconnector:// in the URL Pattern field, the connector name is chosen automatically during authorization.
  7. Click Save.

Adding a Deny Rule

Add a deny rule for a URL pattern for which you want to deny the user access.

To add a deny rule:

  1. Choose DENY from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Click Save.

Adding a Headrequest Rule

Add a headrequest rule for a URL pattern for which you want the search appliance to perform a HEAD request, using the credentials obtained for the user during serve authentication.

To add a headrequest rule:

  1. Choose HEADREQUEST from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of 5 seconds for making a network connection, enter the time in seconds in the Timeout field.
  6. Click Save.

Adding a Policy Rule

Add a policy rule for a URL pattern for which you want the search appliance to check by using policy ACLs.

To add a policy rule:

  1. Choose POLICY from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content.
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group. 
  5. Click Save.

Adding a SAML Rule

Add a SAML rule for a URL pattern for which you want the search appliance to send a SAML authorization request to the Policy Decision Point, using the identity obtained for the user during the serve authentication.

The Add Flexible Authorization Rule page for SAML contains a checkbox for using batched SAML authorization requests (Use batched SAML Authz requests). You can use batched SAML authorization requests only if your SAML provider supports the Google SAML batch authorization extension. If your SAML provider does not support the extension, do not use batched SAML authorization requests.

To add a SAML rule:

  1. Choose SAML from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content. 
  4. Select an Authentication ID from the pull-down menu or accept the Default credential group.
  5. If you want to override the default value of 3 seconds for making a network connection, enter the time in seconds in the Timeout field.
  6. In the Authorization service ID field, enter the Entity ID of the SAML server.
  7. In the Authorization service URL field, enter the URL of the service where the search appliance will send the SAML authorization query.
  8. Optionally, click Use batched SAML AuthZ requests.
  9. Click Save.

Adding a Per-URL ACL Rule

To add a per-URL ACL rule:

  1. Choose PER_URL_ACL from the pull-down menu.
  2. Click Add another rule.
    The Add Flexible Authorization Rule page appears.
  3. In the URL Pattern field, type the URL pattern identifying the protected content. 
  4. Click Save.

Editing Flexible Authorization Rules

To edit a rule:

  1. Click the Edit link next to the rule you want to edit.
  2. Make changes to the rule using the Edit Flexible Authorization Rule page.
  3. Click Save.

Changing the Order of Flexible Authorization Rules

To change the order of rules in the authorization routing table:

  1. Click the Move Up or Move Down link next to the rule that you want to move.
  2. Click Save Rules Order.

Deleting Flexible Authorization Rules

To delete a rule:

  1. Click the Delete link next to the rule you want to delete.
    A confirmation box appears.
  2. Click OK.

Enabling Late Binding for Policy ACLs and Per-URL ACLs

In some instances, you might not want to use early binding for allow decisions, for example, if the policy ACLs or per-URL ACLs in the index don't reflect the latest changes. For situations like this, you can enable late binding for policy ACLs and per-URL ACLs.

If you enable late binding for policy ACLs and per-URL ACLs, the search appliance accepts deny decisions only from these mechanisms. For allow and indeterminate decisions, the search appliance applies each subsequent associated mechanism in the list in order until one of them returns a decision other than indeterminate.

To enable late binding for policy ACLs and per-URL ACLs:

  1. Click the Enable late binding for Policy and Per-Url-Acls checkbox.
  2. Click Save.
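The ordered evaluation described under "How the Search Appliance Applies Rules" and the late-binding behavior described above, as an added Python model. This is not code from this help page or from the search appliance; the routing table, the index-time ACL tables and the connector answers are constructed sample data, and pattern_matches is a simplified stand-in for the policy-ACL pattern grammar ("/" matches every URL, a leading "^" is treated as an anchored regular expression, anything else as a literal prefix), which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

ALLOW, DENY, INDETERMINATE = "allow", "deny", "indeterminate"
Decider = Callable[[str, str], str]  # (url, user) -> one of the three decisions


@dataclass(frozen=True)
class Rule:
    mechanism: str            # CACHE, CONNECTOR, DENY, HEADREQUEST, POLICY, SAML or PER_URL_ACL
    url_pattern: str          # protected content this rule applies to
    auth_id: str = "Default"  # credential group or mechanism name supplying the identity


def pattern_matches(pattern: str, url: str) -> bool:
    """Simplified matcher (assumption, not the appliance's pattern grammar):
    '/' matches every URL, a leading '^' is an anchored regex, else a prefix."""
    if pattern == "/":
        return True
    if pattern.startswith("^"):
        return re.match(pattern, url) is not None
    return url.startswith(pattern)


def authorize(rules: List[Rule], url: str, user: str,
              deciders: Dict[str, Decider], late_binding: bool = False) -> str:
    """Walk the routing table in order; the first matching rule whose mechanism
    returns allow or deny decides. All indeterminate, or no match, means deny."""
    for rule in rules:
        if not pattern_matches(rule.url_pattern, url):
            continue
        decider = deciders.get(rule.mechanism)
        # A mechanism that cannot handle the URL answers indeterminate.
        decision = decider(url, user) if decider else INDETERMINATE
        if (late_binding and rule.mechanism in ("POLICY", "PER_URL_ACL")
                and decision == ALLOW):
            # Late binding: only deny is accepted from the index-time ACLs;
            # an allow falls through to the next matching rule.
            continue
        if decision != INDETERMINATE:
            return decision
    return DENY


# Constructed sample data (not from any real deployment).
PER_URL_ACL = {  # ACL stored in the index at crawl time; may be stale
    "googleconnector://sharepoint/doc-1": {"alice", "bob"},
}
POLICY_ACL = [  # (URL pattern, permitted users)
    ("http://intranet.example.com/eng/", {"alice"}),
]
CONNECTOR_LIVE = {  # what the connector answers right now
    ("googleconnector://sharepoint/doc-1", "alice"): DENY,  # revoked after crawl
    ("googleconnector://sharepoint/doc-2", "bob"): ALLOW,
}


def per_url_acl_decider(url: str, user: str) -> str:
    acl = PER_URL_ACL.get(url)
    if acl is None:
        return INDETERMINATE  # no ACL for this URL in the index
    return ALLOW if user in acl else DENY


def policy_decider(url: str, user: str) -> str:
    for pattern, users in POLICY_ACL:
        if pattern_matches(pattern, url):
            return ALLOW if user in users else DENY
    return INDETERMINATE


def connector_decider(url: str, user: str) -> str:
    return CONNECTOR_LIVE.get((url, user), INDETERMINATE)


DECIDERS: Dict[str, Decider] = {
    "PER_URL_ACL": per_url_acl_decider,
    "POLICY": policy_decider,
    "CONNECTOR": connector_decider,
    "DENY": lambda url, user: DENY,
}

# Routing table in the recommended order: PER_URL_ACL with pattern "/" first.
RULES = [
    Rule("PER_URL_ACL", "/"),
    Rule("POLICY", "/"),
    Rule("CONNECTOR", "^googleconnector://", auth_id="sharepoint-cg"),
    Rule("DENY", "http://intranet.example.com/archive/"),
]

if __name__ == "__main__":
    for url, user in [("googleconnector://sharepoint/doc-1", "alice"),
                      ("http://intranet.example.com/eng/design.html", "alice"),
                      ("http://public.example.com/page.html", "alice")]:
        early = authorize(RULES, url, user, DECIDERS)
        late = authorize(RULES, url, user, DECIDERS, late_binding=True)
        print(f"{user} -> {url}: early={early} late={late}")
```

The stale-ACL case shows why late binding exists: with early binding the index-time per-URL ACL still allows alice on doc-1, while with late binding that allow is skipped and the connector's current deny wins. The same run also shows the cost: a URL that only a policy ACL allows ends up denied under late binding unless a live mechanism (CONNECTOR, HEADREQUEST or SAML) matches it later in the table.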

Setting Authorization Parameters

The following tables explain the parameters that control the time allowed for authorization requests and the cache that controls the returned information. The default values are suitable for most environments. It is strongly recommended that you avoid tuning these parameters. If you need to improve search response time for the end user, it is a good idea to first consider improvements to web servers.

The following table lists the parameters that are standard to the search appliance.

Parameter / Description / Default Value

Query Processing Time (default: 20)
  The search appliance processes authorization requests in batches. This parameter specifies, in seconds, how long the search appliance waits to fully process multiple batches of authorization requests. For example, if you have slow content servers, it might take the search appliance 5 seconds to process a single batch of requests. A 20-second Query Processing Time setting would enable the search appliance to process at least four batches of authorization requests.

  The parameter represents the maximum amount of time in seconds that the search appliance waits for multiple batches of authorization requests to complete. The value must be a positive number and should be larger than the value of the timeout for a batch of authorization requests, to ensure that the authorization requests can be completed.

  Setting the parameter to a larger value enables the search appliance to process more batch requests for authorization. However, if a content server is unresponsive, performance will be negatively affected.

Timeout for a batch of authorization requests (default: 5)
  The search appliance processes authorization requests in batches. This parameter specifies, in seconds, how long the search appliance waits to fully process authorization for a single batch of requests. When a batch of requests times out, the search appliance uses the results that it received and processes another batch of URLs, if it has sufficient time before it displays results to the user. You can use this value to limit the time that the search appliance waits for responses from a slow or unresponsive server.

  Because a batch can contain URLs on different servers, the search appliance sends the requests from the same batch to the servers separately. Those individual requests are governed by a different timeout value, which follows.

  This value must be a positive number. The value for this batch timeout should be larger than the value for individual requests, to ensure that individual requests in the batch have sufficient round-trip time.

Timeout for individual authorization request (default: 2.5)
  This parameter specifies, in seconds, how long the search appliance waits for the response to a single authorization request to a web server.

  If you tune this parameter, consider that if you shorten the timeout value, slow servers may be unable to respond to authorization requests in time. User results could be incomplete and skewed toward content on the fast servers. In contrast, if you lengthen the timeout value, slow web servers can provide additional results but users will experience longer response times.

  This value must be a positive number. It should be smaller than the value for batch timeouts. If you increase this value, you might need to also increase the batch timeout value.

The following table explains the parameters that control how the search appliance handles unresponsive servers. A server can be unreachable because it is down or because it is overloaded and refusing new connections.

Parameter / Description / Default Value

Enable cache of unreachable hosts (default: Not enabled)
  Select this option to enable the search appliance to maintain information about servers that do not respond to authorization requests. This information ensures that the search appliance avoids making repeated failed requests to the same server.

Timeouts permitted before host is considered unreachable (default: 100)
  This parameter specifies the number of times the search appliance attempts to contact an unresponsive server before adding it to the cache of unreachable hosts. Fluctuations in server traffic might cause a certain normal number of timeouts without indicating system failure. The value should allow for multiple failed attempts to contact a server.

  The value can be any positive integer.

Timeout measurement period (default: 300)
  This parameter specifies, in seconds, the timeframe during which the Timeouts permitted parameter is applied. For example, the default values permit 100 timeouts during a 300-second (five minute) measurement period. The value should be large enough to accommodate short-lived server unavailability.

  The value can be any number of seconds.

Duration of unreachable host cache entry (default: 600)
  This parameter specifies, in seconds, the length of time that each item is maintained in the cache.

  The value can be any number of seconds.

You can click the Clear Caches button to immediately remove the authorization and unreachable host information. Use this button periodically to keep the authorization cache fresh.
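The nested timeouts from the first table and the unreachable-host cache from the second, as an added Python model. This is not code from this help page or from the search appliance. The defaults are the documented ones; the timeout events are constructed; and because the page does not say whether a host is cached when the timeout count reaches or exceeds the permitted number, the model treats exceeding it as the trigger (an assumption).

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class AuthzTimeouts:
    """The three nested timeouts, with the documented defaults in seconds."""
    query_processing: float = 20.0  # whole multi-batch authorization budget
    batch: float = 5.0              # one batch of authorization requests
    individual: float = 2.5         # one request to one web server

    def validate(self) -> List[str]:
        """Return the documented constraints that this configuration violates."""
        problems = []
        for name, value in (("Query Processing Time", self.query_processing),
                            ("batch timeout", self.batch),
                            ("individual request timeout", self.individual)):
            if value <= 0:
                problems.append(f"{name} must be a positive number")
        if self.individual >= self.batch:
            problems.append("individual request timeout should be smaller than the batch timeout")
        if self.batch >= self.query_processing:
            problems.append("batch timeout should be smaller than Query Processing Time")
        return problems

    def guaranteed_batches(self) -> int:
        """Batches that fit in the query window even if each uses its full timeout."""
        return int(self.query_processing // self.batch)


class UnreachableHostCache:
    """Sliding-window count of timed-out authorization requests per host.
    Assumption: a host is cached once the count in the window EXCEEDS the permitted number."""

    def __init__(self, enabled: bool = False, timeouts_permitted: int = 100,
                 measurement_period: float = 300.0, entry_duration: float = 600.0):
        self.enabled = enabled
        self.timeouts_permitted = timeouts_permitted
        self.measurement_period = measurement_period
        self.entry_duration = entry_duration
        self._timeouts: Dict[str, Deque[float]] = {}
        self._unreachable_until: Dict[str, float] = {}

    def record_timeout(self, host: str, now: float) -> bool:
        """Register one timed-out request; True if the host just became unreachable."""
        if not self.enabled:
            return False
        window = self._timeouts.setdefault(host, deque())
        window.append(now)
        while window and now - window[0] > self.measurement_period:
            window.popleft()  # outside the measurement period
        if len(window) > self.timeouts_permitted:
            self._unreachable_until[host] = now + self.entry_duration
            window.clear()
            return True
        return False

    def is_unreachable(self, host: str, now: float) -> bool:
        """True while the host's cache entry is within its duration."""
        until = self._unreachable_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._unreachable_until[host]  # entry expired
            return False
        return True

    def clear(self) -> None:
        """What the Clear Caches button does to the unreachable-host information."""
        self._timeouts.clear()
        self._unreachable_until.clear()


def replay(events: List[Tuple[float, str]], cache: UnreachableHostCache) -> List[Tuple[float, str]]:
    """Feed (timestamp, host) timeout events through the cache; return when hosts were marked."""
    marked = []
    for t, host in events:
        if cache.record_timeout(host, t):
            marked.append((t, host))
    return marked


# Constructed sample: one host times out once per second for two minutes,
# another has a burst of 50 timeouts that stays under the default threshold.
SAMPLE_EVENTS = ([(float(t), "slow.example.com") for t in range(120)]
                 + [(float(t), "flaky.example.com") for t in range(50)])

if __name__ == "__main__":
    print("config problems:", AuthzTimeouts().validate() or "none")
    cache = UnreachableHostCache(enabled=True)
    print("hosts marked unreachable:", replay(SAMPLE_EVENTS, cache))
    print("slow.example.com still cached at t=699:", cache.is_unreachable("slow.example.com", 699.0))
```

With the defaults, slow.example.com is cached at its 101st timeout (t=100) and stays cached for 600 seconds, while flaky.example.com never crosses the threshold; the smaller configuration in the test shows the measurement window discarding old timeouts so that a few spread-out failures do not add up.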

For More Information

For more information about flexible authorization, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.


 
© Google Inc.