Back to Home | Help Center | Log Out
 Help Center
 
Help Center

Home

Crawl and Index
  Crawl URLs
  Databases
  Feeds
  Crawl Schedule
  Crawler Access
  Proxy Servers
  Forms Authentication
  Case-Insensitive Patterns
  HTTP Headers
  Duplicate Hosts
  Document Dates
  Host Load Schedule
  Coverage Tuning
  Freshness Tuning
  Collections
  Composite Collections
  Index Settings
  Entity Recognition

Serving

Status and Reports

Connector Administration

Social Connect

Cloud Connect

GSA Unification

GSAn

Administration

More Information

Crawl and Index > Forms Authentication

Use the Crawl and Index > Forms Authentication page to configure forms authentication rules for crawling secure access content.

The Google Search Appliance can integrate with a form-based single sign-on system. Examples of such systems are Computer Associates SiteMinder (single domain only), Oracle Identity Management, and Cams from Cafesoft. The single sign-on products for which Google has tested compatibility are listed in the Guide to the Software Release, available from theGoogle Search Appliance help center. Use of an SSO server has the advantage of requiring credentials from a user only one time. The SSO server unifies the authentication process by first authenticating the user and then by authorizing the user on the web servers to which that user has access.

The search appliance can securely serve pages that are protected by forms-based authentication. For more information, see Serving >Universal Login Auth Mechanisms > Cookie Based.

About Forms Authentication Rules

You do not explicitly specify a forms authentication rule. Instead, you use a forms authentication login wizard to log in and the search appliance captures the information that it needs to create the rule. The crawler uses the information in the following table to get access to documents that require login.

RuleDescription
URL patterns

A URL pattern determines the crawled URLs to which the rule is applied. When the crawler needs to access a URL, it compares that URL to the URL patterns. If the desired URL matches one of the patterns, the crawler applies the rule.

Actions

Actions specify the crawler's behavior for a URL that matches a pattern specified in the rule.

An action consists of a URL and the HTTP method GET or POST. If the HTTP method is POST, the action contains the form fields to submit for authentication.

After the crawler performs these actions, it expects to receive a cookie with which to establish a login session. Once the login session is established, the crawler sends the cookie when it attempts to crawl other URLs that match the login patterns.

Authentication expiration time A cookie expires after a specified time. After the cookie expires, the crawler must obtain new authentication and establish a new login session.

If the URL pattern that matches the forms authentication rule includes a logout page, the search appliance attempts to crawl the logout page, which essentially results in cookie expiration. If the SSO system includes a logout page, then exclude the logout page by adding it to Do Not Crawl URLs with the Following Patterns on the Crawl and Index > Crawl URLs page.

Creating a Forms Authentication Rule

When you create a forms authentication rule, you provide an example of the protected content, and then log in, using the username and password credentials that you want the crawler to use. When you submit the login form, the search appliance captures the rule.

Editing a Forms Authentication Rule

After a rule is set up, you can edit it in any of the following ways:

  • You can add URL patterns.
  • For each URL pattern, you can select the Make Public option. This option causes URLs that match the URL pattern to be included in public results.
  • You can change the username or password.
  • You can change the expiration time for the cookie. The default value is 300 seconds (5 minutes).

If you enter an additional Authorization HTTP Header on Crawl and Index > HTTP Headers, the web server may not grant the Single Sign-On cookie when the cookie rule is executed.

Notes: To set the length of time that a user's authorization for secure URLs should be kept in the search appliance authorization cache, go to Serving > Access Control.

Create and Edit Forms Authentication Rule

To set up a rule for crawling pages behind a Forms Authentication login page:

  1. Click Crawl and Index > Forms Authentication.
  2. Type a sample content URL. Choose a URL that redirects an unauthorized user to the login form. The login page must not include Javascript or use frames.
  3. Type a URL pattern that your secure documents will match. The documents that match this pattern should all be protected by the login page that protects the sample URL that you specified in the previous step. Make sure the pattern includes a final slash.
  4. Click the Create a New Forms Authentication Rule button. A new browser window opens, displaying your login page in the lower half.
  5. Type the correct username and password to log in to your site.

    Note: If you mistype the username or password, extra actions may be recorded and displayed on the forms login page. To avoid that, close the Forms Authentication Wizard window and restart the process on the Forms Authentication page.

  6. Make sure that the page you expect to see appears.
  7. Click the Save Forms Authentication Rule and Close Window button. The Forms Authentication page appears and your new rule is listed with its pattern, action, and form fields.
  8. Click Save Forms Authentication Rule Configuration.

To edit existing Forms Authentication rules:

  1. Change the username and/or password, if necessary.
  2. Change the time to wait for authentication by entering a new number of seconds or minutes, if you wish.
  3. Click Save Forms Authentication Rule Configuration.

To delete the Forms Authentication rule:

  1. Select the Delete Rule checkbox to the right of the rule.
  2. Click Save Forms Authentication Rule Configuration.

Certificate Authorities and Forms Authentication Rules

If HTTPS sites are used when creating a Forms Authentication rule, you might need to install their CA certificates by using the Administration > Certificate Authorities page. The search appliance does have a default certificate store for the most common Root CA certificates, but not all of them. So if your HTTPS servers are using self-signed or other CA certificates that might not be common, you might need to install those certificates.

When you install any CA certificates by using the Administration > Certificate Authorities page, the default certificate store is not used. The search appliance only uses the CA certificates from Administration > Certificate Authorities. The search appliance performs strict certificate path validation during an SSL handshake. Therefore, Google recommends the following process to avoid potential failures:

  1. Try creating the Forms Authentication rule without installing any CA certificates in the certificate authorities store. If there is an issue with the SSL handshake process, the following error message appears in the Admin Console: "Forms Authentication Login failed."
  2. If you receive an error in step 1, import the Root and Intermediate CAs that signed your HTTPS server certificate into the search appliance certificate store by using the Administration > Certificate Authorities page. In some cases your HTTPS server may be signed by a self-signed certificate. Then you just need to import that into the Certificate Authorities store.

Setup Log

After you have set up an authentication rule, you will see log files for the HTTP and HTTPS output of the Forms Authentication setup. The logs show the headers that pass between the search appliance and your SSO server. You can use the logs to help troubleshoot any problems.

For More Information

For more information about forms authentication, see the following topics:


 
© Google Inc.