Back to Home | Admin Console Help | Log Out
 Admin Console Help
 
Admin Console Help

Home

Content Sources

Index

Search
  Search Features
  Secure Search
    Access Control
    Head Requestor Deny Rules
    Policy ACLs
    Universal Login
    Universal Login Auth Mechanisms
      Cookie
      HTTP
      Client Certificate
      Kerberos
      SAML
      Connectors
      LDAP
    Universal Login Form Customization
    Flexible Authorization
    Trusted Applications
  Diagnostics

Reports

GSA Unification

GSAn

Administration

More Information

Search > Secure Search> Universal Login

Use the Search > Secure Search > Universal Login page to perform the following tasks:

The search appliance keeps logs about Universal Login that you can also download by clicking SecMgr Log.

Configuring Perimeter Security

Perimeter security ensures that the search appliance doesn't serve any results without user authentication

When perimeter security is enabled, the search appliance prompts the user for credentials when he first visits the search page. The search appliance authenticates the user by using the authentication mechanisms that are configured for Universal Login.

If the user is successfully authenticated, the search appliance serves results. If the user is searching for public content only, no authorization is required to view results. If the user is searching for both public and secure content, the search appliance uses the credentials it has gathered to perform authorization on secure documents. The user is not prompted again for credentials.

If the user cannot be authenticated, the search appliance doesn't serve any results.

To configure perimeter security

  1. Click the Enable perimeter security checkbox.
  2. Click Save.

Setting Up Credential Groups

A credential group is an administrator-defined set of domains that share a user directory or use duplicated user directories. You might think of a credential group as all the login services that use the same username and password. Credential groups enable the Google Search Appliance to gather user credentials by using the Universal Login Form.

Set up credential groups by performing the following tasks:

  1. Creating Credential Groups
  2. Configuring Credential Groups

Default Credential Group

The Google Search Appliance provides a built-in credential group named Default. You can configure the Default credential group.

Credential Group Name and Display Name

For each credential group that you set up, you can provide a name by using the Credential Group Name box. If you want a different name for the credential group to appear on the Universal Login form, type this name in the Credential Group Display Name box. If you do not provide a Credential Group Display Name, the Credential Group Name appears on the Universal Login Form.

Credential Group Options

For each credential group that you create, you can choose two options:

  • Require a User-name for this credential group?
  • Group is Optional?

The following table describes these options.

Option Description
Require a user-name for this credential group?

This option ensures that the system has a username for an authenticated user. This option is important when your configuration uses cookie-based authentication in combination with an authorization mechanism that requires user-names, such as policy ACLs and SAML.

If a user presents pre-existing cookies that are sufficient for access to configured sample URLs, but no cookie cracker is in use, the search appliance does not know the user's name. In this case, if the box is checked, the credential group is not pre-satisified, even if the sample URL check succeeds, and a Universal Login Form is presented to the user. If a user-name is available, from a different authentication mechanism, a previous Universal Login Form, or a cookie cracker, then the group can be pre-satisfied, and if all credential groups are pre-satisfied, then the Universal Login Form is skipped altogether.
Group is optional? This option controls the behavior of the Universal Login Form.
If this option is checked, the user is not required to type a username and password in the Universal Login Form for this credential group. The user can submit the Universal Login Form and view search results. However, if the user does not login, then search results do not include secure results protected by that credential group.
If this option is not checked, the user is required to type a username and password in the Universal Login Form. The user cannot view any search results until he has supplied his username and password. He will keep being sent back to the Universal Login Form until he provides the correct credentials.

Creating Credential Groups

To create a new credential group:

  1. Click Search > Secure Search > Universal Login.
  2. In the Credential Group Name box, type a unique name for the new credential group. A credential group name must not be the same as another credential group name or mechanism name.
    Credential group names can be up to 200 characters long and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.
  3. (Optional) Type the name that you want to appear on the Universal Login form in the Credential Group Display Name box. There are no character or format restrictions on the Credential Group Display Name.
  4. Select Require a user-name for this credential group? and Group is optional?, as described in the preceding table.
  5. Click Save.
    The new credential group's name appears in the list of credential groups.

Configuring Credential Groups

After you create a new credential group, you can configure it by adding a credential group rule on the Search > Secure Search > Universal Login Auth Mechanisms page. This page provides tabs for adding resources in different types of authentication domains to credential groups. For information about a tab, see the help page for that tab.

Editing a Credential Group

To edit a credential group:

  1. Click Search > Secure Search > Universal Login.
  2. Click the Edit link next to the credential group name you want to edit.
  3. Make changes to the credential group.
  4. Click Save.

Deleting a Credential Group

To delete a credential group:

  1. Click Search > Secure Search > Universal Login.
  2. Click theĀ Delete link next to the credential group that you want to delete.

Related Task

You can modify the appearance of the Universal Login Form or replace the Universal Login Form with your own fully customized HTML page. For information about these topics, click Admin Console Help > Search > Secure Search > Universal Login Form Customization.

For More Information

For more information about Universal Login and credential groups, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.

 
© Google Inc.