Google Search Appliance Authentication/Authorization for Enterprise SPI Guide User Manual
<element name="Subject" type="saml:SubjectType"/>
<complexType name="SubjectType">
  <choice>
    <sequence>
      <choice>
        <element ref="saml:BaseID"/>
        <element ref="saml:NameID"/>
        <element ref="saml:EncryptedID"/>
      </choice>
      <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
  </choice>
</complexType>
<element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
<complexType name="AuthzDecisionQueryType">
  <complexContent>
    <extension base="samlp:SubjectQueryAbstractType">
      <sequence>
        <element ref="saml:Action" maxOccurs="unbounded"/>
        <element ref="saml:Evidence" minOccurs="0"/>
      </sequence>
      <attribute name="Resource" type="anyURI" use="required"/>
    </extension>
  </complexContent>
</complexType>
The <Subject> element contains the identity of the search user; within it, the <NameID> element carries that identity. The format of the identity is whatever the Google Search Appliance received from the Authentication portion of the Authorization Server/PDP. The Resource attribute is the URL for which authorization is being checked.
For the <Action> element, the Namespace attribute has the value urn:oasis:names:tc:SAML:1.0:action:ghpp, and the text content of the element is GET.
The following elements and attributes are not sent to the Policy Decision Point by the search appliance.
• <saml:Issuer> element
• <ds:Signature> element
• <samlp:Extensions> element
• Consent attribute
• <SubjectConfirmation> element
• NameQualifier attribute
• SPNameQualifier attribute
• Format attribute
• SPProvidedID attribute
• <Evidence> element
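As an added example (not code from the guide or from Google), the following Python builds an AuthzDecisionQuery of exactly the shape described above (NameID subject, Resource URL, one GET Action in the ghpp namespace, none of the omitted elements) and, on the PDP side, validates an incoming query before acting on it. The SAML 2.0 namespace URIs are the standard ones; the request ID, IssueInstant, user name and URL are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # standard SAML 2.0 assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # standard SAML 2.0 protocol namespace
GHPP_NS = "urn:oasis:names:tc:SAML:1.0:action:ghpp"  # Action namespace from the guide

ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_authz_decision_query(name_id, resource, request_id, issue_instant):
    """Build the query the search appliance sends: no Issuer, Signature,
    Extensions, SubjectConfirmation or Evidence; NameID carries the user."""
    query = ET.Element(f"{{{SAMLP}}}AuthzDecisionQuery",
                       {"ID": request_id, "Version": "2.0",
                        "IssueInstant": issue_instant, "Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    action = ET.SubElement(query, f"{{{SAML}}}Action", {"Namespace": GHPP_NS})
    action.text = "GET"
    return ET.tostring(query, encoding="unicode")


def parse_authz_decision_query(xml_text):
    """PDP-side check: return (name_id, resource, actions), or raise ValueError
    when the query does not match the shape the appliance is documented to send."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthzDecisionQuery":
        raise ValueError("not a samlp:AuthzDecisionQuery")
    resource = root.get("Resource")
    if not resource:
        raise ValueError("Resource attribute is required")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise ValueError("Subject/NameID is required")
    actions = []
    for act in root.findall(f"{{{SAML}}}Action"):
        if act.get("Namespace") != GHPP_NS or (act.text or "").strip() != "GET":
            raise ValueError("unexpected Action namespace or value")
        actions.append(act.text.strip())
    if not actions:
        raise ValueError("at least one Action is required")
    return name_id, resource, actions


def is_valid_query(xml_text):
    """Convenience wrapper: True when the query passes the checks above."""
    try:
        parse_authz_decision_query(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```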