Saml authorization – Google Search Appliance Security User Manual

Page 36


“Free” ACL example

<group>
  <acl url='http://dummyhost.corp.google.com/'
       inheritance-type="child-overrides"
       inherit-from='http://corp.google.com/'>
    <principal scope="user" access="permit">edward</principal>
    <principal scope="user" access="deny">william</principal>
    <principal scope="user" access="deny">ben</principal>
    <principal scope="group" access="permit">nobles</principal>
    <principal scope="group" access="deny">playwrights</principal>
  </acl>
  ...
  ...
</group>

In this example, http://dummyhost.corp.google.com/ is a free ACL: it inherits from http://corp.google.com/ and defines further principals. Because its inheritance type is child-overrides, any child ACL of this URL overrides it.
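Added example, not code from the manual: a small Python resolver that loads ACLs in this format and applies the child-overrides rule, deferring to the inherit-from ACL only when the child says nothing about the user or the user's groups. The parent ACL for http://corp.google.com/, the group name courtiers, the deny-beats-permit rule within one ACL and the default-deny fallback are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's free ACL plus an assumed parent ACL for corp.google.com
ACL_XML = """<group>
  <acl url='http://corp.google.com/' inheritance-type="child-overrides">
    <principal scope="user" access="deny">edward</principal>
    <principal scope="group" access="permit">courtiers</principal>
  </acl>
  <acl url='http://dummyhost.corp.google.com/' inheritance-type="child-overrides"
       inherit-from='http://corp.google.com/'>
    <principal scope="user" access="permit">edward</principal>
    <principal scope="user" access="deny">william</principal>
    <principal scope="user" access="deny">ben</principal>
    <principal scope="group" access="permit">nobles</principal>
    <principal scope="group" access="deny">playwrights</principal>
  </acl>
</group>"""


def load_acls(xml_text):
    """Map each ACL url to (inheritance-type, inherit-from, [(scope, access, name), ...])."""
    acls = {}
    for acl in ET.fromstring(xml_text).iter("acl"):
        principals = [(p.get("scope"), p.get("access"), (p.text or "").strip())
                      for p in acl.iter("principal")]
        acls[acl.get("url")] = (acl.get("inheritance-type"), acl.get("inherit-from"), principals)
    return acls

def local_decision(principals, user, groups):
    """One ACL's own verdict; explicit deny beats permit (assumption); None = no opinion."""
    decision = None
    for scope, access, name in principals:
        matched = name == user if scope == "user" else name in groups
        if matched and access == "deny":
            return "deny"
        if matched and access == "permit":
            decision = "permit"
    return decision

def authorize(acls, url, user, groups=()):
    """Resolve access for url; an unknown url or no verdict anywhere is deny (assumption)."""
    if url not in acls:
        return "deny"
    inheritance, parent, principals = acls[url]
    if inheritance != "child-overrides":
        raise ValueError(f"only child-overrides is modelled here, got {inheritance!r}")
    own = local_decision(principals, user, set(groups))
    if own is not None:  # child-overrides: the child's verdict wins whenever it has one
        return own
    return "deny" if parent is None else authorize(acls, parent, user, groups)
```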

SAML authorization

You can fully customize the authorization process through an external SAML provider that resolves authorization. It is best to build such a SAML authorization process in the programming language that you are most familiar with. The SAML authorization request is an XML-formatted request that the search appliance sends to the service URL that you have configured in the Admin Console. That request contains information about the user and the URLs to be authorized. SAML also supports batch processing, so that multiple URLs can be sent in one request; implementing batching is highly desirable with this approach, because it avoids authorization chattiness and so improves performance.

The Authentication/Authorization for Enterprise SPI Guide contains more information about the SAML XML format, which you can use to build a custom SAML authorization process. You have to implement the service that runs on an external application server: it parses the request, determines whether the user has rights to access each document, and returns an XML-formatted response to the search appliance. An example is the SAML Bridge, which can perform batch authorization of Kerberized content using HTTP HEAD requests.

Key considerations

Considerations for using SAML authorization:

The main advantage of implementing this authorization model is that you fully control the security process at search time.

The main drawback of this approach is that it is intrinsically tied to the late-binding method: resolving authorization at search time can take more time, although batch processing can mitigate this.
