Admin Console Help

Search > Secure Search > Universal Login Auth Mechanisms > Cookie

Use the Search > Secure Search > Universal Login Auth Mechanisms > Cookie page to configure a credential group for cookie-based authentication by adding credential group rules.

Before Starting this Task

Before adding rules for credential groups for cookie-based authentication, set up credential groups by using the Search > Secure Search > Universal Login page.

Adding a Credential Group Rule for Cookie-Based Authentication

Add a credential group rule for cookie-based authentication by supplying a sample URL for a group and a mechanism name, as described in the following table. You can also add a redirect URL and a trust duration, which are optional.

Option and Description

When sample URL check fails, expect the sample page to redirect to a form and log in to that form
  Click this checkbox to enable the sample URL to send a redirect response that leads the search appliance to a login form.

Mechanism Name
  The Mechanism Name that you enter will appear in the Authentication ID pull-down menu on the Search > Secure Search > Flexible Authorization page. The Mechanism Name enables you to instruct the authorization mechanism to use a session identity from a specific credential group or instance of an authentication mechanism.
  A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-insensitive, can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.

Sample URL
  Supply a sample URL, which is any page in the protected site that all authenticated users can view.
  The sample URL is used to detect whether a user has correct credentials for a particular authentication method. Each sample URL is checked before the Universal Login Form is presented, to determine if the user's initial set of cookies can "pre-satisfy" any or all credential groups. In addition, if any cookie-based authentication methods are defined, the search appliance uses credentials gathered in the Universal Login Form to gather cookies and then uses those cookies to retrieve the sample URL page. If the retrieval is successful, the credentials are verified as correct. If a user has the correct cookies, content is presented. If a user does not have the correct cookies, the sample URL's page should redirect to the forms-based login system.
  For the URL pattern http://www.abcreports.com/, an example of a sample URL is http://www.abcreports.com/standard.html

Redirect URL (optional)
  Supply a redirect URL. In case the sample URL check fails, the search appliance is redirected to a form where it can log in.
  If you supply a redirect URL, the authentication mechanism changes significantly. In non-redirect mode, the search appliance transfers a username / password from the Universal Login Form to a login form found when attempting to retrieve the sample URL. With a redirect URL, the search appliance will automatically redirect to that URL. The service at that URL can then authenticate the user in whatever way it wishes. Upon completion of that authentication, the service at the redirect URL should grant a cookie to the user which provides access to secure content (and to the sample URL, if provided), and redirect the user back to the search appliance.

Return URL Parameter (optional)
  Specify a return URL parameter. The return URL parameter gives the server for the redirect URL information about the quickest path back to the search appliance. The server for the redirect URL follows this path when it sends a redirect response that leads back to the search appliance after it has authenticated the user. To use a return URL parameter, the administrator of the server for the redirect URL must modify the server so that it respects a return URL parameter.

Timeout (seconds) (Default 3 seconds if none specified)
  This value indicates the time for making a network connection. The default value is 3 seconds. If the search appliance does not make the network connection in the specified time, it abandons the attempt. Use this field to override the default timeout of 3 seconds.

Trust Duration (seconds) (Default 300 if none specified)
  Specify how long the authentication mechanism's verification of user credentials will be trusted, in seconds. Once a successful verification is received from the authentication mechanism, further requests within the specified trust duration re-use the verification results that were previously obtained without contacting the authentication mechanism. After the trust duration expires, the authentication mechanism is contacted again. The user will need to provide his credentials again at this time.
  Note that a user might also be prompted to provide credentials again if the Session Idle Time times out. In fact, the user is prompted to provide credentials when whichever setting is shorter (session idle time or trust duration) times out first. For this reason, Google recommends coordinating the two settings. To set Session Idle Time, use the Search > Secure Search > Access Control page.
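
The sample URL check and the trust duration described above, sketched as an added Python example (not Google Search Appliance code). The local SampleSite server, the cookie value, sample_url_check and TrustCache are hypothetical names, and the pass criterion (HTTP 200 on the sample URL with no redirect followed) is an assumption about what a successful retrieval means.

```python
import http.server, threading, time, urllib.request

VALID_COOKIE = "session=constructed-token"   # constructed sample value

class SampleSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the protected site that hosts the sample URL."""
    def do_GET(self):
        if self.path == "/standard.html" and self.headers.get("Cookie") == VALID_COOKIE:
            self.send_response(200)           # correct cookie: content is served
        else:
            self.send_response(302)           # otherwise: redirect to the login form
            self.send_header("Location", "/login")
        self.end_headers()
    def log_message(self, *args):             # keep the demo quiet
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                           # a redirect then surfaces as HTTPError

def sample_url_check(url, cookie, timeout=3.0):
    """Assumed pass criterion: HTTP 200 on the sample URL itself, redirect not followed."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:                           # HTTPError, URLError and timeouts
        return False

class TrustCache:
    """Re-use a successful verification until the trust duration expires."""
    def __init__(self, trust_duration=300, clock=time.monotonic):
        self.trust_duration, self.clock, self.expiry = trust_duration, clock, {}
    def verified(self, user, check):
        if self.clock() < self.expiry.get(user, float("-inf")):
            return True                       # still trusted: mechanism not contacted
        ok = check()
        if ok:                                # only successful checks are cached
            self.expiry[user] = self.clock() + self.trust_duration
        return ok

def run_demo():
    """Check the sample URL with the valid cookie, then with no cookie at all."""
    server = http.server.HTTPServer(("127.0.0.1", 0), SampleSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/standard.html"
    try:
        return sample_url_check(url, VALID_COOKIE), sample_url_check(url, None)
    finally:
        server.shutdown()
        server.server_close()
```

Under this criterion, a sample URL that returns its content to requests without a valid cookie would make every user's cookies appear to pre-satisfy the credential group, so choose a page that always redirects unauthenticated requests to the login form.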

To add a credential group rule for cookie-based authentication:

  1. Click Search > Secure Search > Universal Login Auth Mechanisms > Cookie.
  2. Select a credential group from the pull-down menu.
  3. Optionally, click When sample URL check fails, expect the sample page to redirect to a form and log in to that form.
  4. In the Mechanism Name box, type a unique name for the authentication mechanism.
  5. Type a sample URL for the site in the Sample URL box.
  6. Optionally, type a URL in the Redirect URL box.
  7. Optionally, change the default time for the search appliance to make a network connection by entering the number of seconds in the Timeout box.
  8. Optionally, type the number of seconds that the verification of user credentials will be trusted in the Trust Duration box.
  9. Click Save.

Alternatively, you can import rules for all the URL patterns in the rules created on the Content Sources > Web Crawl > Secure Crawl > Forms Authentication page by clicking Import Domains From Crawl And Index.

To delete a rule:

  1. Click Search > Secure Search > Universal Login Auth Mechanisms > Cookie.
  2. Click Delete this rule.
  3. Click Save.

Using Silent Authentication

With silent authentication, users are authenticated without being directed to a login page. Inbound cookie forwarding from the content server to the search appliance can provide silent authentication without a verified identity, if the sample URL check passes. If you require a verified identity, then silent authentication can only be achieved with cookie cracking.

For information about silent authentication and cookie cracking, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.

For More Information

For more information about Universal Login and credential groups, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.


 
© Google Inc.