Authentication and Authorization when using Searchbox for Sharepoint

The Searchbox for Sharepoint is deprecated. The last supported version is 3.2.

Introduction

The Search Box for SharePoint feature embeds Google Search Appliance (GSA) search within your SharePoint environment. This document explains, step by step, how the components involved interact when a user performs a search. It also includes a UML (Unified Modeling Language) diagram describing the complete flow.

Terminology

GSA - Google Search Appliance

Security Manager - Component inside the GSA which handles authentication

SAML - Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data

NTLM - NT LAN Manager (a Windows authentication protocol)

Kerberos - Network authentication protocol

Prerequisites

This document assumes that the steps listed in Configuring Google Search Box for Microsoft Sharepoint have been followed.

Search Box for Sharepoint Overview

The user's browser uses the Search Box for SharePoint to get search results from the GSA, authenticating with NTLM or Kerberos. The Search Box configured on the SharePoint server in turn uses the SAML Bridge to perform silent authentication with Kerberos/NTLM. Once authenticated, authorization is performed through the SharePoint connector before results are displayed to the user. The following example shows HTTP header captures using NTLM authentication, because the SharePoint server used in the example supports only NTLM. For Kerberos the data flow is similar, but the Authorization headers differ.

1. When a user initiates a search in the web browser using the Google Search Box for SharePoint, the browser POSTs the search request to the SharePoint server. The Authorization header carries an NTLM negotiate message (Type 1), which only advertises the client's capabilities; no user name or credentials are sent yet.

POST /_layouts/GSASearchresults.aspx?k=default%2Easpx&selectedScope=Enterprise&isPublicSearch=false HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://w2k8-sp10-3.gdc-psl.net/SitePages/Home.aspx
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: w2k8-sp10-3.gdc-psl.net
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: WSS_KeepSessionAuthenticated={8f767f34-6e6e-4746-bbb9-f5aec0c4d4e6}; ASP.NET_SessionId=15my5cmdplyjml2vryyuwabx
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
 

2. The SharePoint server responds with 401 Unauthorized. The WWW-Authenticate: NTLM header carries the server's NTLM challenge (Type 2 message, containing the target domain GDC-PSL and an 8-byte server challenge) in reply to the negotiate message from step 1; as the SharePoint server in this example supports only NTLM, no other mechanism is offered. If the SharePoint server also supports Kerberos, the 401 response carries a WWW-Authenticate: Negotiate header instead. Negotiate lets the client choose either Kerberos or NTLM, with Kerberos taking precedence over NTLM. For Kerberos to work, the user's browser must be configured for Kerberos.

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
SPRequestGuid: 0902aaa8-248a-4d49-a2e5-e32c91c9bb3c
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAFgomiVWPospBmBB0AAAAAAAAAAKIAogBGAAAABgGwHQAAAA9HAEQAQwAtAFAAUwBMAAIADgBHAEQ
….....
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.4762
Date: Mon, 18 Jul 2011 22:36:09 GMT
Content-Length: 0
 

3. The browser then completes the NTLM handshake by silently sending the authenticate message (Type 3), which carries the domain, user name, workstation and the response computed from the server challenge; the password itself is never sent. If the SAML Bridge is not properly configured, the user is prompted for NTLM credentials instead. See the SAML Bridge troubleshooting guide for details.

POST /_layouts/GSASearchresults.aspx?k=default%2Easpx&selectedScope=Enterprise&isPublicSearch=false HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://w2k8-sp10-3.gdc-psl.net/SitePages/Home.aspx
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: w2k8-sp10-3.gdc-psl.net
Content-Length: 7295
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: WSS_KeepSessionAuthenticated={8f767f34-6e6e-4746-bbb9-f5aec0c4d4e6}; ASP.NET_SessionId=15my5cmdplyjml2vryyuwabx
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJ4AAABiAWIBtgAAAA4ADgBYAAAAGgAaAGYAAAAeAB4AgAAAAAAAAAAYAgAABYKIogYBsB0AAAAPXF69WJ8oivQ
…..............

MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&_wikiPageMode=&__EVENTTARGET=&__EVENTARGUMENT=&__REQUESTDIGEST=0xF0E25C1B53993C2C0908496BD0716B6C78DD5A813338D324BE0E9BA5087E494BD9A3C4F2398F75119FB88163CDDF33CB7E2120D5A1758EB14EC8E1A7555AAFB6%2C18+Jul+2011+22%3A34%3A26+-0000&MSOAuthoringConsole_FormContext=&MSOAC_EditDuringWorkflow=&InputComments=&_wikiPageCommand=&SPPageStateContext_PreviousAuthoringVersion=5&MSOSPWebPartManager_DisplayModeName=Browse&MSOSPWebPartManager_ExitingDesignMode=false&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&_wpSelected=&_wzSelected=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&MSOSPWebPartManager_EndWebPartEditing=false&_maintainWorkspaceScrollPosition=0&__LASTFOCUS=&SPPageStateContext_PreviousAuthoringItemUser=1&__VIEWSTATE=%2FwEPDwUILTc2NTI4NzYPZBYCZg9kFgICAQ9kFgICAw9kFhACAw9kFgIFJmdfY2NmNTgyNTdfOWY5Nl80ZDkwX2EwMzZfM2E2MTE2NzEwNzVlEA8W.....................FBsYWNlSG9sZGVyVG9wTmF2QmFyJFBsYWNlSG9sZGVySG9yaXpvbnRhbE5hdiRUb3BOYXZpZ2F0aW9uTWVudVY0Dw9kBQRIb21lZGSy%2FeO6RiTPtnwn8oiy3ihmhOL%2F&__SCROLLPOSITIONX=0&__SCROLLPOSITIONY=0&__EVENTVALIDATION=%2FwEWEQKtmPflDwLKnfnKCAKexuDwAwL1iuCkDwKYlYieCQKZjrGJBwL7r%2BnGBQKq%2F%2FPjDwKh59roAQLgj5dUAtTs3uwNAov%2BjcwCAqOEqYYOAo6RpvsMAtiyqPQGAvb2ookHAteHwdUL7JwvpJFC%2F%2B%2FEg6UrVGCKJ4m4%2B2c%3D&ctl00%24ctl29=&ctl00%24PlaceHolderPageTitleInTitleArea%24wikiPageNameEditTextBox=Home&ctl00%24PlaceHolderSearchArea%24ctl01%24hfPublicSearch=false&ctl00%24PlaceHolderSearchArea%24ctl01%24hfStrEncodedUrl=http%3A%2F%2Fw2k8-sp10-3.gdc-psl.net%2F_layouts%2FGSASearchresults.aspx&ctl00%24PlaceHolderSearchArea%24ctl01%24hfUserSelectedScope=&ctl00%24PlaceHolderSearchArea%24ctl01%24idSearchScope=Enterprise&ctl00%24PlaceHolderSearchArea%24ctl01%24hfSelectedScope=http%3A%2F%2Fw2k8-sp10-3.gdc-psl.net%2FSitePages&ctl00%24PlaceHolderSearchArea%24ctl01%24txtSearch=default.aspx&__spText1=&__spText2=&_wpcmWpid=&wpcmVal=
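
The three NTLM tokens exchanged in steps 1 to 3 can be checked rather than taken on faith. The following Python is an added example, not code from the Search Box, the GSA or the SAML Bridge: it decodes the captured tokens and reports the message type, negotiate flags, OS version, the target domain and server challenge from the Type 2 message, and the field sizes of the Type 3 message. The Type 2 and Type 3 tokens are shown truncated on this page, so the parser reads only the bytes that are present and returns None for any string that lies beyond the capture; the NT response length alone is enough to tell that the client answered with NTLMv2.

```python
import base64
import struct

# Tokens copied from steps 1-3 of the capture above. The Type 2 and Type 3 tokens
# are shown truncated on the page, so only their fixed-size headers (and, for
# Type 2, the target name that follows them) can be decoded here.
NEGOTIATE_TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
CHALLENGE_TYPE2_PREFIX = "TlRMTVNTUAACAAAADgAOADgAAAAFgomiVWPospBmBB0AAAAAAAAAAKIAogBGAAAABgGwHQAAAA9HAEQAQwAtAFAAUwBMAAIADgBHAEQ"
AUTHENTICATE_TYPE3_PREFIX = "TlRMTVNTUAADAAAAGAAYAJ4AAABiAWIBtgAAAA4ADgBYAAAAGgAaAGYAAAAeAB4AgAAAAAAAAAAYAgAABYKIogYBsB0AAAAPXF69WJ8oivQ"

# NegotiateFlags bits (MS-NLMP 2.2.2.5) that matter when reading a handshake.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def token_from_header(header_line):
    """Return the base64 token from an 'Authorization: NTLM x' or
    'WWW-Authenticate: NTLM x' header line."""
    _name, _sep, value = header_line.partition(":")
    scheme, _sep, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header with a token: %r" % header_line)
    return token.strip()


def decode_token(b64):
    """Base64-decode a token, tolerating a capture that was cut off mid-token
    by keeping only complete 4-character groups."""
    b64 = b64.strip()
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])


def _field(data, off):
    """Read an NTLM field descriptor (Len, MaxLen, BufferOffset) at byte off."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return length, offset


def _string_at(data, length, offset):
    """Return the UTF-16LE payload string, or None if the capture ends before it."""
    if offset + length > len(data):
        return None
    return data[offset:offset + length].decode("utf-16-le")


def _version(data, off):
    major, minor, build = struct.unpack_from("<BBH", data, off)
    return (major, minor, build)


def parse_ntlm(token):
    """Decode the header of an NTLM Type 1, 2 or 3 message (MS-NLMP 2.2.1)."""
    data = decode_token(token)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    info = {"type": msg_type}
    if msg_type == 1:  # NEGOTIATE_MESSAGE: flags at 12, version at 32
        (info["flags"],) = struct.unpack_from("<I", data, 12)
        info["version"] = _version(data, 32)
    elif msg_type == 2:  # CHALLENGE_MESSAGE
        target_len, target_off = _field(data, 12)
        (info["flags"],) = struct.unpack_from("<I", data, 20)
        info["server_challenge"] = data[24:32].hex()
        info["target_info_len"], _ = _field(data, 40)
        info["version"] = _version(data, 48)
        info["target_name"] = _string_at(data, target_len, target_off)
    elif msg_type == 3:  # AUTHENTICATE_MESSAGE
        lm_len, _ = _field(data, 12)
        nt_len, _ = _field(data, 20)
        dom_len, dom_off = _field(data, 28)
        usr_len, usr_off = _field(data, 36)
        wks_len, wks_off = _field(data, 44)
        (info["flags"],) = struct.unpack_from("<I", data, 60)
        info["version"] = _version(data, 64)
        info["lm_response_len"] = lm_len
        info["nt_response_len"] = nt_len
        # An NTLMv1 NT response is exactly 24 bytes; an NTLMv2 response is a
        # 16-byte HMAC followed by a variable-length blob, so longer means v2.
        info["ntlmv2"] = nt_len > 24
        info["domain_chars"] = dom_len // 2
        info["user_chars"] = usr_len // 2
        info["workstation_chars"] = wks_len // 2
        info["domain"] = _string_at(data, dom_len, dom_off)
        info["user"] = _string_at(data, usr_len, usr_off)
        info["workstation"] = _string_at(data, wks_len, wks_off)
    else:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    info["flag_names"] = [name for bit, name in sorted(NTLM_FLAGS.items())
                          if info["flags"] & bit]
    return info


if __name__ == "__main__":
    for label, token in (("step 1", NEGOTIATE_TYPE1),
                         ("step 2", CHALLENGE_TYPE2_PREFIX),
                         ("step 3", AUTHENTICATE_TYPE3_PREFIX)):
        print(label, parse_ntlm(token))
```

On the captured tokens this reports Windows 6.1 build 7600 on both sides, target domain GDC-PSL and a 354-byte NT response in the Type 3 message, so the browser used NTLMv2 with extended session security; the 26-byte user name field is 13 UTF-16 characters, consistent with the administrator@GDC-PSL identity that the SAML Bridge later asserts in step 11.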
 

4. The SharePoint server then forwards the search request to the GSA as a GET on behalf of the user (with the user's Kerberos ticket in the Kerberos case). In the NTLM case shown here the request carries no Authorization header; the GSA establishes the user's identity in the following steps.

GET /search?q=default.aspx&btnG=Google+Search&access=a&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&sort=date%3AD%3AL%3Ad1&oe=UTF-8&ie=UTF-8&ud=1&exclude_apps=1&site=default_collection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: foo.com
Connection: Keep-Alive
 

5. Since the user is performing a secure search (access=a), the GSA redirects the request to the Security Manager for authentication, passing a SAML AuthnRequest and the original search URL as RelayState, and sets the GSA_SESSION_ID cookie.

HTTP/1.0 302 Found
Date: Mon, 18 Jul 2011 22:35:39 GMT
Location: http://foo.com/security-manager/samlauthn?SAMLRequest=fZLbjtMwEIbvkXiHyPc5tUmTWklWhdIlK1gVWlhp7xxnknrr2MF22uXtyaErioC9ndP//TOT3Dw33DqB0kyKFPmOhywQVJZM1Cn6tt/YMbrJ3r5JNGl4i1edOYiv8KMDbay%2BU2g8JlLUKYEl0UxjQRrQ2FC8W33%2BhGeOh1sljaSSIytfp%2BjY1qSgR3h6Is3hSHhbyLoqBAfOGBwKTmnRippSZH1/wZoNWLnWHeRCGyJMH/J83/Yi24/3sxmeh3i%2BfETW9qL0jonJwWtYxVSk8cf9fmuvlGEVoWYccmIlqPu%2BI0W1lDUHh8pmQNgSrdmpD1eEa0DZuBc8oqmrhbwu3M%2BAXk0KlB2MabHr/hZxQRhQrWIa3FoTdxfa683D4/LLw/x2cX%2B3S9wrxexyloE0X28lZ/SnteJcnt8rIKbHNKoDZG2kaoj5P5Tv%2BGOElXY1luJO6BYoqxiUyHJfdD48GxDDSXSWTMj4VpMd6CGWl5cFTJkUXbydz2fnyh/KwiBexHG8jEi4DKEIoCABISQiCy8IomieuP%2BYnU3G/2Rw//7K/ld/AQ%3D%3D&RelayState=/search?q%3Ddefault.aspx%26btnG%3DGoogle%2BSearch%26access%3Da%26client%3Ddefault_frontend%26output%3Dxml_no_dtd%26proxystylesheet%3Ddefault_frontend%26sort%3Ddate%253AD%253AL%253Ad1%26oe%3DUTF-8%26ie%3DUTF-8%26ud%3D1%26exclude_apps%3D1%26site%3Ddefault_collection
Content-Type: text/html
Content-Length: 0
Set-Cookie: GSA_SESSION_ID=548688897a595eb4eba4aaa7a6044773
Connection: close

GET /security-manager/samlauthn?SAMLRequest=fZLbjtMwEIbvkXiHyPc5tUmTWklWhdIlK1gVWlhp7xxnknrr2MF22uXtyaErioC9ndP//TOT3Dw33DqB0kyKFPmOhywQVJZM1Cn6tt/YMbrJ3r5JNGl4i1edOYiv8KMDbay%2BU2g8JlLUKYEl0UxjQRrQ2FC8W33%2BhGeOh1sljaSSIytfp%2BjY1qSgR3h6Is3hSHhbyLoqBAfOGBwKTmnRippSZH1/wZoNWLnWHeRCGyJMH/J83/Yi24/3sxmeh3i%2BfETW9qL0jonJwWtYxVSk8cf9fmuvlGEVoWYccmIlqPu%2BI0W1lDUHh8pmQNgSrdmpD1eEa0DZuBc8oqmrhbwu3M%2BAXk0KlB2MabHr/hZxQRhQrWIa3FoTdxfa683D4/LLw/x2cX%2B3S9wrxexyloE0X28lZ/SnteJcnt8rIKbHNKoDZG2kaoj5P5Tv%2BGOElXY1luJO6BYoqxiUyHJfdD48GxDDSXSWTMj4VpMd6CGWl5cFTJkUXbydz2fnyh/KwiBexHG8jEi4DKEIoCABISQiCy8IomieuP%2BYnU3G/2Rw//7K/ld/AQ%3D%3D&RelayState=/search?q%3Ddefault.aspx%26btnG%3DGoogle%2BSearch%26access%3Da%26client%3Ddefault_frontend%26output%3Dxml_no_dtd%26proxystylesheet%3Ddefault_frontend%26sort%3Ddate%253AD%253AL%253Ad1%26oe%3DUTF-8%26ie%3DUTF-8%26ud%3D1%26exclude_apps%3D1%26site%3Ddefault_collection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: foo.com
Connection: Keep-Alive
Cookie: GSA_SESSION_ID=548688897a595eb4eba4aaa7a6044773
 

6. The Security Manager detects that the user is not authenticated and, since SAML authentication is configured, redirects the user to the SAML login URL Login.aspx, which is served from the server where the SAML Bridge is installed. The SAMLRequest is sent with the HTTP-Redirect binding and is signed by the Security Manager (the SigAlg rsa-sha1 and Signature parameters).

HTTP/1.0 302 Moved Temporarily
Date: Mon, 18 Jul 2011 22:35:40 GMT
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Location: http://saml-w2k3-32.gdc-psl.net:8888/saml-bridge/Login.aspx?SAMLRequest=fZLbTuMwEIbv9yks3%2BfkkNJYTVBFBWJVEEs4SNysvM40NZvYWY%2FThbdfpw2rIiR8Z8%2FMN%2F%2F848XZa9eSHVhURhc0CWNKQEtTK90U9OH%2BIpjTs%2FLbAkXXsp4vB7fVd%2FBnAHRkiQjW%2Bbpzo3HowFZgd0rCw926oFvneh5FoN3bSzwLt8aFTS2DHttQg4sQ5GCVews6oUUDNhobiHegnICUrHwjpYXbq5uYY2rwl%2F1Og5QdQ%2Fncn0P0l1V1A9HaNEqHAvtXSq5WBf05y7I8yTeQiDirsxOZp2wOACw%2BFVDPNtKn4a2XoXZQ0I1oEcYXHOBKoxPaFZTFSRLEp0Eyv2eMpxk%2FicM4zZ8pubVmp2qwN6LzxZfGNC2QapqTXB%2FmpOTx3Ws2eu3d18gP7hZ0sJobgQq59hDkTvJqeb3mPpX31jgjTUvLwzL4Xpc9JnwN%2BO8uLScjm73GUJpu3BPY3iqEqEERVVmwunh6zn88pZezm%2B%2FVp30tomMR5XT9%2BEHKfw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=IbS%2FP1Uad%2BNdHXvM5MfZh2jC2Ws7GzRjt1guphlpBkFKPwFh28a9PkAK0YdCOmX%2FygjcVWA6%2FzOmmueMfLxbebeXHIcjs42sU2fT%2BbPNgeIGU5%2FHyS9JX5WK5wZYeQsZlOS2ls6tK2hRrblCqQCxAwdBx3gPrkb4Io8AfyNk0ws%3D
Content-Length: 0
Connection: close
Content-Type: text/plain

GET /saml-bridge/Login.aspx?SAMLRequest=fZLbTuMwEIbv9yks3%2BfkkNJYTVBFBWJVEEs4SNysvM40NZvYWY%2FThbdfpw2rIiR8Z8%2FMN%2F%2F848XZa9eSHVhURhc0CWNKQEtTK90U9OH%2BIpjTs%2FLbAkXXsp4vB7fVd%2FBnAHRkiQjW%2Bbpzo3HowFZgd0rCw926oFvneh5FoN3bSzwLt8aFTS2DHttQg4sQ5GCVews6oUUDNhobiHegnICUrHwjpYXbq5uYY2rwl%2F1Og5QdQ%2Fncn0P0l1V1A9HaNEqHAvtXSq5WBf05y7I8yTeQiDirsxOZp2wOACw%2BFVDPNtKn4a2XoXZQ0I1oEcYXHOBKoxPaFZTFSRLEp0Eyv2eMpxk%2FicM4zZ8pubVmp2qwN6LzxZfGNC2QapqTXB%2FmpOTx3Ws2eu3d18gP7hZ0sJobgQq59hDkTvJqeb3mPpX31jgjTUvLwzL4Xpc9JnwN%2BO8uLScjm73GUJpu3BPY3iqEqEERVVmwunh6zn88pZezm%2B%2FVp30tomMR5XT9%2BEHKfw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=IbS%2FP1Uad%2BNdHXvM5MfZh2jC2Ws7GzRjt1guphlpBkFKPwFh28a9PkAK0YdCOmX%2FygjcVWA6%2FzOmmueMfLxbebeXHIcjs42sU2fT%2BbPNgeIGU5%2FHyS9JX5WK5wZYeQsZlOS2ls6tK2hRrblCqQCxAwdBx3gPrkb4Io8AfyNk0ws%3D HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: saml-w2k3-32.gdc-psl.net:8888
Connection: Keep-Alive
 

7. SAML Bridge Login uses Kerberos as its primary authentication mechanism, with NTLM as the fallback. The SAML Bridge returns a 401 Unauthorized response that offers both Negotiate and NTLM, asking the caller to authenticate using Kerberos.

HTTP/1.1 401 Unauthorized
Content-Length: 83
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 18 Jul 2011 22:35:40 GMT

<html><head><title>Error</title></head><body>Error: Access is Denied.</body></html>
 

8. The Search Box impersonates the user, performs a protocol transition (NTLM to Kerberos, using Kerberos constrained delegation with protocol transition) and sends a GET with a valid Kerberos token (Authorization: Negotiate) to the IIS server where the Login.aspx page of the SAML Bridge resides.

GET /saml-bridge/Login.aspx?SAMLRequest=fZLbTuMwEIbv9yks3%2BfkkNJYTVBFBWJVEEs4SNysvM40NZvYWY%2FThbdfpw2rIiR8Z8%2FMN%2F%2F848XZa9eSHVhURhc0CWNKQEtTK90U9OH%2BIpjTs%2FLbAkXXsp4vB7fVd%2FBnAHRkiQjW%2Bbpzo3HowFZgd0rCw926oFvneh5FoN3bSzwLt8aFTS2DHttQg4sQ5GCVews6oUUDNhobiHegnICUrHwjpYXbq5uYY2rwl%2F1Og5QdQ%2Fncn0P0l1V1A9HaNEqHAvtXSq5WBf05y7I8yTeQiDirsxOZp2wOACw%2BFVDPNtKn4a2XoXZQ0I1oEcYXHOBKoxPaFZTFSRLEp0Eyv2eMpxk%2FicM4zZ8pubVmp2qwN6LzxZfGNC2QapqTXB%2FmpOTx3Ws2eu3d18gP7hZ0sJobgQq59hDkTvJqeb3mPpX31jgjTUvLwzL4Xpc9JnwN%2BO8uLScjm73GUJpu3BPY3iqEqEERVVmwunh6zn88pZezm%2B%2FVp30tomMR5XT9%2BEHKfw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=IbS%2FP1Uad%2BNdHXvM5MfZh2jC2Ws7GzRjt1guphlpBkFKPwFh28a9PkAK0YdCOmX%2FygjcVWA6%2FzOmmueMfLxbebeXHIcjs42sU2fT%2BbPNgeIGU5%2FHyS9JX5WK5wZYeQsZlOS2ls6tK2hRrblCqQCxAwdBx3gPrkb4Io8AfyNk0ws%3D HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: saml-w2k3-32.gdc-psl.net:8888
Connection: Keep-Alive
Authorization: Negotiate ..............................W7BpmhA7D+3NO0dGtuRy4ozAmgGGtAzSxOYs+1JnSup/F4r+y4OEMHgO0unfO/MmNG6WDRhwhyNLdblVpRJC4nH371LbCtsj5zQBnOiVg+FXlFFinJ5jfAQtsN
 

9. IIS authenticates the user and serves Login.aspx, which extracts the user name, stores it in the SAML Bridge cache under a freshly generated artifact, and redirects the user back to the GSA's assertion consumer URL (the redirect URL is configured in the SAML Bridge) with that artifact in the SAMLart parameter. The WWW-Authenticate: Negotiate header on the 302 carries the server's SPNEGO reply token that completes the Kerberos exchange. Note that only the artifact travels through the browser; the user name is released solely on the back channel in step 11.

HTTP/1.1 302 Found
Date: Mon, 18 Jul 2011 22:35:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWisNxK6Z7k22PxxV9JFbVnKKRfEokC3c33og9F5gVua2Oear1z0/ouyzdusFKivyo1Gsc3LgW2YyotuWN4aocf8NnHJK7w+NDCJ56dVROYptOrFq/dEzgOwhfg==
X-AspNet-Version: 2.0.50727
Location: http://foo.com/security-manager/samlassertionconsumer?SAMLart=a02282baa1f5a48529362c310878f1dfb&RelayState=
Set-Cookie: ASP.NET_SessionId=2ujsbg5505vy2n451kf40e45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 244

<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>

GET /security-manager/samlassertionconsumer?SAMLart=a02282baa1f5a48529362c310878f1dfb&RelayState= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: GSA_SESSION_ID=548688897a595eb4eba4aaa7a6044773
Connection: Keep-Alive
Host: foo.com
 

10. The GSA (Security Manager) then POSTs a SAML ArtifactResolve message to the SAML Bridge server (the Resolve URL configured in the GSA) to resolve the artifact it received at its assertion consumer URL in step 9.

POST /saml-bridge/Resolve.aspx HTTP/1.1
User-Agent: SecMgr
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/xml
SOAPAction: http://www.oasis-open.org/committees/security
Host: saml-w2k3-32.gdc-psl.net:8888
Content-Length: 567

<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><saml2p:ArtifactResolve ID="_04510f3d394eabf0b9e057566cdf6c8a" IssueInstant="2011-07-18T22:35:40.642Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://google.com/enterprise/gsa/S5-DFWZ9QW3G6NJS/security-manager</saml2:Issuer><saml2p:Artifact>a02282baa1f5a48529362c310878f1dfb</saml2p:Artifact></saml2p:ArtifactResolve></soap11:Body></soap11:Envelope>
 

11. The SAML Bridge looks up the artifact in its cache and returns an ArtifactResponse containing a SAML assertion for the verified user name (NameID administrator@GDC-PSL), restricted to the GSA Security Manager as audience and valid only within the Conditions window (here NotBefore 22:35:40Z to NotOnOrAfter 22:35:45Z, five seconds). Note that in this capture the assertion carries no XML signature and the Resolve call is made over plain HTTP, so the GSA's trust in the returned user name rests entirely on the back channel between the Security Manager and the SAML Bridge host; that channel needs to be protected accordingly.

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 22:35:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uwaqix45wv1jna55rew1tdnp; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1753

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="a0235bdb5bea74d85a0d0e35585ee885d" Version="2.0" InResponseTo="_04510f3d394eabf0b9e057566cdf6c8a" IssueInstant="2011-07-18T22:35:40Z"><Issuer>saml-bridge</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><samlp:Response ID="_04510f3d394eabf0b9e057566cdf6c8a" Version="2.0" IssueInstant="2011-07-18T22:35:40Z"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion Version="2.0" ID="a09c04230ee3844b18aa531a6b41c3028" IssueInstant="2011-07-18T22:35:40Z"><Issuer>saml-bridge</Issuer><Subject><NameID>administrator@GDC-PSL</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_655919fe1a05d54c9328eee207aed6fc" Recipient="http://foo.com/security-manager/samlassertionconsumer" NotOnOrAfter="2011-07-18T22:35:45Z" /></SubjectConfirmation></Subject><Conditions NotBefore="2011-07-18T22:35:40Z" NotOnOrAfter="2011-07-18T22:35:45Z"><AudienceRestriction><Audience>http://google.com/enterprise/gsa/S5-DFWZ9QW3G6NJS/security-manager</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2011-07-18T22:35:40Z" SessionIndex="a13f3edf4818b429b88b120347a50c83f"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response></samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
 

12. Once the GSA (Security Manager) receives the ArtifactResponse, it extracts the user name from the assertion's NameID. The GSA then uses the user name (primary verified ID) in the background to perform authorization requests in batches (Serving > Access Control). An authorization response (PERMIT/DENY/INDETERMINATE) for each request in the batch is sent from the SAML Bridge server to the GSA. The user is then redirected to the GSA's front end via the GSA's own SamlArtifactConsumer, this time with a GSA-minted artifact and the original search URL carried in RelayState.

HTTP/1.0 302 Moved Temporarily
Date: Mon, 18 Jul 2011 22:35:40 GMT
Server: Apache-Coyote/1.1
Location: http://foo.com/SamlArtifactConsumer?SAMLart=AAQAAGlO4a1EdHMlFDopfr5moKAqMolumNqgcvP2PO46XrRyhkiDCUpVV0A%3D&RelayState=%2Fsearch%3Fq%3Ddefault.aspx%26btnG%3DGoogle%2BSearch%26access%3Da%26client%3Ddefault_frontend%26output%3Dxml_no_dtd%26proxystylesheet%3Ddefault_frontend%26sort%3Ddate%253AD%253AL%253Ad1%26oe%3DUTF-8%26ie%3DUTF-8%26ud%3D1%26exclude_apps%3D1%26site%3Ddefault_collection
Content-Length: 0
Connection: close
Content-Type: text/plain
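
To make the trust decision of steps 10 to 12 concrete, the following Python is an added example (not GSA or SAML Bridge code). It performs the checks a relying party such as the Security Manager must make on the ArtifactResponse of step 11 before accepting the NameID: InResponseTo matches the ArtifactResolve ID from step 10, both status codes are Success, the issuer is the configured SAML Bridge, the bearer confirmation names the GSA's assertion consumer URL and has not lapsed, the Conditions window contains the evaluation time, and the audience is the GSA itself. It also decodes the artifact the GSA mints in step 12, which is a standard SAML 2.0 type 4 artifact, in contrast to the SAML Bridge's opaque hex token. The XML and identifiers are copied from the captures above; the evaluation time is an assumption chosen inside the five-second validity window.

```python
import base64
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Identifiers copied from steps 9-12 of the capture above.
RESOLVE_ID = "_04510f3d394eabf0b9e057566cdf6c8a"  # ID of the GSA's ArtifactResolve (step 10)
BRIDGE_ISSUER = "saml-bridge"
GSA_ENTITY_ID = "http://google.com/enterprise/gsa/S5-DFWZ9QW3G6NJS/security-manager"
ACS_URL = "http://foo.com/security-manager/samlassertionconsumer"
BRIDGE_ARTIFACT = "a02282baa1f5a48529362c310878f1dfb"  # minted by the SAML Bridge (step 9)
GSA_ARTIFACT = "AAQAAGlO4a1EdHMlFDopfr5moKAqMolumNqgcvP2PO46XrRyhkiDCUpVV0A="  # minted by the GSA (step 12)

# The ArtifactResponse returned by the SAML Bridge in step 11, verbatim
# (line breaks added only between tags).
ARTIFACT_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="a0235bdb5bea74d85a0d0e35585ee885d" Version="2.0" InResponseTo="_04510f3d394eabf0b9e057566cdf6c8a" IssueInstant="2011-07-18T22:35:40Z">
<Issuer>saml-bridge</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
<samlp:Response ID="_04510f3d394eabf0b9e057566cdf6c8a" Version="2.0" IssueInstant="2011-07-18T22:35:40Z">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
<Assertion Version="2.0" ID="a09c04230ee3844b18aa531a6b41c3028" IssueInstant="2011-07-18T22:35:40Z"><Issuer>saml-bridge</Issuer>
<Subject><NameID>administrator@GDC-PSL</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_655919fe1a05d54c9328eee207aed6fc" Recipient="http://foo.com/security-manager/samlassertionconsumer" NotOnOrAfter="2011-07-18T22:35:45Z" /></SubjectConfirmation></Subject>
<Conditions NotBefore="2011-07-18T22:35:40Z" NotOnOrAfter="2011-07-18T22:35:45Z"><AudienceRestriction><Audience>http://google.com/enterprise/gsa/S5-DFWZ9QW3G6NJS/security-manager</Audience></AudienceRestriction></Conditions>
<AuthnStatement AuthnInstant="2011-07-18T22:35:40Z" SessionIndex="a13f3edf4818b429b88b120347a50c83f"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthnContextClassRef></AuthnContext></AuthnStatement>
</Assertion></samlp:Response></samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"


def saml_time(value):
    """Parse the UTC timestamps used in the capture, with or without fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised SAML timestamp %r" % value)


def validate_artifact_response(xml_bytes, resolve_id, issuer, audience, recipient, now):
    """Check an ArtifactResponse the way a relying party must before trusting
    its NameID; raises ValueError on the first failed check."""
    root = ET.fromstring(xml_bytes)
    art = root.find("soap:Body/samlp:ArtifactResponse", NS)
    if art is None:
        raise ValueError("no ArtifactResponse in SOAP body")
    if art.get("InResponseTo") != resolve_id:  # ties the answer to our request
        raise ValueError("ArtifactResponse does not answer our ArtifactResolve")
    for code in art.iterfind(".//samlp:Status/samlp:StatusCode", NS):
        if code.get("Value") != SUCCESS:
            raise ValueError("status %s" % code.get("Value"))
    assertion = art.find("samlp:Response/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected assertion issuer")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        raise ValueError("no bearer SubjectConfirmation")
    conf_data = conf.find("saml:SubjectConfirmationData", NS)
    if conf_data is None or conf_data.get("Recipient") != recipient:
        raise ValueError("bearer confirmation not addressed to our ACS URL")
    if now >= saml_time(conf_data.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = saml_time(cond.get("NotBefore"))
    not_on_or_after = saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not intended for this audience")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "name_id": name_id,
        "session_index": authn.get("SessionIndex") if authn is not None else None,
        "valid_until": not_on_or_after,
        # False for the capture above: integrity rests on the back channel only.
        "signed": assertion.find(DSIG_SIGNATURE) is not None,
    }


def parse_type4_artifact(artifact):
    """Decode a SAML 2.0 type 0x0004 artifact (SAML Bindings 3.6.4): 2-byte
    TypeCode, 2-byte EndpointIndex, 20-byte SourceID, 20-byte MessageHandle."""
    try:
        raw = base64.b64decode(artifact, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError; rejects the bridge's hex token
        raise ValueError("not a base64 SAML artifact: %s" % exc)
    if len(raw) != 44:
        raise ValueError("type 4 artifact must be 44 bytes, got %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 4:
        raise ValueError("unexpected artifact type code 0x%04x" % type_code)
    return {"type_code": type_code, "endpoint_index": endpoint_index,
            "source_id": raw[4:24].hex(), "message_handle": raw[24:44].hex()}
```

Run against the capture with an evaluation time of 2011-07-18T22:35:41Z the validator returns administrator@GDC-PSL with signed=False; one second after NotOnOrAfter, or with a different ArtifactResolve ID, audience or recipient, it raises. The GSA's artifact decodes to type code 4, endpoint index 0 and a 20-byte SourceID, while the SAML Bridge's 33-character hex token is not a SAML-format artifact at all, which is why only the bridge itself can resolve it.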
 

13. The Search Box on the SharePoint server follows the redirect chain back to the original search URL carried in RelayState and fetches the results from the GSA front end, presenting the GSA_SESSION_ID cookie set in step 5.

GET /search?q=default.aspx&btnG=Google+Search&access=a&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&sort=date%3AD%3AL%3Ad1&oe=UTF-8&ie=UTF-8&ud=1&exclude_apps=1&site=default_collection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://foo.com/search?site=default_collection&client=default_frontend&output=xml_no_dtd&proxystylesheet=default_frontend&proxycustom=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: GSA_SESSION_ID=548688897a595eb4eba4aaa7a6044773
Connection: Keep-Alive
Host: foo.com
 

14. The Search Box (the SearchResults.aspx page) receives the search results from the GSA, gzip-compressed (Content-Encoding: gzip).

HTTP/1.0 200 OK
Date: Mon, 18 Jul 2011 22:35:41 GMT
Server: saws
Cache-Control: private
Content-Type: text/html
x-content-type-options: nosniff
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 3049
Connection: close
 

15. The SharePoint server returns the rendered results page to the browser, again gzip-compressed; the browser decompresses it and displays the search results.

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
SPRequestGuid: 240836cf-6f98-4e3b-a10c-9a9b9ae9019b
Set-Cookie: WSS_KeepSessionAuthenticated={8f767f34-6e6e-4746-bbb9-f5aec0c4d4e6}; path=/
X-SharePointHealthScore: 4
Set-Cookie: WSS_KeepSessionAuthenticated={8f767f34-6e6e-4746-bbb9-f5aec0c4d4e6}; path=/
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.4762
Date: Mon, 18 Jul 2011 22:36:11 GMT
Content-Length: 22207

Data Flow Diagram

The following UML diagram depicts the complete data flow of a secure search.
