Deployment Scenario Handbook

Silent Authentication—Integrating with NTLM and the SAML Bridge

Scenario overview


Acme Inc. uses NTLM with Integrated Windows Authentication (IWA) with an Active Directory back end. In the use case for this scenario, they would prefer their users have a seamless, silent authentication experience with search after logging into the Windows domain and using Internet Explorer for browsing.

Requirements


  • Index and securely serve NTLM-protected content.
  • Provide a general search box, which would return a results page with most relevant links across all indexed content.
  • Present search results for secure content only to users authorized to see the content.
  • Provide seamless silent authentication with search after a user initially logs into the Windows Domain.

Assumptions


  • The IIS Server hosting the content accepts HEAD requests.
  • All crawled content is under the same Windows Domain that users log into.

Key considerations


  • Confirm the assumption that all content sources use the same Windows domain that users log into.
  • Make sure all servers in the deployment architecture are time synched to the same time server.
  • Make sure there is a certificate available in IIS that can be used to sign SAML Post binding requests.
  • To enable communication with the SAML Bridge over HTTPS, configure the GSA with the root certificate of the SAML Bridge.

Recommended approach


Google’s recommended approach for implementing silent authentication by integrating with NTLM and the SAML Bridge covers the following areas:

Authentication

Acme Inc. will use the SAML Bridge to authenticate users with Active Directory, taking advantage of the silent authentication benefit provided by IWA. For this to work, the domain controller that is running Active Directory must meet the following requirements:

  • Windows 2003 Kerberos Extension must be available as Kerberos is used for authentication between the SAML Bridge and the content server.
  • The domain functional level must be set to Windows Server 2003.
  • Active Directory must be configured to permit the SAML Bridge to use delegated credentials from the user to access content on the content server.

To configure the SAML Bridge for use by the GSA in performing authentication, use the Search > Secure Search > Universal Login Auth Mechanisms page in the Admin Console.

Authorization

Since authorization with NTLM is required, the SAML Bridge will also be used for authorization. In this case, the SAML Bridge must be configured as the Authorization Provider on the Search > Secure Search > Access Control page in the Admin Console. The GSA will then delegate authorization checks for individual documents to the SAML Bridge. The SAML Bridge will respond with PERMIT or DENY, accordingly.

Process flow for authentication and authorization with the SAML Bridge

  1. A user creates a search query for secure content.
  2. The GSA’s Authentication SPI is used to delegate to the SAML Bridge for Authentication. NTLM, which is configured on the user’s browser, is used to authenticate the user.
  3. After authenticating the user, the GSA determines the most relevant results for the user. If these results contain secure documents, the GSA uses the Authorization SPI to delegate the authorization checks to the SAML Bridge for these documents.
  4. The SAML Bridge obtains a Kerberos ticket on the user’s behalf and impersonates the user to the content server.
  5. The SAML Bridge sends a PERMIT or DENY message back to the GSA and the GSA displays the results that a user is permitted to see on a search results page.

Alternative approach


Switch to Kerberos as the authentication mechanism for content servers. Upon switching to Kerberos, there is the possibility that deploying the SAML Bridge can be bypassed in configuring silent authentication.

Project task overview


The following table lists the project tasks and activities for implementing silent authentication, integrating with NTLM and the SAML Bridge.

Task Activities
Plan deployment architecture
  • Deploy SAML Bridge on domain controller and make necessary configuration adjustments
  • Configure certificates for POST Binding and communication over HTTPS
Configure SAML Bridge on the GSA
  • Configure Authorization SPI to use SAML Bridge

Long term enhancement


Perform an architecture review as new content sources are brought on to see if existing architecture needs to be modified for onboarding new content.

Was this helpful?
How can we improve it?