Configuring Late Binding for the Connector for Databases


Setting up late binding authorization in Connector for Databases in the GSA.


GSA version 7.4.* or later
Connector for Databases Version 4.1.0 

Connector Setup

Set up Connector for Databases according the documentation, and set up “Access-Controlled serving in secure mode” according page 25, and Enable Connector Security.

The configuration options, that are relevant to the subject in the files:

db.everyDocIdSql        = SELECT id FROM example ORDER BY id;
db.singleDocContentSql  = SELECT * FROM example WHERE id = ?;
db.uniqueKey            = id:int
db.aclSql               = SELECT GSA_PERMIT_USERS, GSA_DENY_USERS FROM acl WHERE example_id = ?;
db.aclSqlParameters     = id
...           = true
server.keyAlias         = adaptor

Please note that "" will switch the connector to use https protocol.

Please note this example configuration is used with mysql, change it according your environment.

Run your connector

java -cp mysql-connector-java-5.1.38-bin.jar:adaptor-database-4.1.0-withlib.jar

GSA Setup

Go to the Search Appliance Admin Console "Search > Secure Search > Flexible Authorization".

Above the “Add another rule” button, select SAML from the drop down list and click the “Add another rule button”.



Enter the Flexible Authorization Rule:

  • URL Pattern: the URL pattern to which this rule should apply to.
  • Authentication ID: the Credential Group the rule should apply to.
  • Timeout: desired timeout for the rule.
  • Authorization service ID:
  • Authorization service URL:

Authorization service ID depends on the "server.samlEntityId=" setting in the, which is "" by default if unset.

The Authorization service URL depends on the "server.port=" and "server.hostname="  setting in the



Move the SAML rule above HEADREQUEST:



Select the “Enable late binding for Policy and Per-Url-Acl” option under Authorization Parameters:


Security Manager Success log

Once successfully set up and tested you can verify the configuration by checking the below message in the Security Manager log:



Security Manager log can download at the Search Appliance Admin Console at "Search > Secure Search > Universal Login > Download Security Manager logs".


GSA Connectors V4 Developer Guide version 4.1.0 :
Page 14: Late-binding authorization
Page 29: Authorization by connector



Was this helpful?
How can we improve it?