Configuring Late Binding for the Connector for Databases

Purpose

Setting up late binding authorization in Connector for Databases in the GSA.

Prerequisites

GSA version 7.4.* or later
Connector for Databases version 4.1.0

Connector Setup

Set up the Connector for Databases according to the documentation, set up “Access-Controlled serving in secure mode” according to page 25, and enable Connector Security.

The configuration options in adaptor-config.properties that are relevant to late binding are:

db.everyDocIdSql        = SELECT id FROM example ORDER BY id;
db.singleDocContentSql  = SELECT * FROM example WHERE id = ?;
db.uniqueKey            = id:int
...
db.aclSql               = SELECT GSA_PERMIT_USERS, GSA_DENY_USERS FROM acl WHERE example_id = ?;
db.aclSqlParameters     = id
db.aclPrincipalDelimiter=,
...
server.secure           = true
...
server.keyAlias         = adaptor

Please note that "server.secure=true" switches the connector to serve over the HTTPS protocol.

Please note that this example configuration is for MySQL; change it according to your environment.
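The following is an added example, not code from the GSA documentation or from the Connector for Databases itself. It simulates the late-binding check the connector performs when the GSA asks, at serve time, whether a user may see a given document: bind the document key named in db.aclSqlParameters to the placeholder in db.aclSql, run the query, split the GSA_PERMIT_USERS and GSA_DENY_USERS columns on db.aclPrincipalDelimiter, and decide. An in-memory SQLite database stands in for the MySQL instance of the article, the tables and rows are constructed sample data, and the decision rules (a deny entry overrides a permit entry, an unlisted user is denied, a document with no ACL row gives no decision) are assumptions about the connector's behaviour, not taken from the page.

```python
"""Added example: simulates the late-binding ACL lookup of the Connector for
Databases. Not the connector's own code; SQLite stands in for MySQL."""
import sqlite3

# Settings copied from the adaptor-config.properties fragment in the article.
CONFIG = {
    "db.aclSql": "SELECT GSA_PERMIT_USERS, GSA_DENY_USERS FROM acl WHERE example_id = ?",
    "db.aclSqlParameters": "id",
    "db.aclPrincipalDelimiter": ",",
}


def build_sample_db():
    """Constructed sample schema and rows; real tables are whatever your environment uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE example (id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE acl (example_id INTEGER, GSA_PERMIT_USERS TEXT, GSA_DENY_USERS TEXT);
        INSERT INTO example VALUES (3, 'quarterly report'), (4, 'public notice'), (5, 'no acl row');
        INSERT INTO acl VALUES (3, 'alice,bob', 'bob');
        INSERT INTO acl VALUES (4, 'alice', '');
    """)
    return conn


def split_principals(value, delimiter):
    """Split a GSA_PERMIT_USERS / GSA_DENY_USERS cell on db.aclPrincipalDelimiter."""
    if not value:
        return set()
    return {p.strip() for p in value.split(delimiter) if p.strip()}


def authorize(conn, user, doc_id, config=CONFIG):
    """Return 'PERMIT', 'DENY' or 'INDETERMINATE' for user on doc_id.

    Assumed rules (not stated on the page): a deny entry overrides a permit
    entry, an unlisted user is denied, and a document with no ACL row yields
    INDETERMINATE so that the GSA falls through to the next authorization rule.
    """
    # Bind db.aclSqlParameters, in order, onto the '?' placeholders of db.aclSql.
    params = [p.strip() for p in config["db.aclSqlParameters"].split(",")]
    key = {"id": doc_id}  # the unique key column from db.uniqueKey
    row = conn.execute(config["db.aclSql"], [key[p] for p in params]).fetchone()
    if row is None:
        return "INDETERMINATE"
    delim = config["db.aclPrincipalDelimiter"]
    permit = split_principals(row[0], delim)
    deny = split_principals(row[1], delim)
    if user in deny:
        return "DENY"
    if user in permit:
        return "PERMIT"
    return "DENY"


if __name__ == "__main__":
    db = build_sample_db()
    for who, doc in [("alice", 3), ("bob", 3), ("carol", 3), ("alice", 5)]:
        print(f"user={who} doc={doc} -> {authorize(db, who, doc)}")
```

The query is executed with a bound parameter exactly as the `?` placeholder in db.aclSql implies; the document key is never interpolated into the SQL string, which is the behaviour to preserve when you adapt db.aclSql to your own schema.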

Run your connector

java -Djava.util.logging.config.file=logging.properties -Djavax.net.ssl.keyStore=keys.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -cp mysql-connector-java-5.1.38-bin.jar:adaptor-database-4.1.0-withlib.jar com.google.enterprise.adaptor.database.DatabaseAdaptor

GSA Setup

Go to the Search Appliance Admin Console "Search > Secure Search > Flexible Authorization".

Above the “Add another rule” button, select SAML from the drop-down list and click the “Add another rule” button.

Enter the Flexible Authorization Rule:

  • URL Pattern: the URL pattern to which this rule should apply.
  • Authentication ID: the Credential Group the rule should apply to.
  • Timeout: desired timeout for the rule.
  • Authorization service ID: http://google.com/enterprise/gsa/adaptor
  • Authorization service URL: https://connector.example.com:5678/saml-authz

The Authorization service ID depends on the "server.samlEntityId=" setting in adaptor-config.properties, which defaults to "http://google.com/enterprise/gsa/adaptor" when unset.

The Authorization service URL depends on the "server.port=" and "server.hostname=" settings in adaptor-config.properties.

Move the SAML rule above HEADREQUEST:

Select the “Enable late binding for Policy and Per-Url-Acl” option under Authorization Parameters:

Security Manager Success log

Once the setup is complete and tested, you can verify the configuration by checking for the following message in the Security Manager log:

Access PERMITTED by SAML: https://connector.example.com:5678/doc/3 

The Security Manager log can be downloaded from the Search Appliance Admin Console at "Search > Secure Search > Universal Login > Download Security Manager logs".

References

GSA Connectors V4 Developer Guide version 4.1.0:
Page 14: Late-binding authorization
Page 29: Authorization by connector
