
Configuring Late Binding for the Connector for Databases

Purpose

Setting up late binding authorization in Connector for Databases in the GSA.

Prerequisites

GSA version 7.4.* or later
Connector for Databases Version 4.1.0 

Connector Setup

Set up the Connector for Databases according to the documentation, set up “Access-Controlled serving in secure mode” according to page 25, and enable Connector Security.

The configuration options relevant to this topic in the adaptor-config.properties file:

db.everyDocIdSql        = SELECT id FROM example ORDER BY id;
db.singleDocContentSql  = SELECT * FROM example WHERE id = ?;
db.uniqueKey            = id:int
...
db.aclSql               = SELECT GSA_PERMIT_USERS, GSA_DENY_USERS FROM acl WHERE example_id = ?;
db.aclSqlParameters     = id
db.aclPrincipalDelimiter=,
...
server.secure           = true
...
server.keyAlias         = adaptor

Note that "server.secure=true" switches the connector to the https protocol.

Note that this example configuration is used with MySQL; change it according to your environment.

Run your connector

java -Djava.util.logging.config.file=logging.properties -Djavax.net.ssl.keyStore=keys.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -cp mysql-connector-java-5.1.38-bin.jar:adaptor-database-4.1.0-withlib.jar com.google.enterprise.adaptor.database.DatabaseAdaptor

GSA Setup

Go to the Search Appliance Admin Console "Search > Secure Search > Flexible Authorization".

Above the “Add another rule” button, select SAML from the drop-down list and click the “Add another rule” button.

Enter the Flexible Authorization Rule:

  • URL Pattern: the URL pattern to which this rule should apply.
  • Authentication ID: the Credential Group the rule should apply to.
  • Timeout: desired timeout for the rule.
  • Authorization service ID: http://google.com/enterprise/gsa/adaptor
  • Authorization service URL: https://connector.example.com:5678/saml-authz

Authorization service ID depends on the "server.samlEntityId=" setting in the adaptor-config.properties, which is "http://google.com/enterprise/gsa/adaptor" by default if unset.

The Authorization service URL depends on the "server.port=" and "server.hostname=" settings in the adaptor-config.properties.
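
The two rule fields above can be derived from adaptor-config.properties before they are typed into the Admin Console. The following Python check is an added example, not part of the original article or the connector; the sample file contents, the explicit server.hostname and server.port lines, and the function names are constructed for illustration.

```python
# Added example: pre-flight check of adaptor-config.properties (not Google's code).
# SAMPLE is constructed; hostname and port are taken from the page's example URL.
SAMPLE = """\
db.aclSql               = SELECT GSA_PERMIT_USERS, GSA_DENY_USERS FROM acl WHERE example_id = ?;
db.aclSqlParameters     = id
...
server.secure           = true
server.hostname         = connector.example.com
server.port             = 5678
server.keyAlias         = adaptor
"""

# Default entity ID when server.samlEntityId is unset, as stated on the page.
DEFAULT_ENTITY_ID = "http://google.com/enterprise/gsa/adaptor"


def parse_properties(text):
    """Parse simple 'key = value' lines; skip blanks, comments and '...' elisions."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: SQL values contain '='
        props[key.strip()] = value.strip()
    return props


def flexible_authz_values(props):
    """Return (service_id, service_url, problems) for the GSA SAML rule."""
    problems = []
    if props.get("server.secure", "").lower() != "true":
        problems.append("server.secure is not true; the connector will not use https")
    if not props.get("db.aclSql"):
        problems.append("db.aclSql is not set; the page lists it for this setup")
    host, port = props.get("server.hostname"), props.get("server.port")
    if host and port:
        url = f"https://{host}:{port}/saml-authz"
    else:
        url = None  # cannot be derived from the file alone
        problems.append("server.hostname and server.port are not both set")
    service_id = props.get("server.samlEntityId") or DEFAULT_ENTITY_ID
    return service_id, url, problems


if __name__ == "__main__":
    sid, url, problems = flexible_authz_values(parse_properties(SAMPLE))
    print("Authorization service ID: ", sid)
    print("Authorization service URL:", url)
    for p in problems:
        print("WARNING:", p)
```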

 

 

Move the SAML rule above HEADREQUEST:

 

 

Select the “Enable late binding for Policy and Per-Url-Acl” option under Authorization Parameters:

 

Security Manager Success log


Once the setup is complete and tested, you can verify the configuration by checking for the following message in the Security Manager log:


Access PERMITTED by SAML: https://connector.example.com:5678/doc/3 

 

The Security Manager log can be downloaded from the Search Appliance Admin Console at "Search > Secure Search > Universal Login > Download Security Manager logs".

References


GSA Connectors V4 Developer Guide version 4.1.0:
Page 14: Late-binding authorization
Page 29: Authorization by connector


 

 
