Crawl and Index > Forms Authentication

The search appliance is designed to work with single sign-on (SSO) servers, which are available from a variety of vendors. Examples include eTrust™ SiteMinder from Computer Associates, Cams™ from Cafesoft, and Oracle Identity Management. Use of an SSO server has the advantage of requiring credentials from a user only one time. The SSO server unifies the authentication process by first authenticating the user and then by authorizing the user on the web servers to which that user has access.

The search appliance can serve pages that are protected by forms-based authentication through the use of certificate authorities (CA). For more information, see Serving > Forms Authentication.

About Forms Authentication Rules

A Forms Authentication rule contains the following information. The crawler uses this information to get access to documents that require login.

URL patterns

A URL pattern determines the crawled URLs to which the rule is applied. When the crawler needs to access a URL, it compares that URL to the URL patterns. If the desired URL matches one of the patterns, the crawler applies the rule.

Actions

Actions specify the crawler's behavior for a URL that matches a pattern specified in the rule.

An action consists of a URL and the HTTP method GET or POST. If the HTTP method is POST, the action contains the form fields to submit for authentication.

After the crawler performs these actions, it expects to receive a cookie with which to establish a login session. Once the login session is established, the crawler sends the cookie when it attempts to crawl other URLs that match the login patterns.

Authentication expiration time

A cookie expires after a specified time. After the cookie expires, the crawler must obtain new authentication and establish a new login session.
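The rule model described above (URL patterns, recorded actions, session cookie, expiration time) can be sketched in Python as follows. This is an added example, not the appliance's own code: the prefix-style pattern matching, the class and function names, the example.com URLs, the credentials and the stand-in SSO server are all assumptions constructed for illustration; the 300-second lifetime is the default stated on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Action:
    method: str                       # "GET" or "POST"
    url: str
    form_fields: dict = field(default_factory=dict)   # submitted only with POST

@dataclass
class FormsAuthRule:
    url_patterns: list                # assumption: URL prefixes ending in "/"
    actions: list
    expiration_seconds: int = 300     # default cookie lifetime given on this page

class Crawler:
    def __init__(self, rules, send):
        self.rules, self.send = rules, send   # send(action) -> cookie or None
        self.sessions, self.logins = {}, 0    # rule index -> (cookie, obtained_at)

    def cookie_for(self, url, now):
        idx = next((i for i, r in enumerate(self.rules)
                    if any(url.startswith(p) for p in r.url_patterns)), None)
        if idx is None:
            return None                       # no rule matches: no login session
        rule, cached = self.rules[idx], self.sessions.get(idx)
        if cached and now - cached[1] < rule.expiration_seconds:
            return cached[0]                  # session still valid: reuse cookie
        cookie = None
        for action in rule.actions:           # replay recorded actions in order
            cookie = self.send(action) or cookie
        if cookie is None:
            raise RuntimeError("login actions returned no session cookie")
        self.logins += 1
        self.sessions[idx] = (cookie, now)
        return cookie

def demo():
    issued = []                               # constructed stand-in SSO server state
    def fake_sso(action):                     # issues a cookie only for a valid POST
        if action.method != "POST" or action.form_fields.get("password") != "example-password":
            return None
        issued.append(action.url)
        return f"SSOSESSION=token{len(issued)}"
    login, site = "http://sso.example.com/login", "http://intranet.example.com/"
    rule = FormsAuthRule([site + "secure/"], [Action("GET", login),
        Action("POST", login, {"username": "crawler", "password": "example-password"})])
    c = Crawler([rule], fake_sso)
    cookies = [c.cookie_for(site + "secure/a.html", 0), c.cookie_for(site + "secure/b.html", 299),
               c.cookie_for(site + "secure/a.html", 300), c.cookie_for(site + "public/x.html", 301)]
    return cookies, c.logins
```

demo() returns the cookie used for each of four requests and the number of logins: the second request reuses the first cookie, the third falls on the expiration boundary and triggers a new login, and the URL outside the pattern gets no cookie.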

Creating a Forms Authentication Rule

You do not explicitly specify a forms authentication rule. Instead, you use a forms authentication login wizard to log in and the appliance captures the information that it needs to create the rule.

When you create a forms authentication rule, you provide an example of the protected content, and then log in, using the username and password credentials that you want the crawler to use. When you submit the login form, the appliance captures the rule.

Editing a Forms Authentication Rule

After a rule is set up, you can edit it as follows:

  • You can add URL patterns.
  • For each URL pattern, you can select the Make Public option. This option causes URLs that match the URL pattern to be included in public results.
  • You can change the username or password.
  • You can change the expiration time for the cookie. The default value is 300 seconds (5 minutes).

If you enter an additional Authorization HTTP Header on Crawl and Index > HTTP Headers, the web server may not grant the Single SignOn cookie when the cookie rule is executed.

Note: To set the length of time that a user's authorization for secure URLs should be kept in the search appliance authorization cache, go to Serving > Access Control.

Create/Edit Forms Authentication Rule

To set up a rule for crawling pages behind a Forms Authentication login page:

  1. Click Crawl and Index and then click Forms Authentication.
  2. Enter a sample content URL. Choose a URL that redirects an unauthorized user to the login form. The login page must not include JavaScript or use frames.
  3. Enter a URL pattern that your secure documents will match. The documents that match this pattern should all be protected by the login page that protects the sample URL that you specified in the previous step. Make sure the pattern includes a final slash.
  4. Click the Create a New Forms Authentication Rule button. A new browser window opens, displaying your login page in the lower half.
  5. Type the correct username and password to log in to your site.

    Note: If you mistype the username or password, extra actions may be recorded and displayed on the forms login page. To avoid that, close the Forms Authentication Wizard window and restart the process on the Forms Authentication page.

  6. Make sure that the page you expect to see appears.
  7. Click the Save Forms Authentication Rule and Close Window button. You are returned to the Forms Authentication page where your new rule is listed with its pattern, action, and form fields.
  8. Click the Save Forms Authentication Rule Configuration button.

To edit existing Forms Authentication rules:

  1. Change the username and/or password, if necessary.
  2. Change the time to wait for authentication by entering a new number of seconds or minutes, if you wish.
  3. Click the Save Forms Authentication Rule Configuration button.

To delete the Forms Authentication rule:

  1. Select the Delete Rule checkbox to the right of the rule.
  2. Click the Save Forms Authentication Rule Configuration button.

Setup Log

After you have set up an authentication rule, you will see log files for the HTTP and HTTPS output of the Forms Authentication setup. The logs show the headers that pass between the appliance and your SSO server. You can use the logs to help troubleshoot any problems.

Crawler Log

If SSO problems occur, you can create a log of SSO-related crawling traffic to use in troubleshooting. Log entries are generated when a user enters a query whose results are protected.

The log is written to the Admin Console until there is 1 megabyte of data. When the log reaches that size, the existing data is cleared and the log is restarted. To retain the log data, select and copy it, then paste it into a text editor.

To create a log of headers generated by forms authentication for the crawler:

  • Scroll to the bottom of the Serving > Forms Authentication page and click the Start Logging button.

When logging is enabled, crawler performance slows and a warning message appears on each Admin Console page.

 


 
© Google Inc. 2007