Serving > Access Control
This page contains parameters that relate to these access control options:
- Authentication (AuthN) identifies users to the appliance.
- The Authentication/Authorization Service Provider Interface (SPI) lets you develop an identity provider for handling authentication requests and a policy decision point for handling authorization, so that the appliance can securely show search results with a single web sign-on. For more information on the security SPI, go to code.google.com.
- Authorization (AuthZ) gives users access to documents according to the users' credentials. The authorization parameters are used whether or not you use an SPI.
Authentication SPI
Complete this section if you used the Authentication SPI to create an Identity Provider between your authentication server and the appliance.
| Parameter | Description | Default Value |
|---|---|---|
| User Login URL | This is a URL for the login service of the identity provider. The appliance will redirect unauthenticated search users to this login URL. You can use nearly any authentication mechanism, such as an HTML form, a client certificate authentication of your own, an NTLM pass-through authentication, or whatever is required by your organization. | None |
| Artifact Service URL | This is a URL for the artifact resolution service of the identity provider. After a user has logged in and been authenticated, the artifact service provides a mapping between an artifact and the logged in user's identity. The relationship between the appliance and the identity provider, and the use of artifacts in authentication, is described more fully in the SPI guide on code.google.com. | None |
| Session cookie timeout | This value specifies the duration of the user's session cookie, in minutes. When the cookie times out, the search user must authenticate again. This value has a relationship with another timeout value that is sometimes supplied by an identity provider. A timeout value can be specified by the NotOnOrAfter attribute in the XML message that authenticates the search user. The value that you specify here is used if that attribute value is missing or if this value would cause the timeout to occur sooner. The value must be a positive integer. | 480 |
| Disable prompt for Basic authentication or NTLM authentication | This option suppresses a username/password prompt that appears by default if the index contains secure content. You can disable the prompt if you are using authorization by client certification authority (CA) or the authorization (AuthZ) SPI. | Not checked |
If you complete this section, you must also complete the Authorization SPI section.
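The following is an added example, not appliance code, that works through the session cookie timeout rule stated above: the configured value (in minutes) decides the expiry when the identity provider's XML message carries no NotOnOrAfter attribute, or when the configured value would expire sooner than that attribute. The shape of the XML message, the constructed sample values and the handling of a trailing "Z" as UTC are assumptions made for this illustration.

```python
# Added example (not appliance code): compute when a search user's session
# cookie expires under the rule described for "Session cookie timeout":
# the configured value (minutes) applies when the identity provider's XML
# message carries no NotOnOrAfter attribute, or when the configured value
# would expire sooner than that attribute. The XML shape and the "Z" suffix
# handling are assumptions made for this illustration.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample message; only the NotOnOrAfter attribute matters here.
SAMPLE_MESSAGE = """<Response xmlns="urn:example:constructed">
  <Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z"/>
</Response>"""


def parse_not_on_or_after(xml_text):
    """Return the first NotOnOrAfter attribute as an aware datetime, or None."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        value = elem.get("NotOnOrAfter")
        if value:
            if value.endswith("Z"):            # treat a trailing Z as UTC
                value = value[:-1] + "+00:00"
            return datetime.fromisoformat(value)
    return None


def effective_session_expiry(login_time, timeout_minutes, not_on_or_after=None):
    """Earliest of the configured timeout and the provider-supplied bound."""
    if not isinstance(timeout_minutes, int) or timeout_minutes <= 0:
        raise ValueError("Session cookie timeout must be a positive integer")
    configured = login_time + timedelta(minutes=timeout_minutes)
    if not_on_or_after is None:
        return configured
    return min(configured, not_on_or_after)


def demo():
    """Run the three cases of the rule and return the expiries as ISO strings."""
    login = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    bound = parse_not_on_or_after(SAMPLE_MESSAGE)
    return {
        "default_480_with_bound": effective_session_expiry(login, 480, bound).isoformat(),
        "short_60_with_bound": effective_session_expiry(login, 60, bound).isoformat(),
        "default_480_no_bound": effective_session_expiry(login, 480, None).isoformat(),
    }


if __name__ == "__main__":
    for case, expiry in demo().items():
        print(case, expiry)
```

With the default of 480 minutes the provider's 11:00 bound wins; with a shorter configured value of 60 minutes the configured value wins; without the attribute only the configured value applies.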
Authorization SPI
Complete this section if you have implemented an authorization service using the authorization (AuthZ) SPI.
- Enter the URL of the service so that the system can access the service when authorization is needed. When finished, click the Save Settings button.
- Before using the Authorization SPI, you must configure the appliance to crawl secure content. You can crawl secure content through one of the following mechanisms:
  - For content that requires HTTP Basic Authentication or NTLM HTTP credentials, set up the crawl under Crawler Access.
  - For content that requires a Forms Authentication rule to authenticate via a single sign-on (SSO) server, set up the crawl under Forms Authentication.
  - For content that requires a certificate authority (CA) for authentication, check the SSL Settings screen to make sure that Server Certificate Authentication is enabled and that the search appliance is configured with a valid SSL certificate. For more information on certificate authorities, refer to SSL Settings.
Authorization Parameters
For each user who performs a search query that involves secure content, the appliance first determines the relevant URLs and then determines whether the user has access to the content. The appliance makes an authorization request to the appropriate web servers and then stores the authorization data. The appliance uses the cached authorization information for subsequent searches, making those searches faster.
The following table explains the parameters that control the authorization request and the cache that controls the returned information. The default values are suitable for most environments. It is strongly recommended that you avoid tuning these parameters unless a Google Support engineer instructs you to do so. If you need to improve search response time for the end user, it is a good idea to first consider improvements to web servers.
These parameters are standard to the appliance and apply whether or not you are using the authorization SPI.
| Parameter | Description | Default Value |
|---|---|---|
| Timeout for batch of authorization requests | The appliance processes authorization requests in batches. This parameter specifies, in seconds, how long the appliance waits to fully process authorization for a batch of requests. When a batch of requests times out, the appliance uses the results that it received and processes another batch of URLs, if it has sufficient time before it displays results to the user. You can use this value to limit the time that the appliance waits for responses from a slow or unresponsive server. Because a batch can contain URLs on different servers, the appliance separately sends the requests from the same batch to the servers. Those individual requests are governed by a different timeout value, which follows. This value must be a positive number that is less than or equal to 25. The value for this batch timeout should be larger than the value for individual requests, to ensure that individual requests in the batch have sufficient round-trip time. | 5 |
| Timeout for individual authorization request | This parameter specifies, in seconds, how long the appliance waits for the response to a single authorization request to a web server. If you tune this parameter, consider that if you shorten the timeout value, slow servers may be unable to respond to authorization requests in time. User results could be incomplete and skewed toward content on the fast servers. In contrast, if you lengthen the timeout value, slow web servers can provide additional results but users will experience longer response times. The value must be a number that is greater than zero (0), but equal to or smaller than 5. If you increase this value, you might need to also increase the batch timeout. | 2.5 |
| Maximum number of concurrent authorization requests per server | This value, also called hostload, specifies how many concurrent requests the appliance can send to a single server. This parameter helps prevent overloading of servers. | 10 |
| Duration of authorization cache entry | This parameter specifies how long the appliance maintains an authorization entry, in seconds. This value should be sufficiently large to encompass a user's typical search session. The value can be any positive integer. A value of zero (0) disables the cache and negatively affects performance. | 3600 |
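The following is an added example, not appliance code, that encodes the value constraints the table states for the four authorization parameters and models the authorization cache: decisions are kept for the configured number of seconds, and a duration of 0 disables caching so every search asks the web server again. The parameter names, the (user, url) cache key and the constructed sample URL are assumptions for this illustration.

```python
# Added example (not appliance code): the value constraints the table states
# for the four authorization parameters, and a small cache of authorization
# decisions that expires entries after "Duration of authorization cache
# entry" seconds and is disabled entirely when that value is 0. Parameter
# names and the (user, url) cache key are assumptions for this illustration.
import time

DEFAULTS = {
    "batch_timeout": 5,       # seconds; must be > 0 and <= 25
    "request_timeout": 2.5,   # seconds; must be > 0 and <= 5
    "hostload": 10,           # concurrent requests per server; positive integer
    "cache_seconds": 3600,    # authorization cache entry lifetime; 0 disables
}


def validate_authz_params(params):
    """Return the list of constraint violations (empty when all are satisfied)."""
    errors = []
    batch, single = params["batch_timeout"], params["request_timeout"]
    if not 0 < batch <= 25:
        errors.append("batch timeout must be greater than 0 and at most 25 seconds")
    if not 0 < single <= 5:
        errors.append("individual request timeout must be greater than 0 and at most 5 seconds")
    if batch <= single:
        errors.append("batch timeout should be larger than the individual request timeout")
    if not isinstance(params["hostload"], int) or params["hostload"] <= 0:
        errors.append("hostload must be a positive integer")
    if not isinstance(params["cache_seconds"], int) or params["cache_seconds"] < 0:
        errors.append("cache duration must be a positive integer, or 0 to disable")
    return errors


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class AuthzCache:
    """Per-(user, url) authorization decisions, kept for cache_seconds."""
    def __init__(self, cache_seconds, clock=time.monotonic):
        self.ttl = cache_seconds
        self.clock = clock
        self._entries = {}

    def get(self, user, url):
        """Return the cached decision, or None on a miss or an expired entry."""
        if self.ttl == 0:
            return None
        entry = self._entries.get((user, url))
        if entry is None:
            return None
        allowed, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[(user, url)]
            return None
        return allowed

    def put(self, user, url, allowed):
        if self.ttl == 0:          # 0 disables caching: every search re-asks the server
            return
        self._entries[(user, url)] = (allowed, self.clock() + self.ttl)

    def clear(self):
        """What the Clear Caches button does for the authorization cache."""
        self._entries.clear()


def demo_cache(cache_seconds=3600):
    """Hit, hit just before expiry, miss at expiry; returns the three lookups."""
    clock = ManualClock()
    cache = AuthzCache(cache_seconds, clock)
    url = "http://intranet.example/doc"        # constructed sample URL
    cache.put("alice", url, True)
    first = cache.get("alice", url)
    clock.now = cache_seconds - 1
    second = cache.get("alice", url)
    clock.now = cache_seconds
    third = cache.get("alice", url)
    return first, second, third
```

Running validate_authz_params against the defaults yields no violations; a batch timeout of 2 seconds with an individual timeout of 3 seconds reports the ordering violation the table warns about, and demo_cache(0) shows that a zero duration never returns a cached decision.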
The following table explains the parameters that control the way that the appliance handles unresponsive servers. A server can be unreachable because it is down or because it is overloaded and refusing new connections.
| Parameter | Description | Default Value |
|---|---|---|
| Timeouts permitted before host is considered unreachable | This parameter specifies the number of times the appliance attempts to contact an unresponsive server before adding it to the cache of unreachable hosts. Fluctuations in server traffic might cause a certain normal number of timeouts without indicating system failure. The value should allow for multiple failed attempts to contact a server. The value can be any positive integer. | 100 |
| Timeout measurement period | This parameter specifies, in seconds, the timeframe during which the Timeouts permitted parameter is applied. For example, the default values permit 100 timeouts during a 300 second (five minute) measurement period. The value should be large enough to accommodate short-lived server unavailability. The value can be any number of seconds. | 300 |
| Duration of host cache entry | This parameter specifies, in seconds, the length of time that each item is maintained in the cache. The value can be any number of seconds. | 600 |
| Enable cache of unreachable hosts | Select this option to enable the appliance to maintain information about servers that do not respond to authorization requests. This information ensures that the appliance avoids making repeated failed requests to the same server. | Not enabled |
You can click the Clear Caches button to immediately remove the authorization and unreachable host information. Use this button periodically to keep the authorization cache fresh.
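The following is an added example, not appliance code, that models the unreachable-host handling described in the table above: timed-out authorization requests are counted per server over a sliding measurement period, a server whose count exceeds the permitted number is cached as unreachable for the host cache duration, and clear() stands in for the Clear Caches button. Treating "Timeouts permitted" as an allowed count (the next timeout within the period trips the cache), resetting the host's timeout window when it is marked, and the constructed host name are assumptions for this illustration.

```python
# Added example (not appliance code): sliding-window tracking of timed-out
# authorization requests per server, following the table's parameters. A host
# is placed in the unreachable-host cache once more than "Timeouts permitted"
# timeouts fall inside one "Timeout measurement period", and it stays there
# for "Duration of host cache entry" seconds. Treating the permitted number as
# an allowed count (the next timeout trips the cache) is an assumption; so is
# the reset of the timeout window when a host is marked. clear() models the
# Clear Caches button.
import time
from collections import defaultdict, deque


class ManualClock:
    """Settable clock so time-based behaviour can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class UnreachableHostTracker:
    def __init__(self, enabled=False, timeouts_permitted=100,
                 measurement_period=300, host_cache_seconds=600,
                 clock=time.monotonic):
        self.enabled = enabled                # table default: not enabled
        self.permitted = timeouts_permitted
        self.period = measurement_period
        self.ttl = host_cache_seconds
        self.clock = clock
        self._timeouts = defaultdict(deque)   # host -> times of recent timeouts
        self._unreachable = {}                # host -> time the cache entry expires

    def record_timeout(self, host):
        """Note one timed-out request; return True if the host was just marked unreachable."""
        if not self.enabled:
            return False
        now = self.clock()
        window = self._timeouts[host]
        window.append(now)
        while window and now - window[0] >= self.period:   # drop timeouts outside the period
            window.popleft()
        if len(window) > self.permitted:
            self._unreachable[host] = now + self.ttl
            window.clear()
            return True
        return False

    def is_unreachable(self, host):
        """True while the host's cache entry has not yet expired."""
        expires_at = self._unreachable.get(host)
        if expires_at is None:
            return False
        if self.clock() >= expires_at:
            del self._unreachable[host]
            return False
        return True

    def should_send(self, host):
        """Skip authorization requests to hosts currently cached as unreachable."""
        return not self.is_unreachable(host)

    def clear(self):
        """What the Clear Caches button does for the unreachable-host information."""
        self._timeouts.clear()
        self._unreachable.clear()


def demo(permitted=3, period=300, ttl=600):
    """Trip the cache, watch the entry expire, and show old timeouts ageing out."""
    clock = ManualClock()
    tracker = UnreachableHostTracker(True, permitted, period, ttl, clock)
    host = "files.example"                                   # constructed host name
    early = [tracker.record_timeout(host) for _ in range(permitted)]   # within the limit
    clock.now = 10.0
    tripped = tracker.record_timeout(host)                   # one more trips the cache
    blocked = tracker.is_unreachable(host)
    clock.now = 10.0 + ttl
    expired = tracker.is_unreachable(host)                   # entry has aged out
    for _ in range(permitted):
        tracker.record_timeout(host)
    clock.now = 10.0 + ttl + period + 1                      # those fall out of the window
    aged_out = tracker.record_timeout(host)
    return any(early), tripped, blocked, expired, aged_out
```

The demo uses a permitted count of 3 so the sequence is short: the first three timeouts never trip the cache, the fourth does, the entry disappears after the host cache duration, and timeouts older than the measurement period no longer count toward the limit. With the tracker left at its default (not enabled), record_timeout never marks anything and should_send always answers True.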
Related Information
For more information, see Administration > LDAP Setup and Crawl and Index > Crawler Access.