Integrating a Notes Connector database with Google Enterprise Search (continued)
Template profiles can also contain form and sub-form profiles. These list the fields to send to the GSA and also determine how to build document titles and summary meta values for the GSA.
A number of template profiles are provided for the more common Notes databases such as document libraries, discussion databases, and teamrooms. These can be used as is or modified as required. You can also create your own profiles as needed for any custom applications. Figure C shows how all of this fits together in my code.
FIGURE C
 
This is a model of how the whole process fits together.
Document stub retention
The system keeps a stub of every Notes document that is passed to the GSA. You can see the document stub list in Figure D.
FIGURE D
 
This connector's submitted view shows a list of document stubs.
These stubs contain key information about the submitted document, as shown in Figure E, including a security token. This token can be used to determine which users have access to the original document at search time.
FIGURE E
 
Here you can see document stub details.
The Access Control database
The Google Search Appliance has a powerful set of options to choose from when setting up security for your environment, covering both the crawling and the serving of results.
Authentication options include the use of LDAP, SSO, forms-based authentication, client certificates and integrated Windows authentication. Google also supports authentication via a third-party access control system using Security Assertion Markup Language (SAML) messages. There are also a number of ways to handle authorization of search results, including user impersonation and seeking authorization via a third-party Policy Decision Point (PDP) using SAML messages.
The Access Control database implements both the Google Authentication and Authorization Service Provider Interfaces (SPIs) offered at the GSA using SAML. In doing this we can ensure that Notes document-level security is respected at serve time.
Setting the appliance up to use the Access Control database for both authentication and authorization is quite straightforward. Simply create the Access Control database on your Domino server from the template provided and wait for the system to build its user and group cache. Next, complete three fields in the GSA administration console, as shown in Figure F.
FIGURE F
 
Complete the Access Control Screen for the Google Search Appliance.
Authentication using the Domino Directory
The "User login URL" and the "Artifact service URL" are used together to deliver authentication. The actual process is as follows.
When a user performs a secure search, the GSA will redirect them to the user login URL. This is actually a form in the Access Control database. The Access Control database captures the user's identity in a login document and passes a SAML artifact back to the GSA.
The GSA then responds with the decoded artifact to the Artifact service URL. This is an agent in the Access Control database. This agent looks up the user's identity using the artifact and returns the username from the login document to the GSA. This process is shown in Figure G.
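The artifact exchange described above, modelled as a small Python sketch. This is an added example, not the connector's own code: the class and function names, the 60-second lifetime, and the single-use and expiry checks are assumptions and are not details given in the article.

```python
import secrets
import time

ARTIFACT_TTL_SECONDS = 60  # assumed lifetime; the article does not state one


class AccessControlStore:
    """Hypothetical stand-in for the Access Control database's login documents."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._login_docs = {}  # artifact -> (username, issued_at)

    def login(self, username):
        """'User login URL' step: record the identity, hand back an artifact."""
        # The artifact is an unguessable reference; it carries no identity itself.
        artifact = secrets.token_urlsafe(32)
        self._login_docs[artifact] = (username, self._clock())
        return artifact

    def resolve(self, artifact):
        """'Artifact service URL' step: return the username, or None."""
        doc = self._login_docs.pop(artifact, None)  # pop makes it single-use
        if doc is None:
            return None  # unknown, or already redeemed once
        username, issued_at = doc
        if self._clock() - issued_at > ARTIFACT_TTL_SECONDS:
            return None  # expired before the GSA redeemed it
        return username


def demo():
    """Walk through one valid redemption and three rejected ones."""
    now = [0.0]  # controllable clock so the expiry case is deterministic
    store = AccessControlStore(clock=lambda: now[0])
    user = "CN=Jane Doe/O=Example"  # constructed sample Notes name
    a1 = store.login(user)
    first = store.resolve(a1)    # GSA redeems the artifact
    replay = store.resolve(a1)   # same artifact presented a second time
    a2 = store.login(user)
    now[0] += ARTIFACT_TTL_SECONDS + 1
    late = store.resolve(a2)     # redeemed after the assumed lifetime
    forged = store.resolve("not-a-real-artifact")
    return first, replay, late, forged
```

Only the first redemption returns a username; a replayed, expired or unknown artifact resolves to nothing, so the GSA never receives an identity for it.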