FIGURE G


Here you can see the authentication process. Roll over picture for a larger image.

Other forms of authentication
Use of Domino authentication is not a requirement. The system can use any other authentication scheme also available to the GSA such as LDAP or client certificates to obtain a user's identity. Regardless of how the user's identity is obtained, the GSA can still use the Access Control database for authorization. The system provides the ability to map a user's Notes name to a foreign name through the use of fields in the Person document, or through a formula, which can be evaluated at run time.

Authorization of search results
When a secure document is found in the search results, the GSA will pass the username to the Authorization service URL, which is a Notes agent in the Access Control database.

For Notes URLs, the system will determine whether the user is allowed to see the original document. When considering a user's access, the system takes into account not only the database ACL but also any document level security fields, and database roles. The system also respects nested groups within the Domino directory. The system responds to the incoming request with either a "Permit" or a "Deny" message to the GSA so that it knows whether to show the document in the search results.

For non-Notes URLs, the system can return an "Indeterminate" response. This allows the GSA to fallback onto a secondary authorization scheme such as user impersonation against file share documents.

The Access Control database allows you to log all incoming authentication and authorization requests. This feature was added during development as a way of tracking the conversation during the Domino server and the GSA, but it has also proven to be very useful during product evaluation and demonstration to show that security of Notes documents is really being respected so I decided to leave this in the final product.

FIGURE H


Here's a record of the incoming authentication and authorisation requests from the Google Search Appliance. Roll over picture for a larger image.

It's probably worth pointing out that every index entry has a flag that tells the GSA whether the entry should be subject to authorization checks. The connector determines whether a document can be seen by all authenticated Domino users at crawl time by combining the database ACL with any document level security restrictions and flags each document as required for the GSA. In turn, the GSA will only seek authorization against documents that have been marked as secure by the connector.

Wrap-up
Well, that just about concludes this discussion about the Domino Connector and the Google Search Appliance. I hope you have enjoyed the read. It was great fun to be part of this project and I have learned a great deal about the GSA in the process.

For me, the exciting part is seeing what might happen next. Google is making enhancements and adding new features all the time. I am currently looking at using parametric search techniques to allow results to be easily filtered and categorised, and it's worth keeping an eye on the Google labs as they bring out new features such as integrated public search, and "fast as you type" search results.

Bain McKay is Executive Vice President and Chief Scientist of CIRI Lab Inc. where he and his research team build advanced Knowledge Management technology using the latest methods in Cognitive Science and computing technology. Bain can be reached at bmckay@cirilab.com or at http://www.cirilab.com.