Behavior for multiple auth mechs for a single credential group

Michael Hill

Feb 18, 2015, 7:04:14 PM
to Google-Search-...@googlegroups.com
Hello,

I'm trying to get a better understanding of how the GSA authenticates users.

We have a GSA search configured with multiple cookie authn mechs under the same credential group. From the logs, it looks like users must pass authentication with all of those mechanisms -- not just one. Is this the intended behavior?

I would expect users to only need one mechanism to validate their authentication before the GSA performs the search.

In gsa_search_log_failure.txt, the GSA goes through all four mechanisms and only one verifies the user. No results are returned and there is no "Authentication successful!" line.
In gsa_search_log_success.txt, the three mechanisms that were refuting the user have been removed. Results are returned.

This seems strange to me. I'm still looking but I haven't found any documentation about this yet. Has anyone else run into this?

Mike
gsa_search_log_failure.txt
gsa_search_log_success.txt

Michael Hill

Feb 18, 2015, 8:02:24 PM
to Google-Search-...@googlegroups.com

Dave Watts

Feb 19, 2015, 11:08:40 AM
to Google-Search-...@googlegroups.com
My understanding is that the GSA isn't really intended to use one
credential group with multiple authentication mechanisms, unless one
of those "authentication" mechanisms is really only being used for
group lookups. That's the point of having multiple credential groups.
How would late-binding authorization work if you could have multiple
authentication mechanisms within a single credential group, for
example? Would it only use the authentication mechanism that succeeded
for authorization checks?

If you want to provide multiple authorization paths, even if the
corresponding authentication mechanisms all point to the same user
repository under the covers, you're going to need to provide multiple
credential groups. And if you want to have multiple authentication
mechanisms that point to different user repositories, you definitely
want to use multiple credential groups.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.