IIS/Domino using the WebSphere plug-in (WAS) Vs Google Search Appliance - Tough Question!

Hello,

We are using the WebSphere Application Server plug-in (WAS6) on Windows 2003 in order to have IIS (6) and Domino (7) installed on the same server. The main reason we are doing this is to enable Integrated Windows Authentication so our users don’t have to log in to access the Intranet. When a request is made, IIS answers first and authenticates the user using Integrated Windows Authentication. The request is then sent to Domino using the WebSphere plug-in. The user doesn’t have to enter their credentials.

I followed Technote #1228190 to complete this setup.

Everything has been working fine for over a year… and our users are pleased to not have to enter their username/password to access protected content.

However, we now want to purchase the Google Search Appliance in order to have a good enterprise search for our Intranet:

http://code.google.com/apis/searchappliance/documentation/50/index.html

I created a special user used by the GSA to crawl protected Domino databases. That part is working fine.

However, when a user does a search in the GSA, if some protected documents are to be returned for that particular search query, the GSA must then authenticate the user and see if he’s authorized to see the snippets in the results page. If he’s not authorized, the snippets won’t be available in the results page… which is correct.

However, I want to prevent the GSA from prompting for username/password before displaying the results.

I found the Enabling Windows Integrated Authentication documentation:

http://code.google.com/apis/searchappliance/documentation/50/admin/wia.html

I followed this documentation and I almost made their SAML Bridge work.

Unfortunately, I do have a big problem.

Here’s an example of this SAML Bridge with an IIS only solution:

  • The search query must return a protected document.

  • The GSA uses the SAML Bridge to authenticate the user.

  • The GSA then checks if the user is authorized to see the content.

  • If the user has access (NTFS security on the file), the content is displayed in the result page.

  • If the user doesn’t have access (not listed in the NTFS security), the content is not displayed in the result page.

That solution is working flawlessly.

Here’s an example of this SAML Bridge with an IIS/Domino solution (using WAS6):

  • The search query must return a protected document.

  • The GSA uses the SAML Bridge to authenticate the user.

  • The GSA then checks if the user is authorized to see the content.

  • All users are authorized to access the WebSphere plug-in. The security is made in the ACL of the Domino databases instead. That means that every request made to a Domino database using this SAML Bridge always returns “Permit” because they are all able to go through IIS Integrated Windows Authentication security. When the request is sent to Domino, then Domino will return its domcfg.nsf page saying “You’re attempting to access something you’re not authorized” (we’re using Multiple Servers (SSO)).

  • All the users can now see the content in the results page. They will eventually get prompted by Domino (“You’re attempting to access…”) when they click on the link in the results page, so they won’t be able to open the document. However, they will be able to see the snippets in the search results page, which could contain some sensitive information.

I know it’s quite a complicated setup… but I’m hoping that someone out there has been there before… or might have a few clues on how to solve this.

I swear I will give some beers to the person solving my issue :)

Thanks a lot!

Pascal
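
The gap described in the post, as an added example that is not part of the original post and is not GSA or SAML Bridge code. It assumes the authorization check is decided from the back end's HTTP response and that Domino serves its domcfg.nsf form with status 200; all names and sample responses are constructed.

```python
# Added example: constructed responses, hypothetical names; not GSA or SAML Bridge code.
from dataclasses import dataclass

# Text the post quotes from the domcfg.nsf page; adjust to the real form's wording.
DENIAL_MARKERS = ("you're attempting to access", "you’re attempting to access")

@dataclass
class Response:
    status: int
    body: str = ""

def status_only_decision(resp: Response) -> str:
    """Assumed model of the check in the post: the HTTP status alone decides."""
    if resp.status == 200:
        return "Permit"
    if resp.status in (401, 403):
        return "Deny"
    return "Indeterminate"

def content_aware_decision(resp: Response) -> str:
    """Same check, but a 200 that carries the Domino denial form counts as Deny."""
    decision = status_only_decision(resp)
    if decision == "Permit":
        text = resp.body.lower()
        if any(marker in text for marker in DENIAL_MARKERS):
            return "Deny"
    return decision

# Constructed samples: what the back end might return for one protected URL.
SAMPLES = {
    "iis_ntfs_allowed": Response(200, "<html>Quarterly report</html>"),
    "iis_ntfs_denied": Response(401, "Access is denied."),
    "domino_acl_allowed": Response(200, "<html>HR policy document</html>"),
    "domino_acl_denied": Response(
        200, "<html><form>You're attempting to access something "
             "you're not authorized</form></html>"),
}

def compare(samples=SAMPLES):
    """Return {name: (status_only, content_aware)} for each sample response."""
    return {name: (status_only_decision(r), content_aware_decision(r))
            for name, r in samples.items()}

if __name__ == "__main__":
    for name, (naive, aware) in compare().items():
        print(f"{name:20} status-only={naive:8} content-aware={aware}")
```

Only the `domino_acl_denied` row differs between the two columns: the status-only check permits the snippet, while the content-aware check denies it.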