The GSA (Google Search Appliance) has support for forms based authentication but there are situations when configuring the authentication through the administration panel won’t work. A situation like that could be that you have an intranet or extranet with forms based authentication (such as EPiServer) but the authentication is acutally done by a third party (SSO). In this particular case it’s our own SAML-SSO service that authenticate the user on behalf of the intranet.

HTTPHeaders to the rescue!

The HTTPHeaders setting in GSA administration can be used to send an authentication cookie to the server being crawled. To use this setting you first need to get your dirty hands on a valid cookie value. The easiest way to find a valid cookie value is to set up a temporary page on the site to be crawled that when visited sets a persistent cookie for the GSA crawler account. Point your Firefox browser to that page and view cookies for the domain (Page info -> Security -> View cookies). Enter the cookie name and value into the HTTPHeaders setting in GSA in the following format: Cookie:cookiename=cookievalue.

gsa httpheader setting

This GSA is set to swedish language but if you’re familillar with GSA you’ll understand. I blurred out some info for security reasons.

It’s very important that you understand the security implication. This setting is global, meaning the cookie will be sent to all sites indexed by the GSA. In ASP.NET the password for a user is never stored in the authentication ticket/cookie so it’s not a big deal IF you can restrict access to your protected site by IP per account. In EPiServer 4.x (not possible in EPiServer CMS 5+) this is not a problem, you’re not getting in even through you have the correct cookie if you’re not from the defined IP. If you’re only indexing sites you trust however (ie. internal resources), this is of little or no concern.

Related posts