...

What is security?


From the ayfie point of view, security is about finding out:

  • Who you are, so that a secure login can be performed. This is referred to as authentication.
  • Whether you have at least read access to the data sources you want to search, and to each result element within a data source, before that element is placed in your search results list. This is referred to as authorization.

ayfie enforces this security across heterogeneous data environments, with a variety of data sources such as file servers, mail servers, database systems, groupware applications like SharePoint and IBM Domino, and others.


Authentication

  • Confirming the identity of a user.
  • Microsoft Active Directory is an example of an authentication system.


Authorization

  • Confirming that a specific user has access rights to a specific resource.
  • Checking if user "johndoe" has read access to the file "performance_stats.docx" on the file share "C:\performance_documents\" is an example of determining authorization.
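The authorization step described above, shown as an added example (not ayfie code): each search hit carries the ACL of the underlying item, and a hit is kept only if the already authenticated user, or one of the groups the directory reports for them, has read access. The users, groups, files and ACLs are constructed sample data, and the deny-overrides rule is the Windows file ACL convention, assumed here for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

READ = "read"

@dataclass(frozen=True)
class Ace:
    """One access control entry: principal (user or group), right, allow/deny."""
    principal: str
    right: str
    allow: bool = True

@dataclass(frozen=True)
class Result:
    """A candidate search hit plus the ACL of the underlying item."""
    path: str
    acl: tuple[Ace, ...]

@dataclass(frozen=True)
class User:
    """An authenticated user and the groups the directory reports for them."""
    name: str
    groups: frozenset[str] = field(default_factory=frozenset)

    def principals(self) -> frozenset[str]:
        return self.groups | {self.name}

def has_read_access(user: User, acl: tuple[Ace, ...]) -> bool:
    """Deny-overrides evaluation: a matching deny blocks access; no matching ACE means deny."""
    who = user.principals()
    relevant = [ace for ace in acl if ace.right == READ and ace.principal in who]
    if any(not ace.allow for ace in relevant):
        return False
    return any(ace.allow for ace in relevant)

def trim_results(user: User, candidates: list[Result]) -> list[Result]:
    """Keep only hits the user may read, preserving ranking order, before returning the list."""
    return [hit for hit in candidates if has_read_access(user, hit.acl)]

# Constructed sample data (hypothetical share, users and groups).
SAMPLE_RESULTS = [
    Result(r"C:\performance_documents\performance_stats.docx", (Ace("Finance", READ),)),
    Result(r"C:\performance_documents\board_minutes.docx",
           (Ace("Everyone", READ), Ace("Contractors", READ, allow=False))),
    Result(r"C:\performance_documents\public_policy.pdf", (Ace("Everyone", READ),)),
    Result(r"C:\performance_documents\hr_salaries.xlsx", (Ace("HR", READ),)),
]
JOHNDOE = User("johndoe", frozenset({"Everyone", "Finance"}))
CONTRACTOR = User("extuser", frozenset({"Everyone", "Contractors"}))
```

Calling `trim_results(JOHNDOE, SAMPLE_RESULTS)` returns the first three hits; the contractor sees only the public policy document, because the explicit deny on the Contractors group wins over the Everyone allow.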


Impersonation and Delegation

These are the methods used by Microsoft .NET to authenticate a person and to perform security authorization requests.

  • Impersonation means using a person's credentials to grant access (authentication) on login, and to check object-level security (authorization).
  • Delegation is a server-side feature that is required in order to perform impersonation.
  • Both are valid for any Microsoft Active Directory source, such as Microsoft Windows File, Exchange and SharePoint servers, and other Active Directory integrated data sources.


ayfie Security Architecture

The Locator security model contains methods to handle both authentication and authorization. To meet the requirements of high-security Enterprise Indexing, the VirtualWorks system architecture uses three key security methods:

  • Integrated Microsoft Active Directory user authentication.
  • Microsoft Active Directory Single Sign-On support.
  • Integrated security for non-AD data sources.


When ordinary Microsoft Active Directory (AD) authentication is used, the user is presented with a web form asking for their Windows username and password. The option "Keep me signed in" uses browser cookies to store the user details.
ayfie matches the credentials provided against the security list handled by the repository authority. For example:

  • For Microsoft Fileserver, SharePoint, Exchange, the repository authority is Active Directory.
  • For IBM Domino, the repository authority is the Domino Server.
  • For Database Applications, the authority is the database (SQL, Oracle Server).


Microsoft Active Directory Single Sign-On (SSO) support

To give ayfie Locator users a "seamless" experience when using ayfie search, the ayfie Locator administrator can configure the Locator server to use Single Sign-On (SSO). This allows users to log in to Locator without having to provide their user credentials. By default, Locator uses Microsoft NTLM for SSO authentication. When SSO is enabled on the ayfie Locator server, the user's credentials are supplied by the user's Windows session and carried in the NTLM token to the ayfie Locator server, which logs the user in automatically.

SSO is enabled from the ayfie Locator Management Console by the Locator administrator.  For instructions to enable SSO, please refer to the Management Console Sign-on Options page in the Administrator Guide.

As an alternative to NTLM, Locator can also be configured to use Microsoft Kerberos for SSO authentication.  Please see the article Configuring Kerberos Authentication in the Administrator Guide for details.

...

While Locator supports AzureAD as the primary means of authentication, MFA is not supported: the Locator server's IP must be whitelisted by adding it to the Trusted IPs that are exempt from MFA requirements. For instructions on how to do that, consult Locator and Multi-Factor Authentication (MFA) in Office 365 / AzureAD.

...