Secure Global Desktop Authentication
SecurID Authentication
SecurID authentication enables users with RSA SecurID tokens to log in to SGD. SGD authenticates users against an RSA Authentication Manager, formerly known as ACE/Server.
RSA SecurID is a product from RSA Security, Inc., that uses two-factor authentication based on something you know, a PIN, and something you have, a tokencode supplied by a separate token such as a PIN pad, standard card, or software token. The PIN and tokencode are combined to form a passcode which is used as the password when you log in to SGD.
This authentication mechanism is disabled by default.
This section includes the following topics: How SecurID Authentication Works and Setting Up SecurID Authentication.
How SecurID Authentication Works
At the SGD login screen, the user types their SecurID user name, for example indigo, and their passcode.
This authentication mechanism searches the local repository for a user profile whose Name attribute matches the name the user typed. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute.
If a user profile is found, the Login Name attribute of that profile is used as the SecurID user name. If no user profile is found, the name the user typed is used as the SecurID user name.
Next, SGD checks the SecurID user name and the passcode typed by the user against the RSA Authentication Manager. If the authentication fails, the user cannot log in, because SGD tries no further authentication mechanisms after SecurID.
If the authentication succeeds but the Login attribute of the user profile is not enabled, the user is not logged in. If the authentication succeeds and the Login attribute is enabled, the user is logged in.
If a user profile was found in the local repository, this is used for the user identity and user profile. In the SGD datastore, the user identity is in the Local namespace. In the Administration Console, the text “(Local)” is displayed next to the user identity. On the command line, the user identity is located in .../_ens.
If no user profile was found in the local repository, the user identity is the SecurID user name. In the SGD datastore, the user identity is in the SecurID namespace. In the Administration Console, the text “(SecurID)” is displayed next to the user identity. On the command line, the user identity is located in .../_service/sco/tta/securid.
The profile object System Objects/SecurID User Profile is used for the user profile.
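The resolution and decision sequence above, as an added example in Python (not SGD code). It runs the Name, Login Name, Email Address lookup order over a constructed local repository, picks the SecurID user name and identity namespace the way the text describes, and applies the Login attribute check only after a successful passcode check. The passcode verifier, the user profiles and the passcodes are constructed stand-ins; in SGD the RSA Authentication Manager does the checking.

```python
"""Added example, not SGD code: SecurID user-name resolution and login
decision over a constructed local repository. Passcode checking is a stub;
in SGD the RSA Authentication Manager does it."""
from dataclasses import dataclass
from typing import Callable, Optional

# Attributes searched, in order, for a profile matching the typed name.
LOOKUP_ORDER = ("name", "login_name", "email")
SECURID_PROFILE = "System Objects/SecurID User Profile"


@dataclass(frozen=True)
class UserProfile:
    name: str
    login_name: str
    email: str
    login_enabled: bool = True


@dataclass(frozen=True)
class LoginResult:
    securid_user: str   # name sent to the Authentication Manager
    namespace: str      # "Local" or "SecurID" user identity namespace
    profile: str        # user profile object applied to the session
    logged_in: bool
    reason: str


def find_profile(typed: str, repo: list) -> Optional[UserProfile]:
    """Match Name, then Login Name, then Email Address. The first attribute
    that matches wins, so a Name match beats a Login Name match elsewhere."""
    for attr in LOOKUP_ORDER:
        for profile in repo:
            if getattr(profile, attr) == typed:
                return profile
    return None


def securid_login(typed: str, passcode: str, repo: list,
                  verify: Callable[[str, str], bool]) -> LoginResult:
    profile = find_profile(typed, repo)
    # Login Name of a matching profile becomes the SecurID user name;
    # otherwise the typed name is sent as-is.
    securid_user = profile.login_name if profile else typed
    if not verify(securid_user, passcode):
        # No further mechanism is tried once SecurID rejects the passcode.
        return LoginResult(securid_user, "", "", False, "passcode rejected")
    if profile is None:
        return LoginResult(securid_user, "SecurID", SECURID_PROFILE, True, "ok")
    if not profile.login_enabled:
        return LoginResult(securid_user, "Local", profile.name, False,
                           "Login attribute disabled")
    return LoginResult(securid_user, "Local", profile.name, True, "ok")


# Constructed local repository (not real users).
SAMPLE_REPO = [
    UserProfile("Indigo Jones", "indigo", "indigo@example.com"),
    UserProfile("violet", "vjones", "violet@example.com", login_enabled=False),
]

# Constructed stand-in for the RSA Authentication Manager: accepts exactly one
# passcode (PIN followed by tokencode) per SecurID user name.
_SAMPLE_PASSCODES = {"indigo": "2468" + "123456", "vjones": "1357" + "654321",
                     "rusty": "8642" + "111111"}


def sample_verify(user: str, passcode: str) -> bool:
    return _SAMPLE_PASSCODES.get(user) == passcode


if __name__ == "__main__":
    for typed, pc in [("indigo", "2468123456"), ("indigo@example.com", "2468123456"),
                      ("violet", "1357654321"), ("rusty", "8642111111"),
                      ("indigo", "0000000000")]:
        print(typed, "->", securid_login(typed, pc, SAMPLE_REPO, sample_verify))
```

Two cases are worth noticing: a user typing an email address is resolved to the profile's Login Name before the passcode is sent, so the RSA side never sees the address; and a valid passcode for a profile whose Login attribute is disabled still ends in a refused login.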
Setting Up SecurID Authentication
Setting up SecurID authentication involves the following configuration steps:
1. Install and configure RSA SecurID.
Ensure you are using a supported version of RSA SecurID. The supported versions of SecurID are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.
Ensure the RSA Authentication Manager is up to date with the latest patches released by RSA.
2. Configure each SGD server in the array as an Agent Host.
Each SGD server in the array acts as an Agent Host so that it can authenticate users against the RSA Authentication Manager.
3. Enable SecurID authentication in SGD.
Configure SecurID authentication so that SecurID users can log in to SGD.
To use SecurID authentication, each SGD server in the array must be configured as an Agent Host. As SecurID implementations can vary, the following procedure is an example only. Consult your SecurID documentation for details of how to configure an Agent Host.
Before you begin, ensure you have access to the RSA Authentication Manager configuration file, sdconf.rec.
Log in as superuser (root) on the SGD host.
Ensure the SGD server can contact the RSA Authentication Manager on the network.
You might have to open ports in your firewalls to enable an SGD server to contact the RSA Authentication Manager. By default, the following must be open:
UDP port 5500 from the SGD server to the Authentication Manager.
UDP ports 1024 to 65535 from the Authentication Manager to the SGD server. These carry the replies to the agent's requests; a stateful firewall that tracks the outbound UDP flow typically allows them without a separate inbound rule.
Specify the location of the RSA Authentication Manager configuration file.
Copy the RSA Authentication Manager configuration file, sdconf.rec, to the SGD server.
Set the file permissions so that SGD can read and write the configuration files. In the following example, the configuration directory is /opt/ace and /etc/sdace.txt records its location:
# chmod 444 /etc/sdace.txt
# chown -R ttasys:ttaserv /opt/ace
# chmod -R 775 /opt/ace
The ttasys user and ttaserv group need write access to the directory because the RSA agent writes to it, for example to store the node secret it receives from the Authentication Manager. Do not make the directory or its contents world-writable.
Register the SGD servers as Agent Hosts in the RSA Authentication Manager database.
Use either the RSA Authentication Manager Database Administration application or the sdadmin application.
Add the SGD server as a UNIX Agent Host in the database, using its fully qualified domain name, for example server.domain.com.
For each Agent Host, configure Group or User Activation, or set the Open to All Locally Known Users option. Group or User Activation limits which SecurID users can authenticate through SGD; Open to All Locally Known Users admits every user known to the Authentication Manager.
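An added preflight check for the file steps of this procedure, in Python (not SGD or RSA code). It verifies that the sdace.txt file is read-only, and that everything under the configuration directory is owned by the expected user and group and is not world-writable, which is what the chmod and chown steps above produce. It only reports; it changes nothing. The demo builds a constructed layout in a temporary directory; the data/ subdirectory and the file contents are placeholders, not the real location or format of sdconf.rec.

```python
"""Added example, not SGD or RSA code: preflight check that Agent Host files
match the permissions set by the procedure. The demo layout, its data/
subdirectory and file contents are constructed placeholders."""
import os
import stat
import tempfile


def check_agent_host_files(sdace_path: str, ace_dir: str,
                           owner_uid: int, group_gid: int) -> list:
    """Return findings (empty list = layout matches the procedure):
    sdace_path must exist and not be writable (chmod 444);
    everything under ace_dir must be owned by owner_uid:group_gid
    (chown -R ttasys:ttaserv) and not world-writable (chmod -R 775)."""
    findings = []
    try:
        mode = stat.S_IMODE(os.stat(sdace_path).st_mode)
    except FileNotFoundError:
        return [f"{sdace_path}: missing"]
    if mode & 0o222:
        findings.append(f"{sdace_path}: writable (mode {mode:04o}), expected 0444")
    if not os.path.isdir(ace_dir):
        findings.append(f"{ace_dir}: missing or not a directory")
        return findings
    paths = [ace_dir]
    for root, dirs, files in os.walk(ace_dir):
        paths.extend(os.path.join(root, n) for n in dirs + files)
    for path in paths:
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if (st.st_uid, st.st_gid) != (owner_uid, group_gid):
            findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, "
                            f"expected {owner_uid}:{group_gid}")
        if mode & 0o002:
            findings.append(f"{path}: world-writable (mode {mode:04o}), expected 0775")
    return findings


def demo_agent_host_preflight():
    """Build a constructed layout in a temp dir, check it, then loosen two
    permissions and check again. Returns (findings_good, findings_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        sdace = os.path.join(tmp, "sdace.txt")             # stands in for /etc/sdace.txt
        ace = os.path.join(tmp, "ace")                     # stands in for /opt/ace
        sdconf = os.path.join(ace, "data", "sdconf.rec")   # assumed location
        os.makedirs(os.path.dirname(sdconf))
        with open(sdconf, "wb") as f:
            f.write(b"constructed placeholder, not a real sdconf.rec\n")
        with open(sdace, "w") as f:
            f.write("# constructed placeholder for /etc/sdace.txt\n")
        # Mirror the procedure: chmod 444 sdace.txt; chmod -R 775 on the directory.
        os.chmod(sdace, 0o444)
        for root, dirs, files in os.walk(ace):
            for n in dirs + files:
                os.chmod(os.path.join(root, n), 0o775)
        os.chmod(ace, 0o775)
        # The demo cannot chown, so it expects whichever owner created the tree.
        # On a real SGD host pass pwd.getpwnam("ttasys").pw_uid and
        # grp.getgrnam("ttaserv").gr_gid instead.
        st = os.stat(ace)
        good = check_agent_host_files(sdace, ace, st.st_uid, st.st_gid)
        os.chmod(sdace, 0o664)      # sdace.txt now writable
        os.chmod(sdconf, 0o777)     # sdconf.rec now world-writable
        bad = check_agent_host_files(sdace, ace, st.st_uid, st.st_gid)
        return good, bad


if __name__ == "__main__":
    good, bad = demo_agent_host_preflight()
    print("compliant layout:", good or "no findings")
    print("after loosening:", *bad, sep="\n  ")
```

Run it on the SGD host as root after the chmod and chown steps, passing /etc/sdace.txt, /opt/ace and the ttasys and ttaserv IDs; an empty result means the layout matches the procedure, and each finding names the path and the attribute that deviates.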
In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.
Go to the Global Settings -> Secure Global Desktop Authentication tab and click the Change Secure Global Desktop Authentication button.
On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
On the System Authentication - Repositories step, select the SecurID check box.
On the Review Selections step, check your authentication configuration and click Finish.