Secure Global Desktop Authentication Tab

Use the settings on the Secure Global Desktop Authentication tab to control how users log in to SGD. The settings apply to all SGD servers in the array. Changes to the settings take effect immediately.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

User authentication can be performed by an external authentication mechanism (third-party authentication), or SGD can perform the authentication using a specified repository (system authentication).

The Secure Global Desktop Authentication tab contains the following sections:

• Tokens and Cache. This section contains the following attributes:

  • Token Generation

  • Password Cache

• Secure Global Desktop Effective Sequence. This section displays a summary of the current SGD authentication settings. If you click the Change User Authentication button, the Authentication Wizard starts. The Wizard enables you to configure SGD authentication. See The Authentication Wizard.

The Authentication Wizard

The Authentication Wizard guides you through the process of setting up authentication for SGD users. The number of steps shown in the Authentication Wizard depend on the choices you make as you work though the Wizard.

The available steps in the Authentication Wizard are as follows:

• Overview. Includes background information about how users authenticate to SGD.

• Third-Party/System Authentication. Select whether you want to use third-party authentication, system authentication or both.

  This step contains the following attributes:

  • Third-Party Authentication

  • System Authentication

• Third-Party Authentication – User Identity and Profile. For third-party authentication only. Choose search methods to use for finding the user identity and user profile of the authenticated user.

  This step contains the following attributes:

  • Search Local Repository

  • Search LDAP Repository

  • Use Default Third-Party Identity

  • Use Default LDAP Profile

  • Use Closest Matching LDAP Profile

• System Authentication – Repositories. For system authentication only. Select one or more check boxes to enable repositories that SGD uses for locating user information. The repositories are listed in the order in which they are tried. If one repository authenticates the user, no more repositories are tried.

  This step contains the following attributes:

  • LDAP/Active Directory

  • Unix

  • Authentication Token

  • Windows Domain Controller

  • SecurID

  • Anonymous

• Unix Authentication – User Profile. For system authentication only. This screen is shown if UNIX authentication is selected. Select one or more check boxes to specify how to find the user profile for the authenticated UNIX system user. The authentication methods are listed in the order in which they are tried. If one method finds a matching user profile, no more search methods are tried.

  This step contains the following attributes:

  • Search Unix User ID in Local Repository

  • Search Unix Group ID in Local Repository

  • Use Default User Profile

• Windows Domain Authentication – Domain Controller. For system authentication only. This screen is shown if the Windows Domain Controller system authentication repository is selected. Here, you specify the name of the domain controller.

  This step contains the Windows Domain attribute.

• LDAP Repository Details. For third-party or system authentication. This screen is shown if an LDAP or Active Directory system authentication repository is selected, or if the Search LDAP Repository option is selected for third-party authentication. Here, you specify details of the LDAP repository to use.

  This step contains the following attributes:

  • Active Directory

  • LDAP

  • URLs

  • User Name and Password

  • Connection Security

  • Active Directory Base Domain

  • Active Directory Default Domain

  The LDAP Repository Details step enables you to create and manage the service object called generated. If more than one service object is configured, you use the Service Object tab to configure these details, see Service Objects Tab.

• Review Selections. Shows a summary of the choices you have made using the Wizard. You can review your authentication settings before confirming the changes.

Token Generation

Usage: Select or deselect the check box.

Description

Whether to create authentication tokens for users so they can log in automatically to SGD.

To ensure that an authentication token cannot be intercepted and used by a third party, use secure Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) web servers and enable SGD security services.

Command Line

Command option: --login-autotoken 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables generation of authentication tokens for users.

--login-autotoken 0

Password Cache

Usage: Select or deselect the check box.

Description

Whether to save the user name and password that the user types to log in to SGD in the password cache.

If you are using SecurID authentication, do not save the user name and password, as SecurID passwords cannot be reused.

SGD cannot store the user names and passwords of users authenticated with third-party authentication.

Command Line

Command option: --launch-savettapassword 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example saves user log in details in the password cache.

--launch-savettapassword 1

Third-Party Authentication

Usage: Select or deselect the check box.

Description

Select the check box to enable third-party authentication.

This attribute enables you to give access to SGD to users who have been authenticated by a third-party mechanism, such as web server authentication.

Command Line

Command option: --login-thirdparty 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables third-party authentication.

--login-thirdparty 0

System Authentication

Usage: Select or deselect the check box.

Description

Specifies that user authentication is done by the SGD server. Selecting this option enables the Wizard screens for system authentication settings.

Command Line

There is no command line equivalent for this attribute.

Search Local Repository

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in the local repository and then uses the matching user profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching the local repository for a matching user profile is disabled.

--login-thirdparty-ens 0

Search LDAP Repository

Usage: Select or deselect the check box.

Description

Specifies that the LDAP repository is searched to find the user identity for a user who has been authenticated by a third-party authentication mechanism.

The search method used is defined by the Use Default LDAP Profile or Use Closest Matching LDAP Profile attribute.

Command Line

There is no command line equivalent for this attribute.

Use Default Third-Party Identity

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method does not perform a search. The user identity is the third-party user name. The third-party user profile, System Objects/Third Party Profile, is used.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-thirdparty-nonens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default user profile is disabled.

--login-thirdparty-nonens 0

Use Default LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the default LDAP user profile, System Objects/LDAP Profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-ldap-thirdparty-profile 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the default LDAP profile is disabled.

--login-ldap-thirdparty-profile 0

Use Closest Matching LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the closest matching user profile in the local repository, allowing for differences between the LDAP and SGD naming systems.

SGD searches for the following until a match is found:

• A user profile with the same name as the LDAP person object.

  For example, if the LDAP person object is cn=Emma Rald,cn=Sales,dc=example,dc=com, SGD searches the local repository for dc=com/dc=example/cn=Sales/cn=Emma Rald.

• A user profile in the same organizational unit as the LDAP person object but with the name cn=LDAP Profile.

  For example, dc=com/dc=example/cn=Sales/cn=LDAP Profile.

• A user profile in any parent organizational unit with the name cn=LDAP Profile.

  For example, dc=com/dc=example/cn=LDAP Profile.

• If there is no match, the profile object System Objects/LDAP Profile is used for the user profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-ldap-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the closest matching LDAP profile is disabled.

--login-ldap-thirdparty-ens 0

LDAP/Active Directory

Usage: Select or deselect the check box.

Description

Specifies that an LDAP directory server or Active Directory server is used for authentication.

Selecting this option enables the Wizard screen where you can type in LDAP directory server or Active Directory server details.

Command Line

There is no command line equivalent for this attribute.

Unix

Usage: Select or deselect the check box.

Description

Enables UNIX authentication.

Selecting this option enables the Wizard screen where you can configure UNIX authentication settings.

Command Line

There is no command line equivalent for this attribute.

Authentication Token

Usage: Select or deselect the check box.

Description

Enables authentication using an authentication token.

Authentication using an authentication token can only be used when the SGD Client is operating in Integrated mode.

Command Line

Command option: --login-atla 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, authentication using an authentication token is disabled.

--login-atla 0

Windows Domain Controller

Usage: Select or deselect the check box.

Description

Enables authentication against a Windows domain controller.

Command Line

Command option: --login-nt 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, Windows Domain Controller authentication is disabled.

--login-nt 0

SecurID

Usage: Select or deselect the check box.

Description

Enables users with RSA SecurID tokens to log in to SGD.

Command Line

Command option: --login-securid 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, SecurID authentication is disabled.

--login-securid 0

Anonymous

Usage: Select or deselect the check box.

Description

Enables users to log in to SGD without supplying a user name and password.

Command Line

Command option: --login-anon 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, anonymous user authentication is disabled.

--login-anon 0

Search Unix User ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to search for the user identity in the local repository and use the matching user profile.

Command Line

Command option: --login-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX User ID in the local repository is enabled.

--login-ens 1

Search Unix Group ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the UNIX user identity and search for a user profile in the local repository that matches the user’s UNIX Group ID.

Command Line

Command option: --login-unix-group 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX Group ID in the local repository is enabled.

--login-unix-group 1

Use Default User Profile

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the default UNIX user profile, System Objects/UNIX User Profile, for the authenticated user.

Command Line

Command option: --login-unix-user 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default UNIX user profile (System Objects/UNIX User Profile) is enabled.

--login-unix-user 1

Windows Domain

Usage: Type the Windows domain name in the field.

Description

The name of the domain controller used for Windows domain authentication.

Command Line

Command option: --login-nt-domain dom

Usage: Replace dom with the name of the Windows domain controller used to authenticate users.

In the following example, users are authenticated with the Windows domain controller sales.indigo-insurance.com.

--login-nt-domain sales.indigo-insurance.com

Active Directory

Usage: Select the option.

Description

Enables Active Directory authentication.

Command Line

Command option: --login-ad 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, Active Directory authentication is enabled.

--login-ad 1

LDAP

Usage: Select the LDAP option.

Description

Enables LDAP authentication.

Command Line

Command option: --login-ldap 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, LDAP authentication is enabled.

--login-ldap 1