This section describes how you can access SGD from the desktop Start or Launch Menu on the client device. Operating SGD in this way is called Integrated mode.
When users first connect to an SGD server, they usually start a browser and go to the http://server.example.com/sgd URL, where server.example.com is the name of an SGD server. They can then log in to SGD and display a webtop. However, once users have logged in, the SGD Client can be configured to use Integrated mode. When the SGD Client operates in Integrated mode, the links for starting applications are displayed in the desktop Start or Launch Menu, instead of on the webtop. This means that users can run remote applications in the same way as local applications. Depending on how you configure Start Menu integration, there might be no need to use a browser.
Use Integrated mode if your organization prefers not to use Java technology on the client device. See also Using SGD Without Java Technology.
The desktop systems that supported for Integrated mode are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.
This section includes the following topics:
When the SGD Client is in Integrated mode, the user logs in to SGD by clicking the Login link on their desktop Start or Launch Menu.
Figure 6-1 Logging In From the Desktop Start Menu
If the user has logged in to more than one SGD server, there is a Login link for each server in the Start or Launch Menu.
Note - To use Integrated mode, you must log in using the Start or Launch Menu. Integrated mode is not available if you start a browser and log in.
Once the user has logged in to SGD, the Start or Launch Menu is updated with the links for the applications they can run through SGD.
Figure 6-2 Application Links in the Desktop Start Menu
To start an application, the user clicks the application’s link on the Start or Launch Menu. To start another instance of the application, the user clicks the link again.
Working in Integrated mode simplifies session management. Unlike the webtop, there are no controls for suspending and resuming applications. Instead, when the user logs out, the SGD Client automatically suspends or ends all running application sessions. When the user logs in again, the SGD Client automatically resumes all suspended sessions.
In Integrated mode, users cannot start applications with a different user name and password, by pressing and holding down the Shift key when clicking the application’s link. See Users Can Start Applications With Different User Names and Passwords.
Printing is simplified too. Printing is always “on” and print jobs go straight to the printer the user has selected. Unlike the webtop, print jobs cannot be managed individually.
If the user needs to display a webtop, for example to be able to edit their profile, resume a suspended application, or manage printing, they can click the Webtop link on the Start Menu. The user is not prompted to log in, as they already have a user session. The webtop is displayed in their default browser.
If the user has arranged any of their webtop content to display in groups, those groups are also used in the Start or Launch Menu. If the group is configured to hide webtop content, the content does not display in the Start or Launch Menu.
To log out of SGD, the user clicks the Logout link on the Start or Launch Menu.
Setting up Integrated mode for the SGD Client involves the following configuration steps:
Enable at least one other authentication mechanism.
The user must log in and be authenticated by another authentication mechanism so that SGD can store a user identity and user profile when the user generates an authentication token.
You can use third-party authentication, or any of the other system authentication mechanisms, apart from anonymous user authentication.
Configure SGD for authentication token authentication.
In Integrated mode, if you configure the SGD Client to log in users in automatically to SGD, an authentication token is used to authenticate the user.
Enable client profile editing.
Client profile editing must be enabled, to allow users to generate authentication tokens. You can enable profile editing for all users, or just for users that require authentication tokens.
Configure the client profile for Integrated mode.
Integrated mode must be enabled in the client profile. Other settings in the client profile also affect how Integrated mode works.
Applications might have to be configured to give users the best experience.
Authentication token authentication enables users to log in to SGD if the SGD Client submits a valid authentication token.
Authentication token authentication can only be used when the SGD Client is operating in Integrated mode and a user has an authentication token.
Authentication token authentication is disabled by default.
This section includes the following topics:
When the SGD Client starts, it submits an authentication token to SGD. The user does not enter a user name or password.
If the authentication token is invalid or the SGD Client does not submit a token, the user is not logged in. The SGD login screen is displayed in a browser, so that the user can log in using another system authentication mechanism.
If the SGD Client submits a valid authentication token, the user is logged in.
The SGD server stores the authentication token against the identity of the user when they generated their authentication token. This means the user identity and user profile used are those of the authentication mechanism that originally authenticated the user. See Chapter 2, User Authentication for details of the SGD authentication mechanisms.
When a user generates an authentication token and saves their client profile, the SGD server sends the authentication token to the SGD Client. The SGD Client stores the token in the profile cache on the client device. See About the Profile Cache.
To ensure an authentication token cannot be intercepted and used by a third party, use secure HTTP over Secure Sockets Layer (HTTPS) web servers and enable SGD security services.
When a user generates an authentication token, SGD maintains a record of the tokens issued in a token cache. SGD stores the authentication token using the current identity of the user when the token was generated.
When a user logs in with an authentication token, the authentication token enables SGD to “remember” the user’s original identity and user profile. All user sessions and application sessions are managed using the original user identity and user profile.
If the original login becomes invalid, for example because the UNIX system account is disabled or the password has expired, the user can still log in automatically if they have a valid token. However, they cannot run any applications using the invalid credentials.
On the Global Settings -> Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.
The Secure Global Desktop Authentication Configuration Wizard closes.
SGD Administrators can use the Administration Console or the tarantella tokencache command to administer authentication tokens. The following administration tasks can be done:
Viewing the tokens in the token cache
Deleting tokens from the token cache
Preventing users from generating new tokens
If token generation is enabled, users can generate a new authentication token from the webtop.
You can view the entries in the token cache that belong to a particular user identity or user profile.
Tip - On the command line, you can use the tarantella tokencache list command to show all entries in the token cache.
Deleting a token from the token cache makes the token stored on a client device invalid. If the SGD Client presents an invalid token, the user is prompted to log in with a user name and password. The user must then generate another authentication token if they want to log in automatically.
Select the check box next to a token and click Delete.
Select the check box next to a token and click Delete.
Tip - On the command line, you can use the tarantella tokencache delete command to delete token cache entries. You can run the tarantella tokencache delete command on any SGD server in the array. The change is replicated to the other servers in the array.
Use this procedure to prevent SGD from issuing new authentication tokens. If authentication token authentication is still enabled, users with existing authentication tokens can still log in to SGD.
Deselect the Token Generation check box and click Save.
$ tarantella config edit --login-autotoken 0
If a user needs to generate a new authentication token, they must edit their client profile.
See Setting Up the SGD Client for Integrated Mode for more details about using an authentication token to log in to SGD.
To troubleshoot problems with automatic logins, use the following log filters:
server/login/*:autologin%%PID%%.log server/login/*:autologin%%PID%%.jsl server/tokencache/*:autologin%%PID%%.log server/tokencache/*:autologin%%PID%%.jsl
The server/login/* filter enables you to see when authentication tokens are used for authentication and when they fail.
The server/tokencache/* filter enables you to see errors with operations on the token cache. For example, to see why a token is not added to the token cache.
See Using Log Filters to Troubleshoot Problems With an SGD Server for more information on configuring and using SGD log filters.
The following settings in a client profile are applicable when using Integrated mode.
SGD Administrators can configure all these settings apart from the Automatic Client Login.
When configuring Integrated mode, ensure that the login URL in the client profile contains a fully qualified domain name.
All of the available client profile settings for Integrated mode can be configured by both SGD Administrators and users, except for the Automatic Client Login setting.
The Automatic Client Login setting enables automatic logins to SGD, and can only be configured by individual users. This is because when Automatic Client Login is first enabled, SGD generates a unique authentication token for the user when the client profile is saved. The authentication token is stored in the profile cache on the user’s client device. This means that users must be able to edit their client profiles, in order to generate an authentication token.
If a user logs in to different SGD servers, they must log in to each SGD server and edit their client profile.
If a user edits their client profile, they must log out of SGD and log in again for the changes to take effect.
To use automatic logins, users click the SGD Login link in their desktop Start menu. If the Connect on System Login check box in the client profile is selected, the SGD Client logs in automatically when a user logs in to their desktop.
For applications that are configured with a Window Type of Independent Window, closing the window might end or suspend the application session, depending on the setting of the application’s Window Close Action attribute.
In Integrated mode, there are no controls for suspending and resuming individual application instances. Applications that are configured to be always resumable are automatically suspended when you log out and resumed when you log in. In the Administration Console, application objects that are always resumable have an Application Resumability setting of General in the Launch tab.
While in Integrated mode, you can only resume a suspended session by displaying a webtop and using the session controls for the application.
You might also want to configure the Number of Instances attribute, to limit the number of instances of applications that users can run.