Secure Global Desktop 4.40 Administration Guide > Users and Authentication > Secure Global Desktop and User Authentication
|Read This Topic to...|
SGD has two stages to user authentication. First, users authenticate to an SGD server to log in to SGD. Second, users authenticate to an application server to run an application. This page describes the mechanisms available for authenticating to SGD. Authentication to an application server is described in Understanding Application Launch.
SGD is designed to integrate with your existing authentication infrastructure and supports the following two mechanisms for authenticating users:
The following are main results of a successful authentication:
Sometimes the user identity and the user profile are the same thing.
In the SGD Administration Console, you can monitor user sessions and application sessions using either the user identity or the user profile.
Depending on how users are authenticated, SGD can prompt users to change their password when they try to log in with an an expired password. See Password Expiry for details.
SGD authentication is global. A user can log in to each SGD server in the array with the same user name and password.
Secure Global Desktop Administrators can enable and disable each authentication mechanism independently,
using the Global Settings » Secure Global Desktop Authentication tab in the SGD Administration Console,
or by using the
tarantella config command.
A user identity is the SGD idea of who a user is. Each authentication mechanism has its own set of rules for determining the user identity.
A user identity is a name assigned by SGD and is sometimes referred to as the fully qualified name. The user identity is not necessarily the name of a user profile in the local repository. For example, for LDAP authentication the identity is the distinguished name (DN) of the user in the LDAP directory.
The user identity is associated with the user's SGD session, their application sessions, and their entries in the application server password cache.
A user profile controls a user's SGD-specific settings. Depending on whether or not you are use the Directory Services Integration feature, a user profile can also control the applications a user can run (sometimes called webtop content). Each authentication mechanism has its own set of rules for determining the user profile.
A user profile is always an object in the local repository and is sometimes referred to as an
equivalent name. A user profile can be a profile object stored in the System Objects organization.
For example, for LDAP authentication the default user profile is
System Objects/LDAP Profile.
The following table lists the available system authentication mechanisms and describes the basis for authentication.
| UNIX system
(Search Unix User ID in Local Repository)
| UNIX system
(Search Unix Group ID in Local Repository)
| UNIX system
(Use Default User Profile)
When a user logs in, the enabled authentication mechanisms are tried in the order they are listed table above. When you configure SGD authentication, the SGD Administration Console shows the order in which the mechanisms are tried. The first authentication mechanism that authenticates a user "wins" and no further authentication mechanisms are tried.
In most circumstances, SGD can handle the expiry of the user's password if configured to do so. When a user attempts to log in with an expired password, the Aged Password dialog displays. This dialog does the following:
If the new password is accepted, the user is logged in to SGD.
The following table shows which authentication mechanisms support aged passwords.
|Authentication Mechanism||Supports aged passwords?|
|Active Directory||Yes, see the Kerberos configuration for Active Directory authentication for details.|
|Anonymous user||Not applicable. User logs in without a user name or password.|
|Authentication token||Not applicable. User logs in without a user name or password.|
|LDAP||Yes, see LDAP Authentication and Password Expiry for details.|
|SecurID||Yes. If the user's PIN has expired, a new PIN dialog is displayed instead of the Aged Password dialog.|
(including web server authentication)
|No. The expiry of the user's password is handled by the third-party authentication mechanism and is nothing to do with SGD.|
|UNIX system||Yes, see UNIX System Authentication and PAM for details.|
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.