A.1. Secure Global Desktop Authentication Tab

Use the settings on the Secure Global Desktop Authentication tab to control how users log in to SGD. The settings apply to all SGD servers in the array. Changes to the settings take effect immediately.

From the command line, use the Section D.16, “tarantella config list” command to list these settings, and the Section D.15, “tarantella config edit” command to edit these settings.

User authentication can be performed by an external authentication mechanism (third-party authentication), or SGD can perform the authentication using a specified repository (system authentication).

The Secure Global Desktop Authentication tab contains the following sections:

A.1.1. The Authentication Wizard

The Authentication Wizard guides you through the process of setting up authentication for SGD users. The number of steps shown in the Authentication Wizard depend on the choices you make as you work though the Wizard.

The available steps in the Authentication Wizard are as follows:

A.1.2. Password Cache

Usage: Select or deselect the check box.

Description

Whether to save the user name and password that the user types to log in to SGD in the password cache.

If you are using SecurID authentication, do not save the user name and password, as SecurID passwords cannot be reused.

SGD cannot store the user names and passwords of users authenticated with third-party authentication.

Command Line

Command option: --launch-savettapassword 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example saves user log in details in the password cache.

--launch-savettapassword 1

A.1.3. Third-Party Authentication

Usage: Select or deselect the check box.

Description

Select the check box to enable third-party authentication.

This attribute enables you to give access to SGD to users who have been authenticated by a third-party mechanism, such as web authentication.

Command Line

Command option: --login-thirdparty 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables third-party authentication.

--login-thirdparty 0

A.1.4. System Authentication

Usage: Select or deselect the check box.

Description

Specifies that user authentication is done by the SGD server. Selecting this option enables the Wizard screens for system authentication settings.

Command Line

There is no command line equivalent for this attribute.

A.1.5. Search Local Repository

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in the local repository and then uses the matching user profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching the local repository for a matching user profile is disabled.

--login-thirdparty-ens 0

A.1.6. Search LDAP Repository

Usage: Select or deselect the check box.

Description

Specifies that the LDAP repository is searched to find the user identity for a user who has been authenticated by a third-party authentication mechanism.

The search method used is defined by the Section A.1.8, “Use Default LDAP Profile” or Section A.1.9, “Use Closest Matching LDAP Profile” attribute.

Command Line

There is no command line equivalent for this attribute.

A.1.7. Use Default Third-Party Identity

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method does not perform a search. The user identity is the third-party user name. The third-party user profile, System Objects/Third Party Profile, is used.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-thirdparty-nonens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default user profile is disabled.

--login-thirdparty-nonens 0

A.1.8. Use Default LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the default LDAP user profile, System Objects/LDAP Profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-ldap-thirdparty-profile 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the default LDAP profile is disabled.

--login-ldap-thirdparty-profile 0

A.1.9. Use Closest Matching LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the closest matching user profile in the local repository, allowing for differences between the LDAP and SGD naming systems.

SGD searches for the following until a match is found:

  • A user profile with the same name as the LDAP person object.

    For example, if the LDAP person object is cn=Emma Rald,cn=Sales,dc=example,dc=com, SGD searches the local repository for dc=com/dc=example/cn=Sales/cn=Emma Rald.

  • A user profile in the same organizational unit as the LDAP person object but with the name cn=LDAP Profile.

    For example, dc=com/dc=example/cn=Sales/cn=LDAP Profile.

  • A user profile in any parent organizational unit with the name cn=LDAP Profile.

    For example, dc=com/dc=example/cn=LDAP Profile.

  • If there is no match, the profile object System Objects/LDAP Profile is used for the user profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Command Line

Command option: --login-ldap-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the closest matching LDAP profile is disabled.

--login-ldap-thirdparty-ens 0

A.1.10. LDAP/Active Directory

Usage: Select or deselect the check box.

Description

Specifies that an LDAP directory server or Active Directory server is used for authentication.

Selecting this option enables the Wizard screen where you can type in LDAP directory server or Active Directory server details.

Command Line

There is no command line equivalent for this attribute.

A.1.11. Unix

Usage: Select or deselect the check box.

Description

Enables UNIX authentication.

Selecting this option enables the Wizard screen where you can configure UNIX authentication settings.

Command Line

There is no command line equivalent for this attribute.

A.1.12. SecurID

Usage: Select or deselect the check box.

Description

Enables users with RSA SecurID tokens to log in to SGD.

Command Line

Command option: --login-securid 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, SecurID authentication is disabled.

--login-securid 0

A.1.13. Anonymous

Usage: Select or deselect the check box.

Description

Enables users to log in to SGD without supplying a user name and password.

Command Line

Command option: --login-anon 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, anonymous user authentication is disabled.

--login-anon 0

A.1.14. Search Unix User ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to search for the user identity in the local repository and use the matching user profile.

Command Line

Command option: --login-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX User ID in the local repository is enabled.

--login-ens 1

A.1.15. Search Unix Group ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the UNIX user identity and search for a user profile in the local repository that matches the user's UNIX Group ID.

Command Line

Command option: --login-unix-group 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX Group ID in the local repository is enabled.

--login-unix-group 1

A.1.16. Use Default User Profile

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the default UNIX user profile, System Objects/UNIX User Profile, for the authenticated user.

Command Line

Command option: --login-unix-user 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default UNIX user profile (System Objects/UNIX User Profile) is enabled.

--login-unix-user 1

A.1.17. Active Directory

Usage: Select the option.

Description

Enables Active Directory authentication.

Command Line

Command option: --login-ad 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, Active Directory authentication is enabled.

--login-ad 1

A.1.18. LDAP

Usage: Select the LDAP option.

Description

Enables LDAP authentication.

Command Line

Command option: --login-ldap 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, LDAP authentication is enabled.

--login-ldap 1