4.1. Authenticating Users

The following table describes the supported mechanisms for authenticating users to an SGD server.

Table 4.1. User Authentication Mechanisms

Authentication Mechanism

More Information

System authentication. SGD checks the user’s credentials against one or more external authentication services, for example a Lightweight Directory Access Protocol (LDAP) directory.

Third-party authentication. An external mechanism authenticates the user and SGD trusts that the authentication is correct. The most common use of third-party authentication is web server authentication.

4.1.1. Password Security

When users log in to SGD, passwords are encrypted only if there is an HTTPS connection. By default, the SGD server is configured for HTTPS connections.

SGD uses external mechanisms for authenticating users. The security of passwords when authenticating users is as follows:

  • Active Directory authentication uses the Kerberos protocol for authentication, which is secure

  • LDAP authentication can be configured to use a secure connection

  • Web server authentication is secure only if the user has an HTTPS connection

  • All other authentication mechanisms use the native protocols for authenticating users

4.1.2. Two-Factor Authentication

For enhanced authentication security, you can use the RSA SecurID two-factor authentication system to authenticate SGD users. In SGD, this is called SecurID authentication.

RSA SecurID uses two-factor authentication based on something you know, a PIN, and something you have, a tokencode supplied by a separate token such as a PIN pad.

SecurID authentication enables users with RSA SecurID tokens to log in to SGD. SGD authenticates users against an RSA Authentication Manager.

See SecurID Authentication for details of how to configure SGD to use SecurID authentication.

See Chapter 6, Troubleshooting an SGD Deployment, for more examples of using two-factor authentication with SGD.