Use the settings on the Secure Global Desktop Authentication tab to control how users log in to SGD. The settings apply to all SGD servers in the array. Changes to the settings take effect immediately.
From the command line, use the Section D.16, “tarantella config list” command to list these settings, and the Section D.15, “tarantella config edit” command to edit these settings.
User authentication can be performed by an external authentication mechanism (third-party authentication), or SGD can perform the authentication using a specified repository (system authentication).
The Secure Global Desktop Authentication tab contains the following sections:
Tokens and Cache. This section contains the following attributes:
Secure Global Desktop Authentication Effective Sequence. This section displays a summary of the current SGD authentication settings. If you click the Change User Authentication button, the Authentication Wizard starts. The Wizard enables you to configure SGD authentication. See Section A.1.1, “The Authentication Wizard”.
The Authentication Wizard guides you through the process of setting up authentication for SGD users. The number of steps shown in the Authentication Wizard depends on the choices you make as you work through the Wizard.
The available steps in the Authentication Wizard are as follows:
Overview. Includes background information about how users authenticate to SGD.
Third-Party/System Authentication. Select whether you want to use third-party authentication, system authentication or both.
This step contains the following attributes:
Third-Party Authentication – User Identity and Profile. For third-party authentication only. Choose search methods to use for finding the user identity and user profile of the authenticated user.
This step contains the following attributes:
System Authentication – Repositories. For system authentication only. Select one or more check boxes to enable repositories that SGD uses for locating user information. The repositories are listed in the order in which they are tried. If one repository authenticates the user, no more repositories are tried.
This step contains the following attributes:
Unix Authentication – User Profile. For system authentication only. This screen is shown if UNIX authentication is selected. Select one or more check boxes to specify how to find the user profile for the authenticated UNIX system user. The search methods are listed in the order in which they are tried. If one method finds a matching user profile, no more search methods are tried.
This step contains the following attributes:
LDAP Repository Details. For third-party or system authentication. This screen is shown if an LDAP or Active Directory system authentication repository is selected, or if the Search LDAP Repository option is selected for third-party authentication. Here, you specify details of the LDAP repository to use.
This step contains the following attributes:
The LDAP Repository Details step enables you to create and manage the service object called generated. If more than one service object is configured, you use the Service Objects tab to configure these details, see Section A.2, “Service Objects Tab”.
Review Selections. Shows a summary of the choices you have made using the Wizard. You can review your authentication settings before confirming the changes.
Usage: Select or deselect the check box.
Whether to save the user name and password that the user types to log in to SGD in the password cache.
If you are using SecurID authentication, do not save the user name and password, as SecurID passwords cannot be reused.
SGD cannot store the user names and passwords of users authenticated with third-party authentication.
Command option:
--launch-savettapassword 1 | 0
Usage: Specify 1 (true) or 0 (false).
The following example saves user login details in the password cache.
--launch-savettapassword 1
Usage: Select or deselect the check box.
Select the check box to enable third-party authentication.
This attribute enables you to give access to SGD to users who have been authenticated by a third-party mechanism, such as web authentication.
Command option:
--login-thirdparty 1 | 0
Usage: Specify 1 (true) or 0 (false).
The following example disables third-party authentication.
--login-thirdparty 0
Usage: Select or deselect the check box.
Specifies that user authentication is done by the SGD server. Selecting this option enables the Wizard screens for system authentication settings.
There is no command line equivalent for this attribute.
Usage: Select or deselect the check box.
This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.
This search method searches for the user identity in the local repository and then uses the matching user profile.
If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.
If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.
Command option:
--login-thirdparty-ens 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, searching the local repository for a matching user profile is disabled.
--login-thirdparty-ens 0
Usage: Select or deselect the check box.
Specifies that the LDAP repository is searched to find the user identity for a user who has been authenticated by a third-party authentication mechanism.
The search method used is defined by the Section A.1.8, “Use Default LDAP Profile” or Section A.1.9, “Use Closest Matching LDAP Profile” attribute.
There is no command line equivalent for this attribute.
Usage: Select or deselect the check box.
This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.
This search method does not perform a search. The user identity is the third-party user name. The third-party user profile, System Objects/Third Party Profile, is used.
If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.
If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.
Command option:
--login-thirdparty-nonens 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, using the default user profile is disabled.
--login-thirdparty-nonens 0
Usage: Select the option.
This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.
This search method searches for the user identity in an LDAP repository and then uses the default LDAP user profile, System Objects/LDAP Profile.
If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.
If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.
Command option:
--login-ldap-thirdparty-profile 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, searching LDAP and using the default LDAP profile is disabled.
--login-ldap-thirdparty-profile 0
Usage: Select the option.
This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.
This search method searches for the user identity in an LDAP repository and then uses the closest matching user profile in the local repository, allowing for differences between the LDAP and SGD naming systems.
SGD searches for the following until a match is found:
A user profile with the same name as the LDAP person object. For example, if the LDAP person object is cn=Emma Rald,cn=Sales,dc=example,dc=com, SGD searches the local repository for dc=com/dc=example/cn=Sales/cn=Emma Rald.
A user profile in the same organizational unit as the LDAP person object but with the name cn=LDAP Profile. For example, dc=com/dc=example/cn=Sales/cn=LDAP Profile.
A user profile in any parent organizational unit with the name cn=LDAP Profile. For example, dc=com/dc=example/cn=LDAP Profile.
If there is no match, the profile object System Objects/LDAP Profile is used for the user profile.
If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.
If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.
Command option:
--login-ldap-thirdparty-ens 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, searching LDAP and using the closest matching LDAP profile is disabled.
--login-ldap-thirdparty-ens 0
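The closest-matching search above is the one part of this tab with a real algorithm behind it, so here is a model of it. This is an added illustration and not SGD's own code. It assumes the local repository can be represented as a set of SGD object names, and that an LDAP object's SGD name is its DN with the RDNs reversed and joined by "/", as in the page's own example (cn=Emma Rald,cn=Sales,dc=example,dc=com becomes dc=com/dc=example/cn=Sales/cn=Emma Rald). The sample repository contents in the demo are constructed.

```python
"""Model of SGD's "closest matching LDAP profile" search (added example).

Assumptions (not stated by the page): the local repository is a set of SGD
object names, and an LDAP DN maps to an SGD name by reversing its RDNs and
joining them with "/".
"""

DEFAULT_LDAP_PROFILE = "System Objects/LDAP Profile"
LDAP_PROFILE_RDN = "cn=LDAP Profile"


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas only.

    A naive dn.split(",") mis-parses RDNs such as cn=Rald\\, Emma, which
    would send the lookup to a different container than the one the
    directory actually holds the person in.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.extend((ch, dn[i + 1]))  # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def sgd_name(rdns):
    """SGD object name for a list of RDNs: reversed and joined by '/'."""
    return "/".join(reversed(rdns))


def closest_matching_ldap_profile(person_dn, local_repository):
    """Return the SGD user profile name used for an LDAP person object.

    local_repository is the set of SGD object names that exist locally.
    Search order follows the page: the exact name, cn=LDAP Profile in the
    person's own container, cn=LDAP Profile in each parent container, and
    finally the System Objects/LDAP Profile fallback.
    """
    rdns = split_dn(person_dn)
    candidates = [sgd_name(rdns)]
    # rdns[1:] is the person's own container, rdns[2:] its parent, and so on
    # up to the top-level component; the profile RDN becomes the leaf.
    for depth in range(1, len(rdns)):
        candidates.append(sgd_name([LDAP_PROFILE_RDN] + rdns[depth:]))
    for name in candidates:
        if name in local_repository:
            return name
    return DEFAULT_LDAP_PROFILE


if __name__ == "__main__":
    # Constructed local repository: no profile for Emma herself, but one for
    # her container and one further up the tree.
    repo = {
        "dc=com/dc=example/cn=Sales/cn=LDAP Profile",
        "dc=com/dc=example/cn=LDAP Profile",
    }
    for dn in ("cn=Emma Rald,cn=Sales,dc=example,dc=com",
               "cn=Rald\\, Emma,cn=Support,dc=example,dc=com",
               "cn=Guest,dc=other,dc=com"):
        print(dn, "->", closest_matching_ldap_profile(dn, repo))
```

Running the demo shows the three outcomes the page describes: Emma resolves to the Sales container's cn=LDAP Profile, the Support user (note the escaped comma in the RDN) walks up to dc=com/dc=example/cn=LDAP Profile, and a person outside dc=example falls back to System Objects/LDAP Profile.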
Usage: Select or deselect the check box.
Specifies that an LDAP directory server or Active Directory server is used for authentication.
Selecting this option enables the Wizard screen where you can type in LDAP directory server or Active Directory server details.
There is no command line equivalent for this attribute.
Usage: Select or deselect the check box.
Enables UNIX authentication.
Selecting this option enables the Wizard screen where you can configure UNIX authentication settings.
There is no command line equivalent for this attribute.
Usage: Select or deselect the check box.
Enables users with RSA SecurID tokens to log in to SGD.
Command option:
--login-securid 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, SecurID authentication is disabled.
--login-securid 0
Usage: Select or deselect the check box.
Enables users to log in to SGD without supplying a user name and password.
Command option:
--login-anon 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, anonymous user authentication is disabled.
--login-anon 0
Usage: Select or deselect the check box.
Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to search for the user identity in the local repository and use the matching user profile.
Command option:
--login-ens 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, searching for the UNIX User ID in the local repository is enabled.
--login-ens 1
Usage: Select or deselect the check box.
Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the UNIX user identity and search for a user profile in the local repository that matches the user's UNIX Group ID.
Command option:
--login-unix-group 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, searching for the UNIX Group ID in the local repository is enabled.
--login-unix-group 1
Usage: Select or deselect the check box.
Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the default UNIX user profile, System Objects/UNIX User Profile, for the authenticated user.
Command option:
--login-unix-user 1 | 0
Usage: Specify 1 (true) or 0 (false).
In the following example, using the default UNIX user profile (System Objects/UNIX User Profile) is enabled.
--login-unix-user 1
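Several of the attributes on this tab interact: the password cache must not be used with SecurID, anonymous login hands out sessions without credentials, and third-party authentication with no search method selected sends every user back to the standard login page. The following script audits an array for those combinations and prints the tarantella config edit commands that correct them. It is an added example, not SGD's own tooling. It assumes that tarantella config list prints one "--option value" pair per line for the options on this page; if your SGD version prints a different format, adjust parse_config_list(). The sample output embedded below is constructed.

```python
"""Audit of SGD authentication settings for the conflicts this page warns
about (added example, not part of SGD).

Assumed input format: `tarantella config list` output with one
"--option value" pair per line, for the options documented on this page.
"""

# Constructed sample of `tarantella config list` output (assumed format).
SAMPLE_CONFIG_LIST = """\
--launch-savettapassword 1
--login-thirdparty 1
--login-thirdparty-ens 0
--login-thirdparty-nonens 0
--login-ldap-thirdparty-profile 0
--login-ldap-thirdparty-ens 0
--login-securid 1
--login-anon 1
"""

# The third-party search methods documented on this page.
THIRD_PARTY_SEARCH_METHODS = (
    "--login-thirdparty-ens",
    "--login-thirdparty-nonens",
    "--login-ldap-thirdparty-profile",
    "--login-ldap-thirdparty-ens",
)

# One possible correction per finding; the third-party one enables the local
# repository search, which is only one of the four methods you could pick.
REMEDIATION = {
    "securid-with-password-cache": "tarantella config edit --launch-savettapassword 0",
    "anonymous-login-enabled": "tarantella config edit --login-anon 0",
    "thirdparty-without-search-method": "tarantella config edit --login-thirdparty-ens 1",
}


def parse_config_list(text):
    """Turn `tarantella config list` output into {option: int}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("--"):
            continue  # skip anything that is not an option line
        option, _, value = line.partition(" ")
        settings[option] = int(value.strip())
    return settings


def audit(settings):
    """Return sorted finding codes for the combinations the page warns about."""
    findings = []
    # SecurID passcodes cannot be reused, so a cached password is never valid.
    if settings.get("--login-securid") == 1 and settings.get("--launch-savettapassword") == 1:
        findings.append("securid-with-password-cache")
    # Anonymous login grants a session with no user name or password.
    if settings.get("--login-anon") == 1:
        findings.append("anonymous-login-enabled")
    # Third-party auth with no search method: no identity match is possible,
    # so every user is shown the standard login page anyway.
    if settings.get("--login-thirdparty") == 1 and not any(
        settings.get(method) == 1 for method in THIRD_PARTY_SEARCH_METHODS
    ):
        findings.append("thirdparty-without-search-method")
    return sorted(findings)


def remediation_commands(findings):
    """Commands to fix the findings (array-wide, effective immediately)."""
    return [REMEDIATION[f] for f in findings if f in REMEDIATION]


if __name__ == "__main__":
    # On a real server: run `tarantella config list` with the options above
    # and feed its output in place of SAMPLE_CONFIG_LIST.
    current = parse_config_list(SAMPLE_CONFIG_LIST)
    for finding in audit(current):
        print("finding:", finding)
    for command in remediation_commands(audit(current)):
        print("fix:    ", command)
```

Because the settings apply to every SGD server in the array and changes take effect immediately, run the printed commands once, on any array member, rather than per server.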