Secure Global Desktop Administration Guide > Users and authentication > Login authorities

Login authorities

Read this topic to...
  • Learn what login authorities are and what they do.
  • Learn what login authorities are available.
  • Learn what login profiles are.

A login authority provides two services:

  • Authentication: it decides whether a user is allowed to log in to Secure Global Desktop and, if so, assigns the user an identity (a fully qualified TFN name).
  • Login profile: it determines the ENS object that controls the user's webtop content and other Secure Global Desktop-specific settings.

Each login authority has its own rules for determining the identity and the login profile.

Secure Global Desktop has the following login authorities:

Login authority Description
Anonymous user
  • Allows users to log in to Secure Global Desktop without using a username and password.
  • All anonymous users have the same webtop content.
Authentication token
  • Allows users to log in to Secure Global Desktop if the Sun Secure Global Desktop Client supplies a valid authentication token.
  • Users may have their own webtop content, depending on configuration.

Note: This login authority cannot be used with the classic webtop.

ENS
  • Allows users to log in to Secure Global Desktop if they have person objects in ENS and UNIX/Linux accounts on the Secure Global Desktop host.
  • Users have their own webtop content.
NT
  • Allows users to log in to Secure Global Desktop if they belong to a specified Windows domain.
  • Users may have their own webtop content, depending on configuration.
LDAP
  • Allows users to log in to Secure Global Desktop if they have an entry in an LDAP directory.
  • Users may have their own webtop content, depending on configuration.
Active Directory
  • Allows users to log in to Secure Global Desktop if they have an account in an Active Directory domain.
  • Users may have their own webtop content, depending on configuration.
UNIX Group
  • Allows users to log in to Secure Global Desktop if they have UNIX/Linux accounts on the Secure Global Desktop host.
  • All UNIX users in the same UNIX group have the same webtop content.
UNIX User
  • Allows users to log in to Secure Global Desktop if they have UNIX/Linux accounts on the Secure Global Desktop host.
  • All UNIX users have the same webtop content.
SecurID
  • Allows users with RSA SecurID tokens to log in to Secure Global Desktop.
  • Users may have their own webtop content, depending on configuration.

When a user logs in, the enabled login authorities are tried in the order they are listed in Array Manager (the same as the table above). The first login authority that authenticates a user "wins" and no further login authorities are tried. Because of this, when more than one enabled login authority would accept the same credentials, the order decides which authority handles the login, and therefore which identity and login profile the user gets; disabling an authority simply removes it from the sequence.

Secure Global Desktop Administrators can enable and disable each login authority independently. You can configure login authorities either in Array Manager using the Secure Global Desktop Login panel or by using the tarantella config command. Secure Global Desktop server authentication is configured array-wide.

User identities

A successful authentication by a login authority results in an identity or fully qualified name. An identity is a TFN name assigned by a login authority and is the Secure Global Desktop idea of who a user is. The identity is associated with the user's webtop session, their emulator sessions and their entries in the application server password cache.

The identity is not necessarily the name of a person object in ENS. For example, the UNIX User login authority assigns identities in the .../_user namespace. This is because it authenticates against the UNIX/Linux user database.

Login profiles

A user's webtop content and other Secure Global Desktop-specific settings are controlled by a login profile. Each login authority has its own set of rules for determining the login profile. Login profiles are always objects in ENS (this is why they are sometimes called ENS equivalents). A login profile can be a standard person object or a profile object stored in the Tarantella System Objects organization.

For example, although the UNIX User login authority assigns identities in the .../_user namespace, the login profile is always the profile object .../_ens/o=Tarantella System Objects/cn=UNIX User Profile.
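The two points above, first-match-wins evaluation of the enabled login authorities and the separation between the identity (a TFN name) and the login profile (always an ENS object), are easy to get wrong when reasoning about what a user will see after login. The following is an added model written for this page, not Secure Global Desktop code and not its API: it evaluates a chain of UNIX Group and UNIX User authorities in the order of the table above against a constructed in-memory user database. The UNIX User profile DN is the one named on this page; the per-group profile DN, the .../_user identity for UNIX Group, the SHA-256 password digests and the sample users are assumptions made for the illustration.

```python
"""Model of how Secure Global Desktop tries login authorities in order.

Added illustration, not code from Secure Global Desktop: the classes model
the behaviour the guide describes (enabled authorities tried in order, first
success wins, identity in a TFN namespace, login profile always an ENS
object) against a constructed in-memory user database.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


def _digest(password: str) -> str:
    # Constructed sample data only: a real host verifies through
    # crypt()/PAM, not a bare SHA-256 of the password.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the host's UNIX/Linux user database.
UNIX_USERS = {
    "alice": {"digest": _digest("s3cret"), "group": "staff"},
    "bob": {"digest": _digest("hunter2"), "group": "ops"},
}

# Login profile named on this page for the UNIX User login authority.
UNIX_USER_PROFILE = ".../_ens/o=Tarantella System Objects/cn=UNIX User Profile"


@dataclass
class Result:
    authority: str
    identity: str       # TFN name assigned by the authority
    login_profile: str  # always an object in ENS


def unix_password_ok(username: str, password: str) -> bool:
    """Check credentials against the constructed user database."""
    entry = UNIX_USERS.get(username)
    if entry is None:
        return False
    # Constant-time comparison so a mismatch does not leak how many
    # leading digest characters matched.
    return hmac.compare_digest(entry["digest"], _digest(password))


class LoginAuthority:
    name = "base"

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled

    def authenticate(self, username: str, password: str) -> Optional[Result]:
        raise NotImplementedError


class UnixGroup(LoginAuthority):
    """UNIX Group: same credentials as UNIX User, one profile per group."""
    name = "UNIX Group"

    def authenticate(self, username, password):
        if not unix_password_ok(username, password):
            return None
        group = UNIX_USERS[username]["group"]
        # Hypothetical profile DN for the group; the page does not name one.
        profile = f".../_ens/o=Tarantella System Objects/cn={group} Profile"
        # Assumption: identity lives in .../_user, as for UNIX User.
        return Result(self.name, f".../_user/{username}", profile)


class UnixUser(LoginAuthority):
    """UNIX User: identity in .../_user, a single shared login profile."""
    name = "UNIX User"

    def authenticate(self, username, password):
        if not unix_password_ok(username, password):
            return None
        return Result(self.name, f".../_user/{username}", UNIX_USER_PROFILE)


def login(chain: List[LoginAuthority], username: str, password: str) -> Optional[Result]:
    """Try enabled authorities in order; the first that authenticates wins."""
    for authority in chain:
        if not authority.enabled:
            continue
        result = authority.authenticate(username, password)
        if result is not None:
            return result
    return None


def default_chain(group_enabled: bool = True) -> List[LoginAuthority]:
    # Order as in the table on this page: UNIX Group is tried before UNIX User.
    return [UnixGroup(enabled=group_enabled), UnixUser()]


if __name__ == "__main__":
    print(login(default_chain(), "alice", "s3cret"))
    print(login(default_chain(group_enabled=False), "alice", "s3cret"))
    print(login(default_chain(), "alice", "wrong"))
```

With both authorities enabled, alice is authenticated by UNIX Group and gets the group profile; disable UNIX Group and the same credentials fall through to UNIX User, same identity but the shared UNIX User Profile. A wrong password or unknown user falls off the end of the chain and the login fails.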

To allow you to monitor sessions from Object Manager, all webtop and emulator sessions are shown on the Sessions tab for login profiles, not for identities. This is because Object Manager only lets you search and browse ENS and many identities are in other namespaces.
