
Secure Global Desktop Login properties (array-wide)

Use the attributes on the Array Manager Secure Global Desktop Login Properties panel to control how users log in to Secure Global Desktop. The attributes apply to all array members and take effect immediately.

Use the tarantella config command to list and edit these settings.

Each entry below lists the Array Manager attribute, its tarantella config command-line option, and a description.

Attribute: Login Theme
Command line: --login-theme theme_name

Choose the login theme to be used across the array. The login theme determines the style and appearance of the page users see when logging in to Secure Global Desktop from a web browser.

Note: This attribute is only used with the classic webtop. The browser-based webtop does not use login themes.

External authentication
Attribute: Use classic web server authentication
Command line: --tarantella-config-components-webloginauthority 1 | 0

Check the box to enable web server authentication for the classic webtop.

Attribute: Use third party authentication
Command line: --login-thirdparty 1 | 0

Check the box to enable third party authentication for the browser-based webtop.

This allows you to give webtops to users who have been authenticated by an external mechanism, such as web server authentication.

User identity mapping
Attribute: Search ENS for matching person
Command line, for the classic webtop:

--login-web-ens 1 | 0

For the browser-based webtop:

--tarantella-config-login-thirdparty-searchens 1 | 0

Check one or more boxes to select the search methods you want Secure Global Desktop to use to determine the identity and login profile of a user who has been authenticated by an external authentication method.

See web server/third party authentication for details.

If more than one box is checked, the search methods are used in the order shown above. However, neither web server authentication nor third party authentication supports ambiguous users, so the first match found is used.

If the searches do not produce a match, the standard login page displays and the user must log in to Secure Global Desktop in the normal way.

Note: On the command line, there are separate commands for the classic and browser-based webtops. If you use the command line, we recommend you enable/disable the options for both webtops.

Attribute: Search LDAP and use closest ENS match
Command line, for the classic webtop:

--login-web-ldap-ens 1 | 0

For the browser-based webtop:

--tarantella-config-ldap-thirdpartyldapcandidate-useens 1 | 0

Attribute: Search LDAP and use LDAP profile
Command line, for the classic webtop:

--login-web-ldap-profile 1 | 0

For the browser-based webtop:

--tarantella-config-ldap-thirdpartyldapcandidate-useprofile 1 | 0

Attribute: Use default profile
Command line, for the classic webtop:

--login-web-profile 1 | 0

For the browser-based webtop:

--tarantella-config-login-thirdparty-allownonens 1 | 0

Token validation
Attribute: Tokens are valid for
Command line: --login-web-tokenvalidity int

The validity period of the web server authentication token in seconds. The number of seconds must be between 1 and 600. The default value is 180.

If web server authentication is enabled, when a user goes to the http://server/tarantella URL, the web server generates a token and this is accepted by the Secure Global Desktop server as proof of authentication. Each token is valid only once.

The token may need to be valid for a few minutes to allow client devices to download the Secure Global Desktop Java™ archive. If all users have the archive already installed, you can reduce the validity period to a few seconds.

Reducing the token validity period may result in failed logins on slow networks.

We recommend you use secure (HTTPS) web servers to ensure a token can't be intercepted and used by a third party while still valid.

Note: This attribute is only used for web server authentication with the classic webtop.

Attribute: Web server username
Command line: --login-web-user string

The username of the user that owns web server (httpd) processes.

The default is ttaserv as this is the user used by the Secure Global Desktop Web Server.

If you use your own web server, you must change this to the user you use for your web server, typically nobody.

This user is a trusted user for web authentication. We recommend you restrict access to this user and restrict the processes that run as this user. It is more secure to have a dedicated user that runs the web server and nothing else.

All web servers used in the array must use the same username.

You must restart all array members for a change to this setting to take effect.

Note: This attribute is only used for web server authentication with the classic webtop.

Login authorities
Attribute: Anonymous user login authority
Command line: --login-anon 1 | 0

Check one or more boxes to enable those login authorities.

The login authorities are listed in the order in which they are tried. If one login authority authenticates the user, no more login authorities are tried.

Attribute: ENS login authority
Command line: --login-ens 1 | 0

Attribute: NT login authority
Command line: --login-nt 1 | 0

Attribute: LDAP login authority
Command line: --login-ldap 1 | 0

Attribute: Active Directory login authority
Command line: --login-ad 1 | 0

Attribute: UNIX group login authority
Command line: --login-unix-group 1 | 0

Attribute: UNIX user login authority
Command line: --login-unix-user 1 | 0

Attribute: SecurID login authority
Command line: --login-securid 1 | 0
Windows NT Domain

Attribute: Windows NT Domain
Command line: --login-nt-domain dom

The name of the Windows NT, Windows 2000 or Windows 2003 domain that the NT login authority uses to authenticate users.
LDAP Server

Attribute: URL
Command line: --login-ldap-url url

The location of the LDAP directory/Active Directory server(s) used for the LDAP login authority, the Active Directory login authority, third party/web server authentication (the LDAP user identity mapping options) and Directory Services Integration.

For the LDAP login authority and third party/web server authentication, this is a semicolon-separated list of URLs. The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, Secure Global Desktop tries the next one in the list. Each URL has the form ldap://server:port/searchroot where:

  • server is the DNS name of the LDAP directory server.
  • port is the TCP port on which the LDAP directory server listens for connections. You can omit this (and the preceding ":") to use the default port.
  • searchroot is the position in the LDAP directory structure from which the LDAP login authority should start searching for matching users, for example dc=indigo-insurance,dc=com.

Note: Use an ldaps:// URL if your LDAP directory server requires or allows SSL connections. Extra configuration is required for SSL connections, see Securing connections to LDAP directory servers for details.

For the Active Directory login authority, this is the URL of an Active Directory domain and takes the form ad://domain, for example ad://east.indigo-insurance.com. The URL must start ad:// and must not contain a searchroot. Only enter one domain.
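The URL rules above are easy to get wrong in a semicolon-separated list (a stray ad:// entry, a searchroot on an Active Directory URL, more than one domain). The following checker is an added example, not part of the product or this guide; the hostnames it is tested with are constructed, and the default ports it fills in (389 for ldap://, 636 for ldaps://) are the standard LDAP ports, assumed because the page only says "the default port".

```python
import re

# Standard LDAP ports used when ":port" is omitted (assumed; see lead-in).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

LDAP_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://(?P<server>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<searchroot>.*))?$")
AD_URL_RE = re.compile(r"^ad://(?P<domain>[A-Za-z0-9.-]+)$")


def parse_ldap_list(value):
    """Parse the semicolon-separated list used by the LDAP login authority and
    third party/web server authentication, in the order the servers are tried."""
    entries = []
    for raw in value.split(";"):
        url = raw.strip()
        if not url:
            continue
        m = LDAP_URL_RE.match(url)
        if not m:
            raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
        scheme = m.group("scheme")
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {url!r}")
        entries.append({"server": m.group("server"), "port": port,
                        "searchroot": m.group("searchroot") or "",
                        "ssl": scheme == "ldaps"})
    return entries


def parse_ad_url(value):
    """The Active Directory login authority takes exactly one ad://domain URL
    with no searchroot; returns the domain name."""
    if ";" in value:
        raise ValueError("only one Active Directory domain may be entered")
    m = AD_URL_RE.match(value.strip())
    if not m:
        raise ValueError(f"must be ad://domain with no searchroot: {value!r}")
    return m.group("domain")


def url_error(value, authority):
    """None if value is acceptable for authority ("ldap" or "ad"), else the reason."""
    try:
        parse_ad_url(value) if authority == "ad" else parse_ldap_list(value)
    except ValueError as exc:
        return str(exc)
    return None
```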

Attribute: Username/Password
Command line: use the tarantella passcache new --ldap command.

The username and password of a user that has privileges to search an LDAP directory server/Active Directory server. This isn't required for some LDAP directory servers.

  • For the LDAP login authority or third party/web server authentication, use a full username such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.
  • For the Active Directory login authority, use a user principal name such as orange@indigo-insurance.com.

Note: For security reasons, the password is not displayed even if it has been previously set.

Active Directory
Attribute: Base Domain
Command line: --login-ad-base-domain dom

The domain the Active Directory login authority uses if users only supply a partial domain when they log in.

For example, if the base domain is set to "indigo-insurance.com" and a user logs in with the username "rouge@west", the Active Directory login authority tries to authenticate "rouge@west.indigo-insurance.com".

Attribute: Default Domain
Command line: --login-ad-default-domain dom

The domain the Active Directory login authority uses if users do not supply a domain when they log in.

For example, if the default domain is set to "east.indigo-insurance.com" and a user logs in with the username "rouge", the Active Directory login authority tries to authenticate "rouge@east.indigo-insurance.com".
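The two domain rules above (no domain: use the Default Domain; partial domain: qualify with the Base Domain) are written out here as an added example, not as the product's own code. It assumes, because the page does not say how a partial domain is recognised, that a supplied domain equal to or ending with the base domain is already complete.

```python
def resolve_ad_logon_name(username, default_domain, base_domain):
    """Return the name the Active Directory login authority tries for the
    username a user typed, applying the two rules on this page:
      - no domain supplied      -> user@<Default Domain>
      - partial domain supplied -> user@<partial>.<Base Domain>
    Assumption (not stated on the page): a supplied domain that equals or
    ends with the base domain is treated as complete and left unchanged."""
    if "@" not in username:
        return f"{username}@{default_domain}"
    user, domain = username.rsplit("@", 1)
    if domain == base_domain or domain.endswith("." + base_domain):
        return f"{user}@{domain}"
    return f"{user}@{domain}.{base_domain}"
```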
