Secure Global Desktop 4.31 Administration Guide: Arrays, servers and load balancing

Secure Global Desktop Login properties (array-wide)

Use the attributes on the Array Manager Secure Global Desktop Login Properties panel to control how users log in to Secure Global Desktop. The attributes apply to all array members and take effect immediately.

Use the tarantella config command to list and edit these settings.

Each attribute is listed below with its command line option and a description.

Login Theme
Command line: --login-theme theme_name
  • Choose the login theme to be used across the array.
  • The login theme determines the style and appearance of the page users see when logging in to Secure Global Desktop from a web browser.

Note This attribute is only used with the classic webtop. The browser-based webtop does not use login themes.

Use classic web server authentication
Command line: --tarantella-config-components-webloginauthority 1 | 0
  • Check the box to enable web server authentication for the classic webtop.

Use third party authentication
Command line: --login-thirdparty 1 | 0
  • Check the box to enable third party authentication for the browser-based webtop.
  • Allows you to give webtops to users who have been authenticated by an external mechanism, such as web server authentication.
Search ENS for matching person
Command line (classic webtop): --login-web-ens 1 | 0
Command line (browser-based webtop): --tarantella-config-login-thirdparty-searchens 1 | 0

Search LDAP and use closest ENS match
Command line (classic webtop): --login-web-ldap-ens 1 | 0
Command line (browser-based webtop): --tarantella-config-ldap-thirdpartyldapcandidate-useens 1 | 0

Search LDAP and use LDAP profile
Command line (classic webtop): --login-web-ldap-profile 1 | 0
Command line (browser-based webtop): --tarantella-config-ldap-thirdpartyldapcandidate-useprofile 1 | 0

Use default profile
Command line (classic webtop): --login-web-profile 1 | 0
Command line (browser-based webtop): --tarantella-config-login-thirdparty-allownonens 1 | 0

The following applies to all four search methods:
  • Check one or more boxes to select the search methods you want Secure Global Desktop to use to determine the identity and login profile of a user who has been authenticated by an external authentication method.
  • See web server/third party authentication for details.
  • If more than one box is checked, the search methods are used in the order shown above. However, neither web server authentication nor third party authentication supports ambiguous users, so the first match found is used.
  • If the searches do not produce a match, the standard login page displays and the user must log in to Secure Global Desktop in the normal way.

Note On the command line, there are separate commands for the classic and browser-based webtops. If you use the command line, we recommend you enable/disable the options for both webtops.

Tokens are valid for
Command line: --login-web-tokenvalidity int
  • The validity period of the web server authentication token in seconds. The number of seconds must be between 1 and 600. The default value is 180.
  • If web server authentication is enabled, when a user goes to the http://server.example.com/tarantella URL, the web server generates a token and this is accepted by the Secure Global Desktop server as proof of authentication. Each token is valid only once.
  • The token may need to be valid for a few minutes to allow client devices to download the Secure Global Desktop Java™ archive. If all users have the archive already installed, you can reduce the validity period to a few seconds.
  • Reducing the token validity period may result in failed logins on slow networks.
  • To ensure a token cannot be intercepted and used by a third party while still valid, use secure (HTTPS) web servers.

Note This attribute is only used for web server authentication with the classic webtop.

Web server username
Command line: --login-web-user string
  • The username of the user that owns web server (httpd) processes.
  • The default is ttaserv as this is the user used by the Secure Global Desktop Web Server.
  • If you use your own web server, you must change this to the user you use for your web server, typically nobody.
  • This user is a trusted user for web authentication. We recommend you restrict access to this user and restrict the processes that run as this user. It is more secure to have a user that is used to run the web server and nothing else.
  • All web servers used in the array must use the same username.
  • You must restart all array members for a change to this setting to take effect.

Note This attribute is only used for web server authentication with the classic webtop.

Anonymous user login authority
Command line: --login-anon 1 | 0

Authentication token login authority
Command line: --login-atla 1 | 0

ENS login authority
Command line: --login-ens 1 | 0

NT login authority
Command line: --login-nt 1 | 0

LDAP login authority
Command line: --login-ldap 1 | 0

Active Directory login authority
Command line: --login-ad 1 | 0

UNIX group login authority
Command line: --login-unix-group 1 | 0

UNIX user login authority
Command line: --login-unix-user 1 | 0

SecurID login authority
Command line: --login-securid 1 | 0

The following applies to all login authorities:
  • Check one or more boxes to enable those login authorities.
  • The login authorities are listed in the order in which they are tried. If one login authority authenticates the user, no more login authorities are tried.
  • SecurID authentication is not supported on the Solaris Operating System on x86 platforms.
  • The authentication token login authority can only be used when the Secure Global Desktop Client is operating in integrated mode. The Native Client and Java technology clients do not support this login authority.

Windows NT Domain
Command line: --login-nt-domain dom

URL
Command line: --login-ldap-url url
  • The location of the LDAP directory/Active Directory server(s) used for the LDAP login authority, the Active Directory login authority, third party/web server authentication (the LDAP user identity mapping options) and Directory Services Integration.
  • For the LDAP login authority and third party/web server authentication, this is a semicolon-separated list of URLs. The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, Secure Global Desktop tries the next one in the list. Each URL has the form ldap://server:port/searchroot where:
    • server is the DNS name of the LDAP directory server.
    • port is the TCP port on which the LDAP directory server listens for connections. You can omit this (and the preceding ":") to use the default port.
    • searchroot is the position in the LDAP directory structure from which the LDAP login authority should start searching for matching users, for example dc=indigo-insurance,dc=com.

    Note Use an ldaps:// URL if your LDAP directory server requires or allows SSL connections. Extra configuration is required for SSL connections, see Securing connections to LDAP directory servers for details.

  • For the Active Directory login authority, this is the URL of an Active Directory domain and takes the form ad://domain, for example ad://east.indigo-insurance.com. The URL must start ad:// and must not contain a searchroot. Only enter one domain.
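The URL rules above are easy to get wrong when typed by hand. The following is an added example (not part of the Secure Global Desktop documentation or product) that checks a proposed --login-ldap-url value against exactly the rules stated on this page: a semicolon-separated list of ldap:// or ldaps:// URLs of the form server[:port]/searchroot, or a single ad://domain URL with no searchroot. The server names in the test values are constructed.

```python
from urllib.parse import urlsplit


def check_login_ldap_url(value: str) -> dict:
    """Check a --login-ldap-url value against the URL rules on this page.

    Returns {"errors": [...], "warnings": [...]}. An empty "errors" list means
    the value is well formed; warnings flag plain ldap:// (unencrypted) URLs.
    This is an added validator, not part of the product.
    """
    errors, warnings = [], []
    urls = [u.strip() for u in value.split(";") if u.strip()]
    if not urls:
        return {"errors": ["no URL given"], "warnings": []}

    if any(urlsplit(u).scheme == "ad" for u in urls):
        # Active Directory login authority: exactly one ad://domain URL,
        # nothing after the domain.
        if len(urls) != 1:
            errors.append("ad:// form: only one domain may be entered, with no other URLs")
        p = urlsplit(urls[0])
        if p.scheme != "ad" or not p.netloc:
            errors.append(f"{urls[0]}: Active Directory URL must start ad://domain")
        if p.path.strip("/") or p.query or p.fragment:
            errors.append(f"{urls[0]}: ad:// URL must not contain a searchroot")
        return {"errors": errors, "warnings": warnings}

    # LDAP login authority / third party authentication: ordered list of
    # ldap:// or ldaps:// URLs, each with a server and a searchroot.
    for url in urls:
        p = urlsplit(url)
        if p.scheme not in ("ldap", "ldaps"):
            errors.append(f"{url}: URL must start ldap:// or ldaps://")
            continue
        if not p.hostname:
            errors.append(f"{url}: missing server name")
        try:
            p.port  # None when omitted; ValueError when not a valid port number
        except ValueError:
            errors.append(f"{url}: port must be a TCP port number")
        if not p.path.lstrip("/"):
            errors.append(f"{url}: missing searchroot, for example dc=indigo-insurance,dc=com")
        if p.scheme == "ldap":
            warnings.append(f"{url}: ldap:// is unencrypted; use ldaps:// if the server allows SSL")
    return {"errors": errors, "warnings": warnings}
```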
Username/Password
Command line: use the tarantella passcache new --ldap command.
  • The username and password of a user that has privileges to search an LDAP directory server/Active Directory server. This is not required for some LDAP directory servers.
  • For the LDAP login authority or third party/web server authentication, use a full username such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.
  • For the Active Directory login authority, use a user principal name such as orange@indigo-insurance.com.

Note For security reasons, the password is not displayed even if it has been previously set.

Use Certificates
Command line: --login-ldap-pki-enabled 1 | 0

Base Domain
Command line: --login-ad-base-domain dom
  • The domain the Active Directory login authority uses if users only supply a partial domain when they log in.
  • For example, if the root domain is set to "indigo-insurance.com" and a user logs in with the username "rouge@west", the Active Directory login authority tries to authenticate "rouge@west.indigo-insurance.com".
Default Domain
Command line: --login-ad-default-domain dom
  • The domain the Active Directory login authority uses if users do not supply a domain when they log in.
  • For example, if the default domain is set to "east.indigo-insurance.com" and a user logs in with the username "rouge", the Active Directory login authority tries to authenticate "rouge@east.indigo-insurance.com".
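The Base Domain and Default Domain attributes work together, which the two examples above show only one at a time. The following added example (not the product's own code) reproduces the two documented cases in one function; it assumes, beyond what the page states, that a supplied domain which already ends with the base domain is left unchanged.

```python
def complete_ad_username(username: str, base_domain: str, default_domain: str) -> str:
    """Return the user principal name the Active Directory login authority
    would try for USERNAME, applying the two rules documented on this page:

    - no domain supplied ("rouge")      -> append the default domain
    - partial domain supplied ("rouge@west") -> append the base domain

    Assumption (not stated on the page): a domain that already equals or
    ends with the base domain is treated as fully qualified and left alone.
    Added example, not Secure Global Desktop code.
    """
    if "@" not in username:
        return f"{username}@{default_domain}" if default_domain else username
    user, domain = username.rsplit("@", 1)
    if not domain or not base_domain:
        return username
    if domain == base_domain or domain.endswith("." + base_domain):
        return username  # already fully qualified (assumption, see docstring)
    return f"{user}@{domain}.{base_domain}"
```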
Generate authentication tokens
Command line: --login-autotoken 1 | 0