Secure Global Desktop 4.31 Administration Guide > Users and authentication > Introducing web server authentication

Introducing web server authentication

Web server authentication is different to the Secure Global Desktop login authority system because the authentication is actually performed externally by a web server. You configure Secure Global Desktop to trust this authentication and it then determines the user's identity and their login profile.

When users log in, they see their browser's authentication dialog instead of the Secure Global Desktop login page. Once they have typed their username and password, users go directly to their webtop.

How web server authentication works

Web server authentication (or HTTP authentication) is supported by all web servers and web browsers.

With HTTP authentication:

• A web server administrator protects a section of a web site.
• When a web browser first tries to access a URL within the protected section, the web server responds by requesting authentication.
• The web browser displays an authentication dialog to the user.
• The user types a username and password, which the browser sends to the web server.
• The web server authenticates the user's credentials and allows access to the requested URL.

The web browser caches the credentials, either temporarily (until the user closes the browser) or permanently (if the user checks the box on the browser's authentication dialog). It does this because, with HTTP authentication, the credentials must be sent with every request to a protected URL. The browser sends the credentials automatically.

Determining the user's identity and login profile

Once the web server has authenticated the user, Secure Global Desktop then obtains the user's identity from the REMOTE_USER environment variable. The web server sets this variable after it has authenticated the user. Secure Global Desktop uses this identity to search for a matching login profile.

You can use web server authentication and login authorities together. If Secure Global Desktop can't find a matching login profile, the standard Secure Global Desktop login page displays. The user must log in to Secure Global Desktop and be authenticated by a login authority before they can access their webtop.

Web server authentication does not support ambiguous users. This means users get the webtop of the first matching login profile.

Points to note about web server authentication

• The way you enable web server authentication depends on whether you are using the browser-based webtop or the classic webtop. You can enable web authentication in both webtops at the same time.
• The Sun Secure Global Desktop Native Client does not support web server authentication.
• You can use any web server authentication plug-in as long as it sets the REMOTE_USER variable. If the plug-in you use doesn't set that variable you can export the variable your plug-in uses.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.