Secure Global Desktop 4.40 Administration Guide > Users and Authentication > Third-Party Authentication

Third-Party Authentication

Overview

Third-party authentication allows users to log in to SGD if they have been authenticated by an external mechanism.

If you are using the SGD webtop, the only form of third-party authentication you can use is web server authentication. If you develop your own webtop applications using the SGD web services, you can use any third-party authentication mechanism.

Third-party authentication is disabled by default.

How Third-party Authentication Works

The user types a user name and password directly into the external mechanism, typically in the web browser's authentication dialog.

Third-party authentication is based on trust. SGD does not check the user's password itself: it trusts that the third-party mechanism has authenticated the user correctly and accepts the user name that mechanism supplies, so the user is authenticated to SGD. The security of the login therefore depends entirely on the external mechanism being configured correctly.

Next SGD performs a search to establish the user identity and user profile (see User Identity and User Profile below). If none of the searches produces a match, SGD cannot establish an identity for the user and the user cannot log in this way. SGD displays the standard login page instead, so that the user can log in using system authentication.

User Identity and User Profile

SGD supports the following search methods for establishing the user identity and user profile:

- Search Local Repository
- Search LDAP Repository
- Use Default Third-Party Identity

If more than one search method is enabled, the methods are tried in the order they are listed above.

Third-party authentication does not support ambiguous users, so the first match found is used. Because of this, make sure that the user name supplied by the external mechanism cannot match the Name, Login Name, or Email Address attribute of a different user profile (or the cn, uid, or mail attribute of a different LDAP person object). If it does, the user is logged in with that other user's identity and profile.

Search Local Repository

This search method searches the local repository for a user profile with a Name attribute that matches the user's third-party user name. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute. If no user profile is found, the next search method is tried.

If a user profile is found, that object is used for both the user identity and the user profile. In the SGD Administration Console, the user identity is displayed as user-profile (Local). On the command line, the user identity is displayed as .../_ens/user-profile.

Search LDAP Repository

This search method searches an LDAP directory for a person object with a cn (common name) attribute that matches the user name typed by the user. If there is no match, the search is repeated on the uid (username) attribute, and finally on the mail (email address) attribute. If a person object is not found, the next search method is tried.

If a person object is found, that object is used for the user identity. In the SGD Administration Console, the user identity is displayed as LDAP-ID (LDAP). On the command line, the user identity is displayed as .../_service/sco/tta/ldapcache/LDAP-ID.

Next SGD searches for the user profile. When searching for the user profile, you can specify Use Default LDAP Profile or Use Closest Matching LDAP Profile. Use Default LDAP Profile is the default.

If Use Default LDAP Profile is selected, the profile object System Objects/LDAP Profile is used for the user profile.

If Use Closest Matching LDAP Profile is selected, SGD establishes the user profile by searching the local repository, allowing for differences between the LDAP and SGD naming systems. SGD searches for the following until a match is found:

If there is no match, the profile object System Objects/LDAP Profile is used for the user profile.

Use Default Third-Party Identity

This search method does not perform a search.

The user identity is always the third-party user name. In the SGD Administration Console, the user identity is displayed as third-party-username (3rd party). On the command line, the user identity is displayed as .../_service/sco/tta/thirdparty/thirdparty-username.

The profile object System Objects/Third Party Profile is always used for the user profile.
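The following is an added example, not code from SGD or its documentation. It models the three search methods above as they are described on this page: the order in which the methods are tried, the attribute order within each method (Name, Login Name, Email Address for the local repository; cn, uid, mail for LDAP), the first-match rule, and the identity and profile strings shown on the command line. The class and function names, the configuration object, the sample users and the use of a DN as LDAP-ID are assumptions made for the illustration; Use Closest Matching LDAP Profile is not modelled. It also includes a check a practitioner would want before enabling third-party authentication: a report of values that match more than one local user profile, since such a value logs the external user in as whichever profile the search reaches first.

```python
"""Model of the SGD third-party identity search described on this page.

Added example, not SGD product code. Search methods, attribute order and
identity strings follow the page; class and function names, the config
object and the sample data are assumptions made for this illustration.
"""

from dataclasses import dataclass
from typing import Optional

LDAP_PROFILE = "System Objects/LDAP Profile"
THIRD_PARTY_PROFILE = "System Objects/Third Party Profile"


@dataclass(frozen=True)
class LocalUser:
    """A user profile object in the SGD local repository (constructed sample)."""
    name: str        # Name attribute
    login_name: str  # Login Name attribute
    email: str       # Email Address attribute


@dataclass(frozen=True)
class LdapPerson:
    """A person object in an LDAP directory (constructed sample).
    ldap_id stands for whatever SGD shows as LDAP-ID; a DN is assumed here."""
    ldap_id: str
    cn: str
    uid: str
    mail: str


@dataclass(frozen=True)
class Resolution:
    identity: str  # user identity in its command-line form
    profile: str   # object used for the user profile
    method: str    # the search method that produced the match


@dataclass(frozen=True)
class ThirdPartyConfig:
    """Which search methods are enabled (assumed shape, not an SGD setting)."""
    search_local: bool = True
    search_ldap: bool = True
    use_default_third_party: bool = False


def search_local(username: str, users) -> Optional[Resolution]:
    """Search Local Repository: Name, then Login Name, then Email Address.
    Each attribute is tried across all profiles before the next attribute,
    and the first match wins (ambiguous users are not supported)."""
    for attr in ("name", "login_name", "email"):
        for u in users:
            if getattr(u, attr) == username:
                return Resolution(f".../_ens/{u.name}", f".../_ens/{u.name}", "local")
    return None


def search_ldap(username: str, people) -> Optional[Resolution]:
    """Search LDAP Repository: cn, then uid, then mail. Only the default
    LDAP profile is modelled; Use Closest Matching LDAP Profile is not."""
    for attr in ("cn", "uid", "mail"):
        for p in people:
            if getattr(p, attr) == username:
                return Resolution(f".../_service/sco/tta/ldapcache/{p.ldap_id}",
                                  LDAP_PROFILE, "ldap")
    return None


def default_third_party(username: str) -> Resolution:
    """Use Default Third-Party Identity: no search, the name is the identity."""
    return Resolution(f".../_service/sco/tta/thirdparty/{username}",
                      THIRD_PARTY_PROFILE, "thirdparty")


def resolve(username: str, cfg: ThirdPartyConfig, users=(), people=()) -> Optional[Resolution]:
    """Try the enabled search methods in the documented order. None means no
    identity could be established, so SGD would show the standard login page."""
    if cfg.search_local:
        found = search_local(username, users)
        if found:
            return found
    if cfg.search_ldap:
        found = search_ldap(username, people)
        if found:
            return found
    if cfg.use_default_third_party:
        return default_third_party(username)
    return None


def find_ambiguous_names(users) -> dict:
    """Practitioner check: values present in the Name, Login Name or Email
    Address of more than one profile. A third-party user with such a name is
    logged in as whichever profile the attribute order reaches first."""
    owners: dict = {}
    for u in users:
        for attr in ("name", "login_name", "email"):
            owners.setdefault(getattr(u, attr), set()).add(u.name)
    return {value: sorted(names) for value, names in owners.items() if len(names) > 1}


# Constructed sample data. "carol" is deliberately both the Name of one
# profile and the Login Name of another, to show the first-match hazard.
SAMPLE_USERS = (
    LocalUser("alice", "asmith", "alice@example.com"),
    LocalUser("carol", "cjones", "carol@example.com"),
    LocalUser("dave", "carol", "dave@example.com"),
)
SAMPLE_PEOPLE = (
    LdapPerson("cn=Erin Lee,ou=People,dc=example,dc=com", "Erin Lee", "elee", "elee@example.com"),
)

if __name__ == "__main__":
    cfg = ThirdPartyConfig()
    for name in ("asmith", "elee", "carol", "nobody"):
        print(name, "->", resolve(name, cfg, SAMPLE_USERS, SAMPLE_PEOPLE))
    print("ambiguous:", find_ambiguous_names(SAMPLE_USERS))
```

With the sample data, a user who authenticated to the web server as dave's Login Name "carol" is resolved to the profile whose Name is "carol", because the Name attribute is searched across all profiles before the Login Name attribute is tried. The ambiguity report flags exactly that value, which is the kind of collision to clear before enabling third-party authentication.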

Application Sessions and Password Cache Entries

Application sessions and password cache entries belong to the identity established by the third-party search methods.
