
Secure Global Desktop and User Authentication

Read This Topic to...
  • Understand the authentication stages involved in using SGD.
  • Learn the difference between system authentication and third-party authentication.
  • Understand the difference between a user identity and a user profile.
  • Learn what system authentication mechanisms are available.
  • Understand what happens if a user's password expires.

SGD has two stages to user authentication. First, users authenticate to an SGD server to log in to SGD. Second, users authenticate to an application server to run an application. This page describes the mechanisms available for authenticating to SGD. Authentication to an application server is described in Understanding Application Launch.

Overview of SGD Authentication

SGD is designed to integrate with your existing authentication infrastructure and supports the following two mechanisms for authenticating users:

The following are the main results of a successful authentication:

Sometimes the user identity and the user profile are the same thing.

In the SGD Administration Console, you can monitor user sessions and application sessions using either the user identity or the user profile.

Depending on how users are authenticated, SGD can prompt users to change their password when they try to log in with an expired password. See Password Expiry for details.

SGD authentication is global. A user can log in to each SGD server in the array with the same user name and password.

Secure Global Desktop Administrators can enable and disable each authentication mechanism independently, using the Global Settings » Secure Global Desktop Authentication tab in the SGD Administration Console, or by using the tarantella config command.

User Identity

A user identity is the SGD idea of who a user is. Each authentication mechanism has its own set of rules for determining the user identity.

A user identity is a name assigned by SGD and is sometimes referred to as the fully qualified name. The user identity is not necessarily the name of a user profile in the local repository. For example, for LDAP authentication the identity is the distinguished name (DN) of the user in the LDAP directory.

The user identity is associated with the user's SGD session, their application sessions, and their entries in the application server password cache.

User Profile

A user profile controls a user's SGD-specific settings. Depending on whether or not you use the Directory Services Integration feature, a user profile can also control the applications a user can run (sometimes called webtop content). Each authentication mechanism has its own set of rules for determining the user profile.

A user profile is always an object in the local repository and is sometimes referred to as an equivalent name. A user profile can be a profile object stored in the System Objects organization. For example, for LDAP authentication the default user profile is System Objects/LDAP Profile.

System Authentication

The following table lists the available system authentication mechanisms and describes the basis for authentication.

Mechanism Description
Anonymous user
  • Allows users to log in to SGD without using a user name and password.
  • All anonymous users have the same webtop content.
Authentication token
  • Allows users to log in to SGD if the SGD Client supplies a valid authentication token.
  • Users might have their own webtop content, depending on configuration.
UNIX system
(Search Unix User ID in Local Repository)
  • Allows users to log in to SGD if they have user profiles in the local repository and UNIX or Linux system accounts on the SGD host.
  • Users might have their own webtop content, depending on configuration.
Windows Domain
  • Allows users to log in to SGD if they belong to a specified Windows domain.
  • Users might have their own webtop content, depending on configuration.
LDAP
  • Allows users to log in to SGD if they have an entry in an LDAP directory.
  • Users might have their own webtop content, depending on configuration.
Active Directory
  • Allows users to log in to SGD if they have an account in an Active Directory domain.
  • Users might have their own webtop content, depending on configuration.
UNIX system
(Search Unix Group ID in Local Repository)
  • Allows users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.
  • All users in the same UNIX group have the same webtop content.
UNIX system
(Use Default User Profile)
  • Allows users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.
  • All UNIX users have the same webtop content.
SecurID
  • Allows users with RSA SecurID tokens to log in to SGD.
  • Users might have their own webtop content, depending on configuration.

When a user logs in, the enabled authentication mechanisms are tried in the order they are listed in the table above. When you configure SGD authentication, the SGD Administration Console shows the order in which the mechanisms are tried. The first authentication mechanism that authenticates a user "wins" and no further authentication mechanisms are tried.

Password Expiry

In most circumstances, SGD can handle the expiry of the user's password if configured to do so. When a user attempts to log in with an expired password, the Aged Password dialog displays. This dialog does the following:

If the new password is accepted, the user is logged in to SGD.

The following table shows which authentication mechanisms support aged passwords.

Authentication Mechanism: Supports aged passwords?

Active Directory: Yes, see the Kerberos configuration for Active Directory authentication for details.
Anonymous user: Not applicable. User logs in without a user name or password.
Authentication token: Not applicable. User logs in without a user name or password.
LDAP: Yes, see LDAP Authentication and Password Expiry for details.
SecurID: Yes. If the user's PIN has expired, a new PIN dialog is displayed instead of the Aged Password dialog.
Third-party (including web server authentication): No. The expiry of the user's password is handled by the third-party authentication mechanism and is nothing to do with SGD.
UNIX system: Yes, see UNIX System Authentication and PAM for details.
Windows domain: No.