Using the authentication token login authority for automatic logins
The authentication token login authority allows users to log in automatically to Secure Global Desktop if the Sun Secure Global Desktop Client submits a valid authentication token to the Secure Global Desktop server. Authentication tokens can only be used when the Secure Global Desktop Client is operating in integrated mode.
To enable automatic logins:
Note: The authentication token login authority can only be used with the Secure Global Desktop Client. The Native Client and Java™ technology clients do not support this login authority.
The Secure Global Desktop Release Notes has details of which client desktop systems support running the Secure Global Desktop Client in integrated mode.
To be able to use the authentication token login authority, at least one other authentication mechanism must also be enabled. This is because the user must log in at least once and display a webtop in order to generate an authentication token. You can use third-party authentication or any of the other login authorities, apart from the anonymous user login authority.
To enable the authentication token login authority:
To use automatic logins, integrated mode and automatic logins must be enabled in the user's profile. Secure Global Desktop Administrators can configure this for users by creating profiles for organization and organizational unit objects. However, users have to manually generate an authentication token by editing their profile. This means profile editing must be enabled for users.
To generate an authentication token, users:
Users must generate an authentication token for each Secure Global Desktop server they log in to.
Note: Users must log out of Secure Global Desktop and log in again for changes to their profile to take effect.
If users need to generate a new authentication token, they must edit their profile as follows:
When a user saves their profile, the Secure Global Desktop server sends the authentication token to the Secure Global Desktop Client. The Secure Global Desktop Client stores the token in the profile cache on the client device.
To ensure an authentication token cannot be intercepted and used by a third party, use secure (HTTPS) web servers and enable Secure Global Desktop security services.
When a user generates an authentication token, the Secure Global Desktop server maintains a record of the tokens issued in a token cache. Secure Global Desktop stores the authentication tokens using the current identity of the user when the token was generated. When a user logs in with an authentication token, the authentication token allows Secure Global Desktop to "remember" the user's original identity and login profile. All webtop sessions and emulator sessions are managed using the original identity and profile. If the original login becomes invalid, for example because the UNIX account is disabled or the password has expired, the user can still log in automatically if they have a valid token. However, they will not be able to launch any applications using the invalid login.
Administrators use the tarantella tokencache command to list the tokens in the token cache and delete them. Deleting a token from the token cache makes the token stored on a client device invalid. If the Secure Global Desktop Client presents an invalid token, the user is prompted to log in with a username and password. The user must then generate another authentication token if they want to log in automatically.
Administrators can disable the ability to generate new tokens by clearing the Generate authentication tokens box on the Secure Global Desktop Login properties panel in Array Manager. Clearing this box disables the Automatic Client Login option when users edit their profile. If the authentication token login authority is still enabled, users with existing authentication tokens can still log in.
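The following Python sketch is an added illustration, not Sun's code or part of the product. It models the token rules described above: a token is issued only after a normal login, is tied to one server, survives the original login becoming invalid, and stops working once it is deleted from the server's token cache. The class and method names, the SHA-256 digest storage, and the user and host names are assumptions made for the example.

```python
import hashlib
import secrets


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TokenLoginModel:
    """Toy model of the rules on this page; constructed, not SGD code."""

    def __init__(self):
        self.authority_enabled = True    # authentication token login authority
        self.generation_enabled = True   # "Generate authentication tokens" box
        self.cache = {}                  # token digest -> (server, identity)
        self.valid_logins = set()        # identities whose original login still works

    def generate(self, server, identity, logged_in):
        # Issued only after a normal login that displayed a webtop, and only
        # while generation is enabled. Each token is tied to one server.
        if not (logged_in and self.generation_enabled):
            return None
        token = secrets.token_hex(32)
        self.cache[_digest(token)] = (server, identity)
        return token  # the client keeps this in its profile cache

    def delete(self, identity):
        # Administrator action: drop every cached token for one identity.
        self.cache = {d: e for d, e in self.cache.items() if e[1] != identity}

    def login(self, server, token):
        # Returns the original identity for an automatic login, or None when
        # the user must be prompted for a username and password.
        entry = self.cache.get(_digest(token or ""))
        if self.authority_enabled and entry and entry[0] == server:
            return entry[1]
        return None

    def can_launch(self, identity):
        # Automatic login does not revalidate the original login, but
        # launching applications still depends on it.
        return identity in self.valid_logins


if __name__ == "__main__":
    m = TokenLoginModel()
    m.valid_logins.add("alice")                    # constructed user name
    t = m.generate("sgd1.example.com", "alice", logged_in=True)
    m.valid_logins.discard("alice")                # e.g. UNIX account disabled
    print(m.login("sgd1.example.com", t), m.can_launch("alice"))
    m.delete("alice")                              # revoke on the server
    print(m.login("sgd1.example.com", t))          # back to the password prompt
```

The model makes the operational consequence visible: disabling an account does not end automatic logins by itself, so the account's tokens also have to be deleted from the token cache.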
To troubleshoot problems with automatic logins, set a server/login/* and a server/tokencache/* log filter. The server/login/* filter allows you to see when authentication tokens are being used for authentication and when they fail. The server/tokencache/* filter allows you to see errors with operations on the token cache, for example to see why a token has not been added to the cache.
Copyright © 1997-2006 Sun Microsystems, Inc. All rights reserved.