Secure Global Desktop 4.40 Administration Guide

Authentication Token Authentication

Authentication token authentication allows users to log in to SGD if the SGD Client submits a valid authentication token.

Authentication token authentication can only be used when the SGD Client is operating in Integrated mode and a user has previously generated an authentication token.

Authentication token authentication is disabled by default.

This page includes the following topics:

    How Authentication Token Authentication Works
    Enabling Automatic Logins with Authentication Tokens
    Configuring SGD for Authentication Token Authentication
    Configure the Client Device for Automatic Logins
    Administering Authentication Tokens
    Troubleshooting Automatic Logins

How Authentication Token Authentication Works

When the SGD Client starts, it submits the authentication token to SGD. The user does not enter a user name or password.

If the authentication token is invalid or the SGD Client does not submit a token, the user is not logged in. The SGD login screen is displayed in a web browser so that the user can log in using another system authentication mechanism.

If the SGD Client submits a valid authentication token, the user is logged in.

User Identity and User Profile

The SGD server stores the authentication token against the identity of the user when they generated their authentication token. This means the user identity and user profile used are those of the authentication mechanism that originally authenticated the user.

Application Sessions and Password Cache Entries

Application sessions and password cache entries belong to the user identity of the original authentication.

Authentication Tokens and Security

When a user generates an authentication token and saves their client profile, the SGD server sends the authentication token to the SGD Client. The SGD Client stores the token in the profile cache on the client device. The token is presented on its own, without a user name or password, so anyone who obtains a copy of it can log in as that user. To ensure an authentication token cannot be intercepted and used by a third party, use secure (HTTPS) web servers and enable SGD security services.

When a user generates an authentication token, SGD maintains a record of the tokens issued in a token cache. SGD stores the authentication token using the current identity of the user when the token was generated. When a user logs in with an authentication token, the authentication token allows SGD to "remember" the user's original identity and user profile. All user sessions and application sessions are managed using the original user identity and user profile. If the original login becomes invalid, for example because the UNIX system account is disabled or the password has expired, the user can still log in automatically if they have a valid token. However, they cannot run any applications using the invalid credentials.

Enabling Automatic Logins with Authentication Tokens

To enable automatic logins with authentication tokens:

  1. Enable at least one other authentication mechanism.

    The user must log in and be authenticated by another authentication mechanism so that SGD can store a user identity and user profile when the user generates an authentication token.

    You can use third-party authentication, or any of the other system authentication mechanisms, apart from anonymous user authentication.

  2. (Optional) Enable SGD security services.

    Use secure connections between SGD Clients and SGD servers to prevent the interception of authentication tokens.

  3. (Optional) Configure the SGD Web Server to use HTTPS.

    Use secure connections between client devices and SGD Web Servers to prevent the interception of authentication tokens.

  4. Enable client profile editing.

    Client profile editing must be enabled to allow users to generate authentication tokens. You can enable profile editing for all users or just for users that require authentication tokens.

  5. Configure SGD for authentication token authentication.

    See Configuring Authentication Token Authentication for details.

  6. Configure the client device for automatic logins.

    Enable Integrated mode in the client profile and generate an authentication token. If a user logs in to different SGD servers, an authentication token is needed for each SGD server.

    See Configure the Client Device for Automatic Logins for details.

Configuring SGD for Authentication Token Authentication

  1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

    On the Global Settings » Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.

  2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
  3. On the System Authentication - Repositories step, select the Authentication Token check box.
  4. On the Review Selections step, check your authentication configuration and click Finish. The Wizard closes.
  5. On the Secure Global Desktop Authentication tab, select the Token Generation check box.
  6. Click Save.

Configure the Client Device for Automatic Logins

The following procedure is performed by users and enables automatic logins on the client device. If a user logs in to different SGD servers, they must repeat this procedure on each server.

Profile editing must be enabled for the user.

  1. Using a web browser, log in to an SGD server.
  2. Edit the client profile.

    On the webtop, click the Edit button. The Edit Client Settings page displays.

  3. (Optional) Select the Connect on System Login check box.

    If the check box is selected, the user is logged in automatically to SGD when they log in to the desktop.

  4. Select the Add Applications to Start Menu check box.

    The box might already be selected if a Secure Global Desktop Administrator has configured the client profile using the Profile Editor tool.

  5. Select the Automatic Client Login check box.
  6. Click Save. The webtop displays.
  7. Log out of SGD.

    You must log out of SGD and log in again for changes to a client profile to take effect.

Users must click the SGD Login link in their desktop Start menu to use automatic logins. If the Connect on System Login check box in the client profile is selected, this happens automatically when a user logs in to the desktop.

Administering Authentication Tokens

Administrators can use the SGD Administration Console or the command line to administer authentication tokens. You can view the tokens in the token cache and delete them. You can also prevent users from generating new tokens.

How to View Authentication Tokens

You view the users (either by the user identity or the user profile) that have authentication tokens as follows:

How to Delete Authentication Tokens

Deleting a token from the token cache makes the token stored on a client device invalid. If the SGD Client presents an invalid token, the user is prompted to log in with a user name and password. The user must then generate another authentication token if they want to log in automatically.

You delete authentication tokens as follows:

How to Disable Token Generation

Use this procedure to prevent SGD from issuing new authentication tokens. Disabling token generation does not invalidate tokens that have already been issued: if authentication token authentication is still enabled, users with existing authentication tokens can still log in automatically. To revoke a token that has already been issued, delete it from the token cache.
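The following is a worked model of the token-cache behaviour described under How Authentication Token Authentication Works and Authentication Tokens and Security, together with the administration operations above (viewing and deleting tokens, disabling token generation). It is an added illustration written for this page, not Secure Global Desktop code: the class and function names, the choice to keep SHA-256 digests of tokens in the cache rather than the tokens themselves, and the sample identity are assumptions made here.

```python
"""Toy model of SGD authentication-token login and the server-side token cache.

Added illustration only: it follows the behaviour this page describes (a token
is bound to the identity that generated it, deleting it from the cache revokes
it, disabling generation does not revoke existing tokens), but it is not
Secure Global Desktop code. Names, data structures and the digest-based cache
are assumptions made for this example.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class UserRecord:
    """Identity and profile fixed at the time of the original login."""
    user_identity: str            # identity from the mechanism that first authenticated the user
    user_profile: str             # profile selected at that login
    credentials_valid: bool = True  # False once the backing account is disabled or the password expired


@dataclass
class TokenCache:
    """Server-side record of issued tokens.

    Assumption: entries are keyed by SHA-256 digest of the token, so a copy of
    the cache alone does not yield tokens a client could present.
    """
    token_generation_enabled: bool = True
    _entries: Dict[str, UserRecord] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def generate_token(self, record: UserRecord) -> str:
        """Issue a token for an already-authenticated user and return the bearer
        token that the server would send to the SGD Client for its profile cache."""
        if not self.token_generation_enabled:
            raise PermissionError("token generation is disabled on this server")
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = record
        return token

    def lookup(self, token: Optional[str]) -> Optional[UserRecord]:
        """Return the record bound to a token, or None if no or an unknown token is presented."""
        if not token:
            return None
        return self._entries.get(self._digest(token))

    def delete_token(self, token: str) -> bool:
        """Administrator revocation: removing the entry makes the client's copy useless."""
        return self._entries.pop(self._digest(token), None) is not None

    def tokens_by_identity(self) -> Dict[str, int]:
        """View of the cache: number of tokens held per user identity."""
        counts: Dict[str, int] = {}
        for rec in self._entries.values():
            counts[rec.user_identity] = counts.get(rec.user_identity, 0) + 1
        return counts


def automatic_login(cache: TokenCache, presented_token: Optional[str]) -> Tuple[str, Optional[UserRecord]]:
    """Server-side decision when the SGD Client starts in Integrated mode.

    A valid token logs the user in under the original identity; anything else
    falls back to the login screen so another mechanism can be used.
    """
    record = cache.lookup(presented_token)
    if record is None:
        return "show_login_screen", None
    return "logged_in", record


def can_launch_application(record: UserRecord) -> bool:
    """Token login works even after the original credentials became invalid,
    but applications needing those credentials cannot be run."""
    return record.credentials_valid


def walkthrough() -> Dict[str, object]:
    """Run the scenarios the page describes and return the observed outcomes."""
    cache = TokenCache()
    # Constructed sample user; in SGD this would be the identity from the original login.
    alice = UserRecord(user_identity="o=Example/cn=Alice", user_profile="o=Example/cn=Alice")
    token = cache.generate_token(alice)

    out: Dict[str, object] = {}
    out["valid_token"] = automatic_login(cache, token)[0]
    out["no_token"] = automatic_login(cache, None)[0]
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")   # one character changed
    out["forged_token"] = automatic_login(cache, tampered)[0]
    out["identity"] = automatic_login(cache, token)[1].user_identity

    # Original account disabled: login still succeeds, application launch does not.
    alice.credentials_valid = False
    status, rec = automatic_login(cache, token)
    out["disabled_account_login"] = status
    out["disabled_account_can_launch"] = can_launch_application(rec)

    # Disabling generation blocks new tokens but does not revoke existing ones.
    cache.token_generation_enabled = False
    try:
        cache.generate_token(alice)
        out["generation_blocked"] = False
    except PermissionError:
        out["generation_blocked"] = True
    out["existing_token_after_disable"] = automatic_login(cache, token)[0]

    # Deleting the cache entry is the actual revocation step.
    out["deleted"] = cache.delete_token(token)
    out["after_delete"] = automatic_login(cache, token)[0]
    out["cache_view"] = cache.tokens_by_identity()
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The model makes the security property explicit: the client holds a bearer secret, but the server-side token cache is the only authority on whether that secret is still valid and which identity it maps to, so deleting the cache entry, not the client-side copy, is what revokes access.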

Troubleshooting Automatic Logins

To troubleshoot problems with automatic logins, use the following log filters:

    server/login/*:destination
    server/tokencache/*:destination

The server/login/* filter allows you to see when authentication tokens are used for authentication and when they fail. The server/tokencache/* filter allows you to see errors with operations on the token cache, for example why a token was not added to the cache.
