
SecurID Authentication

SecurID authentication allows users with RSA SecurID tokens to log in to SGD. SGD authenticates users against an RSA Authentication Manager (formerly known as ACE/Server).

RSA SecurID is a product from RSA Security, Inc., that uses two-factor authentication based on something you know (a PIN) and something you have (a tokencode supplied by a separate token such as a PIN pad, standard card or software token). The PIN and tokencode are combined to form a passcode which is used as the password when you log in to SGD.

This authentication mechanism is disabled by default.


How SecurID Authentication Works

At the SGD login screen, the user types their SecurID user name (for example indigo) and their passcode.

This authentication mechanism searches the local repository for a user profile with a Name attribute that matches the user name typed by the user. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute.

If a user profile is found, the Login Name attribute of that object is used as the SecurID user name. If no user profile is found, the name the user typed is used as the SecurID user name.

Next, SGD checks the SecurID user name and the passcode typed by the user against the Authentication Manager. If the authentication fails, the user cannot log in: SecurID is the only mechanism consulted for this login, so no further authentication mechanism is tried.

If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in. If the authentication succeeds and the Login attribute for the user profile is enabled, the user is logged in.

User Identity and User Profile

If a user profile was found in the local repository, this is used for the user identity and user profile. In the SGD Administration Console, the user identity is displayed as user-profile (Local). On the command line, the user identity is displayed as .../_ens/user-profile.

If no user profile was found in the local repository, the user identity is the SecurID user name. In the SGD Administration Console, the user identity is displayed as SecurID-username (SecurID). On the command line, the identity is displayed as .../_service/sco/tta/securid/SecurID-username. The profile object System Objects/SecurID User Profile is used for the user profile.

Application Sessions and Password Cache Entries

Application sessions and password cache entries belong to either the user profile or SecurID User Profile object, depending on which is used.
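The following model puts the rules above into code: the three-attribute search of the local repository, the choice of SecurID user name, the single authentication attempt, and the Login attribute check, together with the identity and profile object that result. It is an added example written for this page, not SGD code; the repository and the Authentication Manager are constructed stand-ins, and using the Name attribute as the ENS object name in the identity string is a simplification.

```python
"""Model of how SGD resolves a SecurID login.  Added example for this page,
not SGD code.  LOCAL_REPOSITORY and AUTH_MANAGER are constructed stand-ins;
a real passcode is PIN + a tokencode that changes with time."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserProfile:
    name: str            # Name attribute (also used here as the ENS object name)
    login_name: str      # Login Name attribute
    email: str           # Email Address attribute
    login_enabled: bool  # Login attribute


# Constructed local repository (ENS).
LOCAL_REPOSITORY = (
    UserProfile("Indigo Jones", "indigo", "indigo@example.com", True),
    UserProfile("Emma Rome", "emmarome", "emma@example.com", False),
)

# Constructed Authentication Manager: SecurID user name -> the passcode it
# would accept right now.  "violet" owns a token but has no SGD user profile.
AUTH_MANAGER = {
    "indigo": "1234567890",
    "emmarome": "5555123456",
    "violet": "4321098765",
}

SECURID_USER_PROFILE = "System Objects/SecurID User Profile"


def find_user_profile(typed_name: str) -> Optional[UserProfile]:
    """Search Name across all profiles first, then Login Name, then Email Address."""
    for attribute in ("name", "login_name", "email"):
        for profile in LOCAL_REPOSITORY:
            if getattr(profile, attribute) == typed_name:
                return profile
    return None


def securid_login(typed_name: str, passcode: str) -> dict:
    """Return the outcome plus the SecurID user name SGD sends, the user
    identity in its command-line form, and the object that owns the
    application sessions and password cache entries."""
    profile = find_user_profile(typed_name)
    # A matching profile's Login Name is what goes to the Authentication
    # Manager; with no profile the typed name goes through unchanged.
    securid_name = profile.login_name if profile else typed_name
    result = {"securid_name": securid_name, "identity": None, "profile_object": None}

    if AUTH_MANAGER.get(securid_name) != passcode:
        # A SecurID failure ends the login; no other mechanism is tried.
        result["outcome"] = "denied"
        return result

    if profile is None:
        # Authenticated but unknown locally: the identity comes from SecurID
        # and sessions belong to the shared SecurID User Profile object.
        result["outcome"] = "ok"
        result["identity"] = ".../_service/sco/tta/securid/" + securid_name
        result["profile_object"] = SECURID_USER_PROFILE
        return result

    if not profile.login_enabled:
        # Valid passcode, but the profile's Login attribute is not enabled.
        result["outcome"] = "login-disabled"
        return result

    result["outcome"] = "ok"
    result["identity"] = ".../_ens/" + profile.name
    result["profile_object"] = ".../_ens/" + profile.name
    return result


if __name__ == "__main__":
    for name, code in (("Indigo Jones", "1234567890"), ("emma@example.com", "5555123456"),
                       ("violet", "4321098765"), ("indigo", "0000000000")):
        print(name, "->", securid_login(name, code))
```

Note what the model makes visible: a user who types their Name or Email Address is still authenticated under the profile's Login Name, a correct passcode for a profile whose Login attribute is disabled is rejected after the Authentication Manager has already accepted it, and a name with no profile is passed to the Authentication Manager exactly as typed.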

Enabling SecurID Authentication

  1. Ensure you are using a supported version of RSA SecurID.

    The Secure Global Desktop Release Notes has details of the supported versions of the RSA Authentication Manager.

  2. Ensure the RSA Authentication Manager is up to date.

    Update Authentication Manager with the latest patches released by RSA.

  3. Configure each SGD server in the array as an Agent Host.

    Configure each SGD server in the array as an Agent Host so that it can authenticate users against the Authentication Manager.

  4. Configure SGD for SecurID authentication.

    Configure SecurID authentication so that SecurID users can log in to SGD.

Configuring SGD Servers as Agent Hosts

To use SecurID authentication, each SGD server in the array must be configured as an Agent Host. As SecurID implementations can vary, the following procedure is an example only.

Before you begin, ensure you have access to the RSA Authentication Manager configuration file (sdconf.rec).

  1. On the SGD server, become superuser (root).
  2. Ensure the SGD server can contact the Authentication Manager on the network.

    You might have to open ports in your firewalls to allow an SGD server to contact the Authentication Manager.

    The default ports that must be open are the following:

  3. Specify the location of the Authentication Manager configuration file.
    1. Create the /etc/sdace.txt file with the following content:
      VAR_ACE=/opt/ace/data
    2. Save the file.
  4. Copy the Authentication Manager configuration file to the SGD server.
    1. Create an /opt/ace/data directory.
    2. Copy the Authentication Manager Configuration File (sdconf.rec) file to the /opt/ace/data directory.
  5. Set the file permissions so that SGD can read the configuration files and write to the VAR_ACE directory.

    SGD runs as the ttasys user, and the RSA agent library stores the node secret it receives from the Authentication Manager in the VAR_ACE directory, so that directory must be writable by ttasys. Do not make the directory or its files world-writable: sdconf.rec and the node secret are what identify this server to the Authentication Manager.

    # chmod 444 /etc/sdace.txt
    # chown -R ttasys:ttaserv /opt/ace
    # chmod -R 775 /opt/ace
  6. Repeat steps 1 to 5 on each SGD server in the array.
  7. Register the SGD servers as Agent Hosts in the Authentication Manager database.

    Use either the Authentication Manager Database Administration application or the sdadmin application.

    Add the SGD server as a UNIX Agent Host in the database, using the fully qualified name server.domain.com.

    For each Agent Host, configure Group or User Activation, or set the Open to All Locally Known Users option.

    Note: SGD supports either system-generated PINs or user-created PINs.
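Before moving on to the SGD authentication configuration, it is worth checking that steps 3 to 5 left each server in the expected state. The check below is an added example for this page, not part of SGD or the RSA agent software. It reads VAR_ACE from /etc/sdace.txt, confirms that the directory exists, is owned by the SGD accounts with owner and group rwx and is not world-writable, and that sdconf.rec is present. The root parameter is an assumption added so the check can be run against a staging tree; on a real SGD host leave it at "/", and the owner and group default to ttasys:ttaserv as in the procedure.

```python
"""Preflight check of the Agent Host file layout an SGD server needs for
SecurID authentication.  Added example for this page, not SGD or RSA code.
The root parameter (staging tree prefix) and the demo() helper are additions
for testing; the paths, accounts and modes are the ones the procedure uses."""
import grp
import os
import pwd


def read_var_ace(sdace_path):
    """Return the VAR_ACE value from an sdace.txt file, or None if it has none."""
    with open(sdace_path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key == "VAR_ACE" and value:
                return value
    return None


def check_agent_host_files(root="/", owner="ttasys", group="ttaserv"):
    """Return a list of problems; an empty list means the layout matches the
    procedure (readable sdace.txt, VAR_ACE directory owned by owner:group,
    rwx for owner and group, not world-writable, sdconf.rec present)."""
    problems = []
    sdace = os.path.join(root, "etc", "sdace.txt")
    if not os.path.isfile(sdace):
        return ["%s is missing" % sdace]
    if not os.access(sdace, os.R_OK):
        problems.append("%s is not readable" % sdace)
    var_ace = read_var_ace(sdace)
    if var_ace is None:
        return problems + ["%s does not set VAR_ACE" % sdace]

    # VAR_ACE is an absolute path on the target host; re-root it for staging.
    data_dir = os.path.join(root, var_ace.lstrip("/"))
    if not os.path.isdir(data_dir):
        return problems + ["VAR_ACE directory %s does not exist" % data_dir]

    try:
        want_uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        return problems + ["user %s does not exist on this host" % owner]
    try:
        want_gid = grp.getgrnam(group).gr_gid
    except KeyError:
        return problems + ["group %s does not exist on this host" % group]

    st = os.stat(data_dir)
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        problems.append("%s is not owned by %s:%s" % (data_dir, owner, group))
    if st.st_mode & 0o770 != 0o770:
        problems.append("%s is not rwx for owner and group (expected 775)" % data_dir)
    if st.st_mode & 0o002:
        problems.append("%s is world-writable" % data_dir)

    sdconf = os.path.join(data_dir, "sdconf.rec")
    if not os.path.isfile(sdconf):
        problems.append("%s is missing" % sdconf)
    elif os.stat(sdconf).st_mode & 0o002:
        problems.append("%s is world-writable" % sdconf)
    return problems


def demo():
    """Stage the layout under a temporary root with a constructed placeholder
    sdconf.rec, check it, then remove sdconf.rec and check again.  Uses the
    current account as owner:group because ttasys:ttaserv only exist on an
    SGD host.  Returns (problems_before, problems_after)."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    me = pwd.getpwuid(os.getuid()).pw_name
    my_group = grp.getgrgid(os.getgid()).gr_name
    try:
        os.makedirs(os.path.join(root, "etc"))
        sdace = os.path.join(root, "etc", "sdace.txt")
        with open(sdace, "w") as fh:
            fh.write("VAR_ACE=/opt/ace/data\n")
        os.chmod(sdace, 0o444)
        data_dir = os.path.join(root, "opt", "ace", "data")
        os.makedirs(data_dir)
        sdconf = os.path.join(data_dir, "sdconf.rec")
        with open(sdconf, "wb") as fh:
            fh.write(b"constructed placeholder, not a real sdconf.rec\n")
        os.chmod(os.path.join(root, "opt", "ace"), 0o775)
        os.chmod(data_dir, 0o775)
        before = check_agent_host_files(root, me, my_group)
        os.remove(sdconf)
        after = check_agent_host_files(root, me, my_group)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run `check_agent_host_files()` with no arguments as root on each SGD server in the array; any non-empty list names the step to repeat.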

Configuring SGD for SecurID Authentication

  1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

    On the Global Settings » Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.

  2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
  3. On the System Authentication - Repositories step, select the SecurID check box.
  4. On the Review Selections step, check your authentication configuration and click Finish.