Secure Global Desktop 4.31 Administration Guide > Users and authentication > Can I use other web authentication schemes with Secure Global Desktop web server authentication?

Can I use other web authentication schemes with Secure Global Desktop web server authentication?

Yes. However Secure Global Desktop web server authentication relies on the web server setting the REMOTE_USER variable to identify the user. However, when users are authenticated using another web authentication scheme, it is likely that another variable is used to identify the user and this means they can't be authenticated to Secure Global Desktop. The solution is to export the value of your variable to REMOTE_USER. How you do this depends on whether you are using the classic webtop or the browser-based webtop.

The classic webtop

If you are using the classic webtop and your web authentication scheme uses another variable, you can export that variable using a wrapper script. For example:

#!/bin/sh
REMOTE_USER=$your_variable_name
export REMOTE_USER 
exec ./ttawlogin.cgi $*

Save the script to a sub-directory in the /opt/tarantella/var/docroot/cgi-bin/secure directory. The script must have the same file permissions as the other scripts in this directory.

To implement the wrapper script, follow this process on each array member:

1. Configure your web authentication scheme to protect the /tarantella/cgi-bin/secure/ directory.
2. Test that your web authentication scheme works.
3. Run the following command:

   tarantella config edit --tarantella-config-server-cgibin-bootscript secure/wrapper_script_name

   Note This command sets the path to the wrapper script and is relative to the /opt/tarantella/var/docroot/cgi-bin directory.

4. Restart the Secure Global Desktop server.

When this configuration is complete, enable web server authentication in Array Manager.

In a standard installation, Secure Global Desktop provides two such wrapper scripts:

• ttaclientcert.cgi for use with PKI client certificates. This exports the SSL_CLIENT_S_DN_CN variable.
• ttaauthsafeword.cgi for use with SafeWord® PremierAccess. This exports the HTTP_SAFEWORD_USER variable.

The browser-based webtop

If you are using the browser-based webtop and your web authentication scheme uses another variable, you must configure the webtop web application to export your variable to remote_user. For example:

1. On the web server, configure your web authentication scheme to protect the /sgd URL.
2. Test that your web authentication scheme works.
3. Configure the web server to export your_variable_name so that the Tomcat component of the Secure Global Desktop Web Server can access it. To do this for Apache component of the Secure Global Desktop Web Server:
   1. Edit the /opt/tarantella/webserver/apache/version/conf/httpd.conf file.
   2. Add a line:
      JkEnvVar your_variable_name " "
   3. Uncomment out the lines:
      <Location "/sgd">
SSLOptions +StdEnvVars +ExportCertData
</Location>
   4. In the //opt/tarantella/webserver/tomcat/version/webapps/sgd/resources/jsp directory, edit the sessionmanager.jsp and webtopsession.jsp files so that they export your_variable_name to remote_user. Use the code for the HTTP_SAFEWORD_USER and SSL_CLIENT_S_DN_CN variables as examples of how to do this.
4. Restart the Secure Global Desktop Web Server and the Secure Global Desktop server.

When this configuration is complete, enable web server authentication in Array Manager.

By default, the sessionmanager.jsp and webtopsession.jsp files export:

• the SSL_CLIENT_S_DN_CN variable for use with PKI client certificates.
• the HTTP_SAFEWORD_USER variable for use with SafeWord® PremierAccess.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.