The SecurID login authority

Overview

The SecurID login authority allows users with RSA SecurID tokens to log in to Secure Global Desktop. This login authority authenticates against an RSA ACE/Server®.

RSA SecurID is a product from RSA Security, Inc., that uses two-factor authentication based on something you know (a PIN) and something you have (a tokencode supplied by a separate "token" such as a PIN pad, standard card or software token). The PIN and tokencode are combined to form a passcode which is used as the password when you log in to Secure Global Desktop.

This login authority does not support ambiguous users and so ambiguous login requests are denied.

This login authority is disabled by default.

Logging in

The user types their RSA SecurID username, for example "indigo", and their passcode.

Authentication

  1. This login authority searches ENS for a person object with a Name attribute matching what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Email Address attribute.
  2. If a person object is found, the Username attribute of that object is used as the RSA SecurID username.
  3. If no person object is found, the name the user typed is used as the RSA SecurID username.
  4. The RSA SecurID username and the passcode typed by the user are checked against the RSA ACE/Server.
  5. If the authentication fails, the user can't log in because there are no further login authorities to try.
  6. If the authentication succeeds, the user may log in unless:

User identity

If a person object was found in ENS, that object is used as the identity.

If no person object was found in ENS, the identity is .../_service/sco/tta/securid/SecurID-username.

Login profile

If a person object was found in ENS, that object is used as the login profile.

If no person object was found in ENS, the profile object o=Secure Global Desktop System Objects/cn=SecurID User Profile is used.
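The lookup order, the ambiguity rule and the identity/profile selection described above can be modelled in a few lines. The following is an added example, not Secure Global Desktop's own code: the ENS person objects and the ACE/Server passcode table are constructed sample data, and the `find_person` and `authenticate` functions are hypothetical names that simply follow the steps listed on this page (Name, then Username, then Email Address; more than one match is ambiguous and denied; a user with no person object gets the `.../_service/sco/tta/securid/` identity and the SecurID User Profile).

```python
"""Added example (not Sun's code): model of the SecurID login authority's
ENS lookup order, ambiguous-user denial, and identity/profile selection.
The RSA ACE/Server check is replaced by a constructed passcode table."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Values as given on this page; the "..." prefix is the page's own elision.
SECURID_PROFILE = "o=Secure Global Desktop System Objects/cn=SecurID User Profile"
SECURID_IDENTITY_PREFIX = ".../_service/sco/tta/securid/"


@dataclass(frozen=True)
class Person:
    """A minimal ENS person object: distinguished name plus the three
    attributes the login authority searches."""
    dn: str
    name: str
    username: str
    email: str


# Constructed ENS sample. Two people share the display Name "Indigo Jones",
# so a login typed as that name is ambiguous.
ENS = [
    Person("o=Indigo Insurance/cn=Indigo Jones", "Indigo Jones", "indigo", "indigo@example.com"),
    Person("o=Indigo Insurance/cn=Indigo Jones (2)", "Indigo Jones", "ijones", "ijones@example.com"),
    Person("o=Indigo Insurance/cn=Emma Rald", "Emma Rald", "emmarald", "emma@example.com"),
]

# Constructed stand-in for the RSA ACE/Server: SecurID username -> the
# passcode (PIN + tokencode) that is currently valid. A real deployment
# sends the username and passcode to the ACE/Server instead.
ACE_SERVER = {
    "indigo": "1234567890",
    "ijones": "1234098765",
    "emmarald": "4321112233",
    "visitor": "0000999999",   # has a token but no ENS person object
}


class AmbiguousUser(Exception):
    """Raised when a search attribute matches more than one person object."""


def find_person(typed: str) -> Optional[Person]:
    """Search Name, then Username, then Email Address, stopping at the first
    attribute with exactly one match. More than one match is ambiguous."""
    for attr in ("name", "username", "email"):
        matches = [p for p in ENS if getattr(p, attr) == typed]
        if len(matches) == 1:
            return matches[0]
        if len(matches) > 1:
            raise AmbiguousUser(f"{len(matches)} person objects match {attr}={typed!r}")
    return None


def ace_server_accepts(securid_user: str, passcode: str) -> bool:
    """Constant-time comparison against the constructed passcode table."""
    expected = ACE_SERVER.get(securid_user)
    return expected is not None and hmac.compare_digest(expected, passcode)


def authenticate(typed: str, passcode: str) -> dict:
    """Outcome of one login attempt: either denied (with the reason) or the
    SecurID username, identity and login profile the session would use."""
    try:
        person = find_person(typed)
    except AmbiguousUser as exc:
        return {"result": "denied", "reason": str(exc)}
    # Step 2/3: person's Username attribute if found, else the typed name.
    securid_user = person.username if person else typed
    # Step 4/5: the passcode check is the only authority in the chain.
    if not ace_server_accepts(securid_user, passcode):
        return {"result": "denied", "reason": "ACE/Server rejected the passcode"}
    if person:
        identity = profile = person.dn
    else:
        identity = SECURID_IDENTITY_PREFIX + securid_user
        profile = SECURID_PROFILE
    return {"result": "ok", "securid_user": securid_user,
            "identity": identity, "profile": profile}


if __name__ == "__main__":
    for typed, code in [("indigo", "1234567890"), ("Indigo Jones", "1234567890"),
                        ("visitor", "0000999999"), ("emma@example.com", "wrong")]:
        print(f"{typed!r:22} -> {authenticate(typed, code)}")
```

Running the block shows the four outcomes side by side: a username match that inherits the person object's identity, a Name typed by two people that is denied as ambiguous before the ACE/Server is consulted, a token holder with no person object who lands on the shared SecurID User Profile, and an Email Address match whose wrong passcode is rejected.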

Emulator sessions and password cache entries

Emulator sessions and password cache entries belong to either the person object or the SecurID User Profile object, whichever was used as the login profile.