Secure Global Desktop 4.31 Administration Guide

Using the authentication token login authority for automatic logins

The authentication token login authority allows users to log in automatically to Secure Global Desktop if the Sun Secure Global Desktop Client submits a valid authentication token to the Secure Global Desktop server. Authentication tokens can only be used when the Secure Global Desktop Client is operating in integrated mode.

To enable automatic logins:

  1. Secure Global Desktop Administrators must enable the authentication token login authority.
  2. Users must enable integrated mode and generate an authentication token.

Note: The authentication token login authority can only be used with the Secure Global Desktop Client. The Native Client and Java technology clients do not support this login authority.

The Secure Global Desktop Release Notes has details of which client desktop systems support running the Secure Global Desktop Client in integrated mode.

Enabling the authentication token login authority

To be able to use the authentication token login authority, at least one other authentication mechanism must also be enabled. This is because the user must log in at least once and display a webtop in order to generate an authentication token. You can use third party authentication or any of the other login authorities, apart from the anonymous user login authority.

To enable the authentication token login authority:

  1. In Array Manager, display Secure Global Desktop Login properties.
  2. Check the Authentication token login authority box.
  3. Check the Generate authentication tokens box.
  4. Click Apply.

Enabling integrated mode and generating authentication tokens

To use automatic logins, integrated mode and automatic logins must be enabled in the user's profile. Secure Global Desktop Administrators can configure this for users by creating profiles for organization and organizational unit objects. However, users have to manually generate an authentication token by editing their profile. This means profile editing must be enabled for users.

To generate an authentication token, users:

  1. Log in to Secure Global Desktop and display a webtop.
  2. Click the Edit button on the Applications area of the webtop.
  3. Click the Client Settings tab.
  4. Check the Automatic Client Login box.
  5. Check the Add applications to Start Menu box.
  6. Click Save.

Users must generate an authentication token for each Secure Global Desktop server they log in to.

Note: Users must log out of Secure Global Desktop and log in again for changes to their profile to take effect.

If users need to generate a new authentication token, they must edit their profile as follows:

  1. Clear the Automatic Client Login box.
  2. Click Save.
  3. Check the Automatic Client Login box.
  4. Click Save.

Administering the authentication token login authority

When a user saves their profile, the Secure Global Desktop server sends the authentication token to the Secure Global Desktop Client. The Secure Global Desktop Client stores the token in the profile cache on the client device.

To ensure an authentication token cannot be intercepted and used by a third party, use secure (HTTPS) web servers and enable Secure Global Desktop security services.

When a user generates an authentication token, the Secure Global Desktop server maintains a record of the tokens issued in a token cache. Secure Global Desktop stores the authentication tokens using the current identity of the user when the token was generated. When a user logs in with an authentication token, the authentication token allows Secure Global Desktop to "remember" the user's original identity and login profile. All webtop sessions and emulator sessions are managed using the original identity and profile. If the original login becomes invalid, for example because the UNIX account is disabled or the password has expired, the user can still log in automatically if they have a valid token. However, they will not be able to launch any applications using the invalid login.

Administrators use the tarantella tokencache command to list the tokens in the token cache and delete them. Deleting a token from the token cache makes the token stored on a client device invalid. If the Secure Global Desktop Client presents an invalid token, the user is prompted to log in with a username and password. The user must then generate another authentication token if they want to log in automatically.

Administrators can disable the ability to generate new tokens by clearing the Generate authentication tokens box on the Secure Global Desktop Login properties panel in Array Manager. Clearing this box disables the Automatic Client Login option when users edit their profile. If the authentication token login authority is still enabled, users with existing authentication tokens can still log in.
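
The token lifecycle described in this section, as a small Python model added here for illustration. It is not Secure Global Desktop code, and the class, method and user names are assumptions. It shows that a token outlives a disabled account until it is deleted from the token cache, and lists the cached identities an administrator would want to clean up.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenLoginAuthority:
    """Toy model of the token cache behaviour described above (hypothetical names)."""
    enabled: bool = True            # "Authentication token login authority" box
    generate_enabled: bool = True   # "Generate authentication tokens" box
    cache: dict = field(default_factory=dict)        # token -> original identity
    valid_logins: set = field(default_factory=set)   # identities whose login still works

    def generate(self, identity):
        # Assumption: a token is issued only from a working login with generation on.
        if not (self.generate_enabled and identity in self.valid_logins):
            return None
        token = secrets.token_hex(16)
        self.cache[token] = identity   # stored under the identity at generation time
        return token

    def login(self, token):
        # Only the token cache is consulted, not the state of the original login.
        if self.enabled and token in self.cache:
            return self.cache[token]
        return None                    # client is prompted for username and password

    def can_launch(self, identity):
        return identity in self.valid_logins

    def delete(self, identity):
        self.cache = {t: i for t, i in self.cache.items() if i != identity}

    def stale_identities(self):
        # Cached tokens whose original login is invalid: candidates for deletion.
        return sorted({i for i in self.cache.values() if i not in self.valid_logins})

def demo():
    sgd = TokenLoginAuthority(valid_logins={"alice", "bob"})   # constructed users
    alice, bob = sgd.generate("alice"), sgd.generate("bob")
    sgd.valid_logins.discard("alice")    # e.g. the UNIX account is disabled
    sgd.generate_enabled = False         # administrator clears the generate box
    out = {"alice_login": sgd.login(alice), "alice_launch": sgd.can_launch("alice"),
           "bob_login": sgd.login(bob), "new_token": sgd.generate("bob"),
           "stale": sgd.stale_identities()}
    sgd.delete("alice")                  # token removed from the token cache
    out["alice_after_delete"] = sgd.login(alice)
    return out

if __name__ == "__main__":
    print(demo())
```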

To troubleshoot problems with automatic logins, set a server/login/* and a server/tokencache/* log filter. The server/login/* filter allows you to see when authentication tokens are being used for authentication and when they fail. The server/tokencache/* filter allows you to see errors with operations on the token cache, for example to see why a token has not been added to the cache.
