Smart card

Citrix Workspace app for ChromeOS supports USB smart card readers with StoreFront. You can use smart cards for the following purposes:

  • Smart card sign-in authentication to Citrix Workspace app.
  • Smart card-aware published apps to access local smart card devices.
  • Smart cards for signing documents and email. For example, Microsoft Word and Outlook that are launched in ICA sessions.

Supported smart cards (with USB smart card readers) include:

  • Personal Identity Verification (PIV)
  • Common Access Cards (CAC)


  • StoreFront versions 3.6 or later
  • XenDesktop 7.6 or later
  • XenApp 6.5 or later
  • Citrix Virtual Apps and Desktops 1808 or later
  • Citrix Workspace app 1808 or later


Device configuration prerequisites

  • Google Smart Card Connector is an app that interacts with the USB smart card readers on the device. The connector app reveals Personal Computer Smart Card (PCSC) Lite APIs to other apps including the Citrix Workspace app.

  • Certificate providers are the middleware apps written by vendors that interact with the smart card connector. The middleware apps access the smart card reader, read certificates, and provide smart card certificates to ChromeOS.

    The middleware apps also implement signing functionality using PIN prompts. For example, CACKey.

    For more information, see Deploy Smartcards on ChromeOS.

  • When you configure smart card authentication on StoreFront, Citrix Workspace app requests ChromeOS to provide client certificates on the smart card. ChromeOS presents the certificates as received from the providers. PIN prompts indicate authentication.

    Citrix Workspace app has an approved list of allowed operating systems for smart card authentication. StoreFront 3.6 and later approve the ChromeOS as well. For earlier versions of StoreFront, you can use a custom script to allow smart card authentication on ChromeOS. Contact Citrix support for custom script.

  • Citrix Workspace app doesn’t control the smart card authentication workflow with StoreFront. However, in a few cases StoreFront can request you to close the browser to clear cookies.

    To clear all the cookies and load the Store URL again, click the reload button in Citrix Workspace app for ChromeOS.

    At times, to clear cookies furthermore, you can sign out from the ChromeOS device.

  • When you try to launch an app or a desktop session, Citrix Workspace app doesn’t use smart card redirection. Instead, it interacts with the smart card connector app for PC/SC lite APIs.

    PIN prompts required for Windows sign-in appear within the session. Here, the Certificate providers have no role. Citrix Workspace app manages the in-session activities like double hop or signing email.

Smart Card limitations

  • When you remove the smart card from the ChromeOS device, the smart card certificate is cached. The behavior is a known issue that exists in Google Chrome. Restart the ChromeOS device to clear the cache.
  • When Citrix Workspace app for ChromeOS is repackaged, as an administrator, get the appID approval by Google. Doing so confirms that the smart card connector application passes through.
  • Only one smart card reader is supported at a time.
  • Virtual smart cards and fast-smart cards aren’t supported.
  • Smart cards aren’t supported on Citrix Workspace (cloud).

To configure smart card support on your ChromeOS device

  1. Install the smart card connector application. The smart card application is required for Personal Computer Smart Card (PCSC) support on the ChromeOS device. This application reads the smart card using the USB interface. You can install this application from the Chrome website.

  2. Install the middleware application. A middleware application is required as an interface that communicates with the smart card and the other client certificates. For example, Charismathics or CACKey:

    • To install the Charismathics smart card extension or CACKey, see the instructions on the Chrome website.

    • For more information about middleware applications and smart card authentication, see the Google support site.

  3. Configure smart card authentication using:

    • Citrix Gateway
    • StoreFront Management Console

    For information, see Configuring Smart Card Authentication and Configure the Authentication Service in the Citrix Gateway documentation.

SAML authentication

To configure a single sign-on:

  1. Set up the third-party Identity provider (IdP) for SAML authentication if it isn’t already configured. For example, ADFS 2.0.

    For more information, see Knowledge Center article CTX133919.

  2. Set up single sign-on with Google Apps using SAML IdP. The configuration enables users to apply a third-party identity to use Google apps instead of the Google Enterprise account.

    For more information, see Set-up single sign-on for managed Google Accounts using third-party Identity providers on Google support.

  3. Configure Chrome devices to sign in through SAML IdP. The configuration enables users to sign in to Chrome devices using a third-party identity provider.

    For more information, see Configure SAML Single Sign-On for Chrome devices on Google support.

  4. Configure Citrix Gateway to sign in through SAML IdP. The configuration enables users to sign in to Citrix Gateway using a third-party identity provider.

    For more information, see Configuring SAML Authentication.

  5. Configure Citrix Virtual Apps and Desktops for Federated Authentication to sign in to Citrix Virtual Apps and Desktops sessions using dynamically generated certificates. You can do the action after the SAML sign-in instead of typing the user name and password combinations.

    For more information, see Federated Authentication Service.

    To achieve SSO for virtual apps and desktops, you must deploy a Federated Authentication Service (FAS).


    Without FAS, you’re prompted for the Active Directory user name and password. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

  6. Install and configure SAML SSO for the Chrome app extension on Chrome devices. For more information, see the Google website. This extension retrieves SAML cookies from the browser and provides them to Citrix Workspace. This extension must be configured with the following policy to allow Citrix Workspace to get SAML cookies.

    If you’re repackaging Citrix Workspace app for ChromeOS, change the appId correctly. Also, change the domain to your company’s SAML IdP domain.

        "whitelist" : {
            "Value" : [
                "appId" : "haiffjcadagjlijoggckpgfnoeiflnem",
                "domain" : ""
  7. Configure Citrix Workspace to use the Citrix Gateway configured for SAML sign-in. The configuration enables users to use the Citrix Gateway configured for SAML sign-in. For more information on ChromeOS configuration, see Knowledge Center article CTX141844.