Authenticate

Smart card

Citrix Workspace app for Chrome OS supports USB smart card readers with StoreFront. You can use smart cards for the following purposes:

  • Smart card sign in authentication to Citrix Workspace app.
  • Smart card-aware published apps to access local smart card devices.
  • Smart cards for signing documents and email. For example, Microsoft Word and Outlook that are launched in ICA sessions.

Supported smart cards (with USB smart card readers) include:

  • Personal Identity Verification (PIV)
  • Common Access Cards (CAC)

Prerequisites

  • StoreFront versions 3.6 or later
  • XenDesktop 7.6 or later
  • XenApp 6.5 or later
  • Citrix Virtual Apps and Desktops 1808 or later
  • Citrix Workspace app 1808 or later

Important:

Device configuration prerequisites

  • Google Smart Card Connector is an app that interacts with the USB smart card readers on the device. The connector app exposes Personal Computer Smart Card (PCSC) Lite APIs to other apps including the Citrix Workspace app.

  • Certificate providers are the middleware apps written by vendors that interact with the smart card connector. The middleware apps access the smart card reader, read certificates, and provide smart card certificates to Chrome OS.

    The middleware apps also implement signing functionality using PIN prompts. For example, CACKey. For more information, see Deploy Smartcards on ChromeOS.

  • When you configure smart card authentication on StoreFront, Citrix Workspace app requests Chrome OS to provide client certificates on the smart card. Chrome OS presents the certificates as received from the providers. PIN prompts indicate authentication.

    Citrix Workspace app has an approved list of allowed operating systems for smart card authentication. StoreFront 3.6 and later approve the Chrome OS as well. For earlier versions of StoreFront, you can use custom script to allow smart card authentication on Chrome OS. Contact Citrix support for custom script.

  • Citrix Workspace app doesn’t control smart card authentication workflow with StoreFront. However, in a few cases StoreFront can request you to close the browser to clear cookies.

    To clear all the cookies and the load Store URL again, click the reload button reload button in Citrix Workspace app for Chrome OS.

    At times, to clear cookies furthermore, you can sign out from the Chrome OS device.

  • When you attempt to launch an app or a desktop session, Citrix Workspace app doesn’t use smart card redirection. Instead, it interacts with the smart card connector app for PC/SC lite APIs.

    PIN prompts required for Windows sign in appear within the session. Here, the Certificate providers have no role. Citrix Workspace app manages the in-session activities like double hop or signing email.

Limitations

  • When you remove the smart card from the Chrome OS device, the smart card certificate is cached. The behavior is a known issue that exists in Google Chrome. Restart the Chrome OS device to clear the cache.
  • When Citrix Workspace app for Chrome OS is repackaged, as an administrator, get the appID approval by Google. Doing so confirms that the smart card connector application passes through.
  • Only one smart card reader is supported at a time.
  • Virtual smart cards and fast smart cards aren’t supported.
  • Smart cards aren’t supported on Citrix Workspace (cloud).

To configure smart card support on your Chrome OS device

  1. Install the smart card connector application. The smart card application is required for Personal Computer Smart Card (PCSC) support on the Chrome OS device. This application reads the smart card using the USB interface. You can install this application from the Chrome website.

  2. Install the middleware application. A middleware application is required as an interface that communicates with the smart card and the other client certificates. For example, Charismathics or CACKey:

    • To install the Charismathics smart card extension or CACKey, see the instructions on the Chrome website.

    • For more information about middleware applications and smart card authentication, see the Google support site.

  3. Configure smart card authentication using:

    • Citrix Gateway
    • StoreFront Management Console

    For information, see Configuring Smart Card Authentication and Configure the Authentication Service in the Citrix Gateway documentation.

SAML authentication

To configure single sign-on:

  1. Set up the third-party Identity provider (IdP) for SAML authentication if it isn’t already configured. For example, ADFS 2.0.

    For more information, see Knowledge Center article CTX133919.

  2. Set up single sign-on with Google Apps using SAML IdP. The configuration enables users to apply third-party identity to use Google apps instead of the Google Enterprise account.

    For more information, see Set up single sign-on for managed Google Accounts using third-party Identity providers on Google support.

  3. Configure Chrome devices to sign in through SAML IdP. The configuration enables users to sign in to Chrome devices using a third-party identity provider.

    For more information, see Configure SAML Single Sign-On for Chrome devices on Google support.

  4. Configure Citrix Gateway to sign in through SAML IdP. The configuration enables users to sign in to Citrix Gateway using a third-party identity provider.

    For more information, see Configuring SAML Authentication.

  5. Configure Citrix Virtual Apps and Desktops for Federated Authentication to allow sign in to Citrix Virtual Apps and Desktops sessions using dynamically generated certificates. You can do the action after the SAML sign in process instead of typing the user name and password combinations.

    For more information, see Federated Authentication Service.

  6. Install and configure SAML SSO for the Chrome app extension on Chrome devices. For more information, see the Google website. This extension retrieves SAML cookies from the browser and provides them to Citrix Workspace. This extension must be configured with the following policy to allow Citrix Workspace to get SAML cookies.

    If you’re repackaging Citrix Workspace app for Chrome OS, change the appId correctly. Also, change the domain to your company’s SAML IdP domain.

    {
        "whitelist" : {
            "Value" : [
                {
                "appId" : "haiffjcadagjlijoggckpgfnoeiflnem",
                "domain" : "saml.yourcompany.com"
                }
            ]
         }
    }
    <!--NeedCopy-->
    
  7. Configure Citrix Workspace to use Citrix Gateway configured for SAML sign in. The configuration enables users to use the Citrix Gateway configured for SAML sign in. For more information on Chrome OS configuration, see Knowledge Center article CTX141844.

Authenticate