Authenticate

Smart card

Citrix Workspace app for Chrome provides support for USB smart card readers with StoreFront. You can use smart cards for the following purposes:

  • Smart card logon authentication to Citrix Workspace app for Chrome.
  • Smart card-aware published apps to access local smart card devices.
  • Applications such as Microsoft Word and Outlook that are launched in ICA sessions can access smart cards for signing documents and email.

Supported smart cards include:

  • PIV cards
  • common access cards

Prerequisites:

  • StoreFront versions 3.6 or later

Important:

For smart card authentication to StoreFront 3.5 or earlier, users require a custom script to enable smart card authentication. Contact Citrix Support for details.

  • XenDesktop 7.6 or later
  • XenApp 6.5 or later

To configure smart card support on your Chrome device:

  1. Install the smart card connector application. Note that the smart card application is required for PCSC support on the Chrome device. This application reads the smart card using the USB interface. You can install this application from the Chrome website.

  2. Install the middleware application. Note that a middleware application (for example, Charismathics, or CACKey) is required because it serves as an interface that communicates with the smart card and other client certificates.

    • To install the Charismathics smart card extention or CACKey, see the instructions on the Chrome website.

    • For more information about middleware applications and smart card authentication, see the Google support site.

  3. Configure smart card authentication using Citrix Gateway. For more details, see Configuring Smart Card Authentication in Citrix Gateway documentation.

Limitations:

  • The smart card certificate is cached even after the smart card is removed from the Chrome device. This is a known issue that exists in Google Chrome. Restart the Chrome device to clear the cache.
  • When Citrix Workspace app for Chrome is repackaged, administrators should get the appID whitelisted by Google to ensure that the smart card connector application passes through.
  • Only one smart card reader is supported at a time.

SAML authentication

To configure Single Sign-on:

  1. Set up the third-party Identity provider (IdP) for SAML authentication if it is not already configured (for example, ADFS 2.0). For more information, see Knowledge Center article CTX133919.
  2. Setup Single Sign-on with Google Apps using SAML IdP; this enables users to leverage third-party identity to use Google apps instead of the Google Enterprise account. For more information, see Set up Single Sign-On (SSO) for Google Apps accounts using third-party identity providers on Google support.
  3. Configure Chrome devices to log on via SAML IdP.This enables users to log on to Chrome devices using a third-party identity provider. For more information, see Configure SAML Single Sign-On for Chrome devices on Google support.
  4. Configure Citrix Gateway to log on via SAML IdP. This enables users to log on to Citrix Gateway using a third-party identity provider. For more information, see Configuring SAML Authentication.
  5. Configure Citrix Virtual Apps and Desktops for Federated Authentication to allow logons to Citrix Virtual Apps and Desktops sessions using dynamically generated certificates after the SAML logon process instead of typing username/password combinations. For more information, see Federated Authentication Service.
  6. Install and configure SAML SSO for Chrome app extension on Chrome devices. For more information, see the Google website. This extension retrieves SAML cookies from the browser and provides them to Citrix Workspace. This extension must be configured with the following policy to allow Citrix Workspace to get SAML cookies.

    {
        "whitelist" : {
            "Value" : [
                {
                "appId" : "haiffjcadagjlijoggckpgfnoeiflnem",
                "domain" : "saml.yourcompany.com"
                }
            ]
         }
    }
    

    If you are repackaging Citrix Workspace app for Chrome, change the appId accordingly. In addition, change the domain to your company’s SAML IdP domain.

  7. Configure Citrix Workspace to use Citrix Gateway configured for SAML logon. This enables users to use the Citrix Gateway configured for SAML logon. For more information on Chrome configuration, see Knowledge Center article CTX141844.

Authenticate