Authenticate

Smart card

To configure smart card support in Citrix Workspace app for Linux, you must configure the StoreFront server through the StoreFront console to allow smart card authentication. Enable the required protocol from the StoreFront console.

Note:

Smart cards are not supported with the Citrix Virtual Apps Services site for Web Interface configurations (formerly known as Program Neighborhood Agent), or with the “legacy PNAgent” site that can be provided by a StoreFront server.

Citrix Workspace app for Linux supports smart card readers that are compatible with PCSC-Lite and smart cards with PKCS#11 drivers for the appropriate Linux platform. By default, Citrix Workspace app for Linux now locates opensc-pkcs11.so in one of the standard locations. To ensure that Citrix Workspace app for Linux finds either opensc-pkcs11.so in a non-standard location or another PKCS#11 driver, store the location in a configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>PKCS11module</key> and add the driver location to the <value> element immediately following the line.

    Note:

    If you enter a file name for the driver location, Citrix Workspace app navigates to that file in the $ICAROOT/PKCS#11 directory. Alternatively, you can use an absolute path beginning with “/”.

To configure the behavior of Citrix Workspace app for Linux when a smart card is removed, update SmartCardRemovalAction in the configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>SmartCardRemovalAction</key> and add ‘noaction’ or ‘forcelogoff’ to the <value> element immediately following the line.

The default behavior is ‘noaction’: when the smart card is removed, no action is taken to clear the stored credentials or the tokens generated for that smart card. The ‘forcelogoff’ action clears all credentials and tokens within StoreFront when the smart card is removed.
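
The following audit script is an added example, not Citrix code. It reads the PKCS11module and SmartCardRemovalAction settings described above, resolves the driver location the way the note describes, and reports a removal action that leaves credentials in place or a driver file that is missing or writable by other users. The sample document's enclosing elements and the file-permission check are assumptions added here; only the <key>/<value> pairing and the two action values come from this page.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample; the enclosing element names are assumptions.
SAMPLE = """<dict><AuthManLite>
  <key>PKCS11module</key>
  <value>opensc-pkcs11.so</value>
  <key>SmartCardRemovalAction</key>
  <value>noaction</value>
</AuthManLite></dict>"""


def read_settings(xml_text):
    """Map each <key> to the <value> element immediately following it."""
    settings = {}
    for parent in ET.fromstring(xml_text).iter():
        children = list(parent)
        for cur, nxt in zip(children, children[1:]):
            if cur.tag == "key" and nxt.tag == "value":
                settings[(cur.text or "").strip()] = (nxt.text or "").strip()
    return settings


def resolve_module(value, icaroot):
    """A bare file name resolves under $ICAROOT/PKCS#11; "/" starts an absolute path."""
    return value if value.startswith("/") else os.path.join(icaroot, "PKCS#11", value)


def audit(xml_text, icaroot):
    """Return findings for SmartCardRemovalAction and PKCS11module."""
    findings = []
    cfg = read_settings(xml_text)
    action = cfg.get("SmartCardRemovalAction") or "noaction"  # documented default
    if action not in ("noaction", "forcelogoff"):
        findings.append(f"SmartCardRemovalAction: unsupported value {action!r}")
    elif action == "noaction":
        findings.append("SmartCardRemovalAction: credentials and tokens stay after card removal")
    name = cfg.get("PKCS11module", "")  # empty: the app searches standard locations
    path = resolve_module(name, icaroot) if name else None
    if path and not os.path.isfile(path):
        findings.append(f"PKCS11module: {path} not found")
    elif path and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"PKCS11module: {path} is group- or world-writable")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, os.environ.get("ICAROOT", "."))))
```

To check a real installation, pass the contents of $ICAROOT/config/AuthManConfig.xml and the value of $ICAROOT to audit() in place of the sample.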

Enabling smart card support

Citrix Workspace app for Linux supports various smart card readers. If smart card support is enabled for both the server and Citrix Workspace app, you can use smart cards for the following purposes:

  • Smart card logon authentication. Use smart cards to authenticate users to Citrix Virtual Apps servers.
  • Smart card application support. Enable smart card-aware published applications to access local smart card devices.

Smart card data is security sensitive and should be transmitted over a secure authenticated channel, such as TLS.

Smart card support has the following prerequisites:

  • Your smart card readers and published applications must be PC/SC industry standard compliant.
  • Install the appropriate driver for your smart card.
  • Install the PC/SC Lite package.
  • Install and run the pcscd daemon, which provides middleware to access the smart card using PC/SC.
  • On a 64-bit system, both 64-bit and 32-bit versions of the “libpcsclite1” package must be present.

Important:

If you are using the SunRay terminal with SunRay server software Version 2.0 or later, install the PC/SC SRCOM bypass package, available for download from http://www.sun.com/.

For more information about configuring smart card support on your servers, see the Citrix Virtual Apps and Desktops documentation.

V3 authentication protocol

“V3” authentication indicates the third major definition of a logon protocol to Citrix Gateway that is supported by Citrix Workspace app for Linux.

V3 is the standard logon protocol for Citrix Gateway in combination with the “N-Factor” authentication policy framework that makes authentication steps and the associated credential collection forms completely configurable. Native Citrix Workspace app can support this protocol by building on the Forms logon support already implemented for StoreFront. The web logon page for Citrix Gateway and Traffic Manager virtual servers also consumes this protocol using code shared with Citrix Workspace app for Linux.

For more information, see SAML Authentication and Knowledge Center article NetScaler Authentication.