Authenticate

Starting with Citrix Workspace app 2012, the authentication dialog is displayed inside Citrix Workspace app and the store details are shown on the sign-in screen, which improves the sign-in experience.

Authentication tokens are encrypted and stored so that you don’t need to reenter credentials when your system or session restarts.

Note:

This authentication enhancement is available only in cloud deployments.

Prerequisite:

Install the libsecret library.

This feature is disabled by default.

To enable this enhancement:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml.
  2. Set the value of AuthManLiteEnabled to true.

Authentication enhancement for Storebrowse

Note:

Starting with version 2205, this feature is generally available for Citrix Workspace app.

Starting with version 2203, the authentication dialog is present inside Citrix Workspace app and the store details are displayed on the logon screen for a better user experience. The authentication tokens are encrypted and stored so that you don’t need to reenter credentials when your system or session restarts.

The authentication enhancement supports storebrowse for the following operations:

  • Storebrowse -E: Lists the available resources.
  • Storebrowse -L: Launches a connection to a published resource.
  • Storebrowse -S: Lists the subscribed resources.
  • Storebrowse -T: Terminates all sessions of the specified store.
  • Storebrowse -Wr: Reconnects the disconnected yet active sessions of the specified store. The [r] option reconnects all the disconnected sessions.
  • storebrowse -WR: Reconnects the disconnected yet active sessions of the specified store. The [R] option reconnects all the active and disconnected sessions.
  • Storebrowse -s: Subscribes the specified resource from a given store.
  • Storebrowse -u: Unsubscribes the specified resource from a given store.
  • Storebrowse -q: Launches an application using the direct URL. This command works only for StoreFront stores.

Note:

  • You can continue to use the remaining storebrowse commands as before (using AuthManagerDaemon).
  • The authentication enhancement is applicable for cloud deployments only.
  • With this enhancement, the persistent login feature is supported.

Authentication enhancement for Storebrowse configuration

By default, the authentication enhancement feature is disabled.

If the gnome-keyring isn’t available, the token is stored in the selfservice process memory.

To enforce storage of the token in memory, disable gnome-keyring, using the following steps:

  1. Open /opt/Citrix/ICAClient/config/AuthManConfig.xml.
  2. Add the following entry:

    <GnomeKeyringDisabled>true</GnomeKeyringDisabled>

Smart card

To configure smart card support in Citrix Workspace app for Linux, you must configure StoreFront server through the StoreFront console.

Citrix Workspace app supports smart card readers that are compatible with PCSC-Lite and with the appropriate PKCS#11 drivers. By default, Citrix Workspace app locates opensc-pkcs11.so in one of the standard locations.

Citrix Workspace app can also use opensc-pkcs11.so from a non-standard location, or another PKCS#11 driver. To store the location, use the following procedure:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml.
  2. Locate the line <key>PKCS11module</key> and add the driver location to the <value> element immediately following the line.

    Note:

    If you enter a file name for the driver location, Citrix Workspace app looks for that file in the $ICAROOT/PKCS#11 directory. You can also use an absolute path beginning with “/”.

To configure how Citrix Workspace app behaves when a smart card is removed, update SmartCardRemovalAction using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>SmartCardRemovalAction</key> and add noaction or forcelogoff to the <value> element immediately following the line.

The default behavior is noaction. No action is taken to clear stored credentials and generated tokens on removal of the smart card.

The forcelogoff action clears all credentials and tokens within StoreFront on removal of the smart card.
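
The following added example (not Citrix code) reviews the AuthManConfig.xml settings described on this page: AuthManLiteEnabled, GnomeKeyringDisabled, PKCS11module and SmartCardRemovalAction. The sample file, its root element name and the function names are assumptions made for illustration. The check that the PKCS#11 driver is not writable by other users is an addition, on the grounds that the driver is a shared library loaded by the client.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample; the root element name and layout are assumptions.
SAMPLE = """<AuthManConfig>
  <key>AuthManLiteEnabled</key><value>true</value>
  <key>PKCS11module</key><value>opensc-pkcs11.so</value>
  <key>SmartCardRemovalAction</key><value>noaction</value>
  <GnomeKeyringDisabled>true</GnomeKeyringDisabled>
</AuthManConfig>"""

def load_settings(xml_text):
    """Collect <key>/<value> sibling pairs and simple <Name>text</Name> elements."""
    settings = {}
    for parent in ET.fromstring(xml_text).iter():
        pending = None
        for child in parent:
            text = (child.text or "").strip()
            if child.tag == "key":
                pending = text
            elif child.tag == "value" and pending is not None:
                settings[pending], pending = text, None
            elif child.tag != "value" and len(child) == 0 and text:
                settings[child.tag] = text
    return settings

def resolve_pkcs11(value, icaroot):
    """An absolute path is used as is; a file name is looked up in $ICAROOT/PKCS#11."""
    return value if value.startswith("/") else os.path.join(icaroot, "PKCS#11", value)

def audit(xml_text, icaroot="/opt/Citrix/ICAClient"):
    s = load_settings(xml_text)
    flag = lambda name: s.get(name, "false").lower() == "true"
    findings = []
    action = s.get("SmartCardRemovalAction") or "noaction"  # documented default
    if action == "noaction":
        findings.append("SmartCardRemovalAction=noaction: credentials and tokens stay after card removal")
    elif action != "forcelogoff":
        findings.append(f"SmartCardRemovalAction={action}: not a documented value")
    if flag("AuthManLiteEnabled"):
        store = "process memory only" if flag("GnomeKeyringDisabled") else "gnome-keyring if available"
        findings.append(f"AuthManLiteEnabled=true: tokens stored in {store}")
    if s.get("PKCS11module"):
        path = resolve_pkcs11(s["PKCS11module"], icaroot)
        if not os.path.isfile(path):
            findings.append(f"PKCS11module: {path} does not exist")
        elif os.stat(path).st_mode & 0o022:  # added check, not from the page
            findings.append(f"PKCS11module: {path} is group- or world-writable")
    return findings
```

To review a real installation, pass the text of $ICAROOT/config/AuthManConfig.xml to audit() together with the value of $ICAROOT.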

Enabling smart card support

Citrix Workspace app supports various smart card readers if smart card support is enabled on both the server and Citrix Workspace app.

You can use smart cards for the following purposes:

  • Smart card logon authentication - Authenticates you to Citrix Virtual Apps and Desktops or Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) servers.
  • Smart card application support - Enables smart card-aware published applications to access the local smart card devices.

Smart card data is security sensitive and must be transmitted over a secure authenticated channel, such as TLS.

Smart card support has the following prerequisites:

  • Your smart card readers and published applications must be PC/SC industry standard compliant.
  • Install the appropriate driver for your smart card.
  • Install the PC/SC Lite package.
  • Install and run the pcscd Daemon, which provides middleware to access the smart card using PC/SC.
  • On a 64-bit system, both 64-bit and 32-bit versions of the “libpcsclite1” package must be present.

For more information about configuring smart card support on servers, see Smart cards in the Citrix Virtual Apps and Desktops documentation.

Enhancement on smart card support

Note:

This feature is generally available for Citrix Workspace app.

Starting with version 2112, Citrix Workspace app supports Plug and Play functionality for smart card readers.

When you insert a smart card, the smart card reader detects the smart card in the server and client.

You can plug-and-play different cards at the same time, and all of these cards are detected.

Prerequisites:

Install the libpcscd library on the Linux client.

Note:

This library might be installed by default in the recent versions of most Linux distributions. However, you might need to install the libpcscd library in earlier versions of some Linux distributions, such as Ubuntu 1604.

To disable this enhancement:

  1. Open the <ICAROOT>/config/module.ini file.
  2. Go to the SmartCard section.
  3. Set DriverName=VDSCARD.DLL.

Support for multi-factor (nFactor) authentication

Multifactor authentication enhances the security of an application by requiring users to provide extra proof of identity to gain access.

Multifactor authentication makes authentication steps and the associated credential collection forms configurable by the administrator.

Native Citrix Workspace app supports this protocol by building on the Forms sign in support already implemented for StoreFront. The web sign-in pages for Citrix Gateway and Traffic Manager virtual servers also consume this protocol.

For more information, see SAML authentication and Multi-Factor (nFactor) authentication in the Citrix ADC documentation.
