Product Documentation

User Authentication and Identity Verification

May 09, 2015
Two types of authentication exist in Single Sign-on:
  • Primary authentication, which occurs when users type their primary user names, passwords, and, optionally, domain name when logging on to Microsoft Windows to access their corporate or enterprise network. The existing Windows security subsystem is responsible for managing network authentication.
  • Secondary authentication, which occurs when you configure Single Sign-on to submit credentials that allow users to access protected Single Sign-on enabled resources. These resources can include an enterprise application, a Web application, a protected field in an application, an IP address, a URL, and so on.

After a successful network authentication, Single Sign-on obtains the primary password from the Windows logon and, along with other variables, uses it to derive the encryption key that protects the user's stored credentials. The plug-in software uses this key to retrieve and decrypt the credentials as applications or resources request them. Because the key depends on the primary password, a password change that the plug-in software did not observe leaves the stored credentials encrypted under a key it can no longer derive; the identity verification events described below exist so that the key can be recovered safely in those cases.

Important: If a user's password is compromised, reset the user's password twice rather than once, so that the compromised password is no longer accepted by the previous password verification method. The user must log on with each new password in turn so that the plug-in software can capture each change; a reset that the plug-in software never sees does not advance the previous password.

When Must Users Confirm Their Identities?

Each time users log on to your environment, they confirm their identity by typing their user name and password or by using a smart card or other authentication device that uniquely identifies who they are.

However, several events require a second layer of authentication to verify that the user initiating the change is the user authorized to do so:

Event: An administrator changes a user's primary password
Description: When administrators change users' primary passwords, users are then prompted to confirm their identity to ensure that the authorized user is logged on.

Event: Users reset their primary password using Account Self-Service
Description: When users reset their primary password using Account Self-Service, they are prompted to further confirm their identity. Do not use the Prompt user to enter the previous password authentication option if you enable the self-service features.

Event: Users unlock their domain account using Account Self-Service
Description: When users unlock their account using the self-service features, they are prompted to further confirm their identity.

Event: Users change their authentication type
Description: For example, when users switch from smart card authentication to password-based authentication, they are prompted to further confirm their identity.

Event: Password change on a client device not running Single Sign-on
Description: Users who change their primary password on a client device not running the plug-in software are prompted to confirm their identity the next time they log on to a client device running the plug-in software.

Your users can confirm their identity using one or more of the options you can specify to meet your organization’s requirements.

Overview of Identity Verification Methods

Single Sign-on includes two identity verification methods to help ensure that the user is authorized to use Single Sign-on:

  • Previous password
  • Security questions

You can also choose to bypass identity verification by using the automatic key management feature.

You can allow users to choose the identity verification method (previous passwords or security questions) they prefer to use when authenticating. This option is available as part of Secondary Data Protection property in the user configuration.

Previous Password

With this method, users verify their identities by typing their previous primary password.

Caution: When previous password is the only method available to your users, users who forget their previous primary password are locked out of their Single Sign-on data. Their user data must be deleted from the central store and from all client devices on which it is stored, and they must reenter their credentials for all of their applications.

Security Questions

When users change their primary passwords, you can confirm your users’ identities by prompting them to answer security questions in the form of a questionnaire you create. This questionnaire appears the first time your users launch the plug-in software. Users answer the required number of security questions and are prompted to reenter this information at specific password change events.

The questions in your questionnaire should be of a nature that ensures the person answering the question is the only person who knows or could easily provide the answer. You can use the default questions Single Sign-on provides or create your own.

Bypassing Identity Verification

Important: Automatic key management is not as secure as other key recovery mechanisms such as security questions and previous password.

If you want Single Sign-on to bypass identity verification and retrieve user encryption keys automatically, you can specify the Secondary Data Protection option Do not prompt users; restore primary data protection automatically over the network.

This method, known as automatic key management, is available when you install the Key Management Module and you create a user configuration with this option selected.

With this method, users log on to the network and have immediate access to applications managed by Single Sign-on. There are no questions to answer. When users change their primary passwords, the plug-in software detects these password changes and recovers the users’ encryption keys using the Single Sign-on Service.

Automatic key management provides users with the easiest and fastest access to their applications. However, it does not protect against access by an unauthorized user who knows, or can reset, the user's network password, because no additional user-held secret protects the user's encryption key. To reduce this exposure, implement automatic key management in combination with the Self-Service Module. This module requires question-based authentication to allow your users to confirm their identity when resetting their primary passwords or unlocking their domain accounts.

If Users Switch among Multiple Primary Authentication Methods

In Single Sign-on, users can switch among multiple primary authentication methods. Single Sign-on keeps a separate copy of the user's security key, protected by each registered authentication method, so that the user's data can be unlocked each time the user switches between methods without the user having to verify identity again.

The option to select multiple primary authentication methods is available as part of the Data Protection Methods page in the user configuration.

Consider the following user scenario:

  • A call center supervisor logs on to a computer using primary credentials (Windows user name and password). Single Sign-on Plug-in software is installed on the computer and allows the supervisor to use Single Sign-on (SSO) enabled applications.
  • The supervisor occasionally uses a smart card with PIN to log on to a shared computer on the call center floor and launch another published application through XenApp. This computer uses Hot Desktop to enable fast user switching among different accounts.

In Citrix Password Manager Versions 4.0 and 4.1, the call center supervisor was required to verify identity before using the SSO-enabled applications after changing primary authentication methods. In this use case, the supervisor used two primary authentication methods: first a user name and password, then a smart card with PIN. Password Manager Versions 4.0 and 4.1 treated the change of authentication method as requiring security key recovery and therefore could require the supervisor to verify identity.

Users must register or enroll each new authentication method the first time they use or switch to it. Later switches do not require registration or enrollment (that is, no further key recovery is required).
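The following Python model, added here as an illustration and not Citrix code, ties together the password-derived key described under "User Authentication and Identity Verification", the previous password method and its "reset twice" caveat, and the per-method key copies described in this section. Single Sign-on's actual derivation and wrapping scheme is not published on this page, so PBKDF2-HMAC-SHA256 and an HMAC-based encrypt-then-MAC wrap of a random data key are assumed stand-ins, the "other variables" are modeled as a per-user identifier plus a random salt, and the smart card is modeled as a secret released after PIN entry. The store names, method names, and demo passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed stand-ins for the product's unpublished scheme: a PBKDF2 key derived from
# the primary secret plus "other variables" (user id and salt), wrapping a random
# 32-byte data key that in turn protects the stored application credentials.

def derive_kek(secret: str, salt: bytes, user_id: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(),
                               user_id.encode() + b"\x00" + salt, 100_000, 32)

def wrap(kek: bytes, data_key: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(data_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()):
        return None                      # wrong secret or tampered blob
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class CredentialStore:
    """One user's store: the same data key wrapped once per registered primary
    authentication method, plus one copy under the previous primary password."""

    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self.slots = {}        # method name -> (salt, wrapped data key)
        self.previous = None   # (salt, wrapped data key) under the previous password
        self._add_slot("password", password, os.urandom(32))

    def _add_slot(self, method, secret, data_key):
        salt = os.urandom(16)
        self.slots[method] = (salt, wrap(derive_kek(secret, salt, self.user_id), data_key))

    def _open(self, slot, secret):
        salt, blob = slot
        return unwrap(derive_kek(secret, salt, self.user_id), blob)

    def unlock(self, method, secret):
        """Normal logon: any registered method opens the store, no verification."""
        return self._open(self.slots[method], secret) if method in self.slots else None

    def register_method(self, method, secret, data_key):
        """First use of an additional method (e.g. smart card): wrap the key again."""
        self._add_slot(method, secret, data_key)

    def password_changed(self, old_password, new_password):
        """Plug-in captures a change made while logged on with the old password."""
        key = self.unlock("password", old_password)
        if key is None:
            raise ValueError("old password does not open the store")
        self.previous = self.slots["password"]
        self._add_slot("password", new_password, key)

    def admin_reset(self):
        """Administrator resets the Windows password: the store cannot be re-keyed,
        so the stale password slot becomes the 'previous' copy and a verification
        event is pending at the user's next logon."""
        self.previous = self.slots.pop("password")

    def accepts_previous(self, candidate):
        return self.previous is not None and self._open(self.previous, candidate) is not None

    def recover_with_previous_password(self, candidate, new_password):
        """Identity verification: only the previous primary password opens the store."""
        key = self._open(self.previous, candidate) if self.previous else None
        if key is None:
            return False
        self._add_slot("password", new_password, key)
        return True

def reset_twice_demo():
    """After one change the leaked password still passes previous-password
    verification; after a second change it no longer does."""
    store = CredentialStore("alice", "Leaked-pw-1")
    store.password_changed("Leaked-pw-1", "Fresh-pw-2")     # first reset, user logs on
    after_one = store.accepts_previous("Leaked-pw-1")
    store.password_changed("Fresh-pw-2", "Fresh-pw-3")      # second reset, user logs on
    after_two = store.accepts_previous("Leaked-pw-1")
    return after_one, after_two

def admin_reset_demo():
    store = CredentialStore("bob", "Old-pw")
    store.admin_reset()
    stale = store.unlock("password", "Reset-by-admin")      # None: verification pending
    verified = store.recover_with_previous_password("Old-pw", "Reset-by-admin")
    return stale is None, verified, store.unlock("password", "Reset-by-admin") is not None

def switch_methods_demo():
    """Enrol a second primary method once; later switches need no verification."""
    store = CredentialStore("supervisor", "Win-pw")
    key = store.unlock("password", "Win-pw")
    store.register_method("smartcard", "card-secret-after-pin", key)
    return (store.unlock("smartcard", "card-secret-after-pin") == key,
            store.unlock("smartcard", "wrong-secret") is None)
```

In this model the "previous password" copy is exactly one step deep, which is why `reset_twice_demo` reports that a single change leaves the leaked password usable for verification. An automatic key management deployment would replace `recover_with_previous_password` with a call that takes no user secret at all, which is the exposure the Important note above describes.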