StoreFront

Authentication

Authentication methods

Normally users either authenticate directly to StoreFront, or to a Citrix Gateway in front of StoreFront. Depending on your requirements, there are several authentication methods available.

| Method | Detail |
|---|---|
| Username and password | Users enter their Active Directory username and password. |
| Domain pass-through | Windows devices single sign-on using the account they used to log in to Windows. |
| Smart card | Users swipe a smart card and enter a PIN. This uses the certificate stored on the smart card to authenticate the user. |
| SAML | Delegate authentication to third party identity providers using SAML. |
| HTTP Basic | Allows third party integrations to authenticate users using their Active Directory username and password. See the Post Credentials API in the Web API developer documentation. HTTP Basic does not provide a user interface for users to authenticate. |
| Pass-through from Citrix Gateway | Allow users to authenticate at a Citrix Gateway. |

Alternatively, when creating a new store, you can disable authentication and instead allow anonymous access to the stores. See Create store.

Select authentication methods

For each store you can choose one or more authentication methods that are available when logging in to the store through Citrix Workspace app.

  1. Select the Store node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Manage Authentication Methods.
  2. Specify the access methods that you want to enable for your users.

Screenshot of Manage Authentication Methods screen

Modifying the authentication methods for a store also updates the authentication methods used when accessing the store through a web browser. To change authentication methods when logging on through a web browser, see Authentication Methods.

Select authentication methods using PowerShell

To configure authentication using PowerShell:

  1. Call Get-STFAuthenticationService to get the authentication service for a store or a virtual directory and to view its current configuration.

  2. On the authentication service, enable or disable the required authentication protocols. To get a list of available protocols, run Get-STFAuthenticationServiceProtocol. To enable the protocols, run Enable-STFAuthenticationServiceProtocol with a list of protocols to enable. To disable the protocols, run Disable-STFAuthenticationServiceProtocol with the list of protocols to disable.
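The two steps above can be combined into a script that reconciles a store's enabled protocols against an allow-list, so that a method such as HTTP Basic does not stay enabled unnoticed. This is an added example, not Citrix's own code. The virtual path `/Citrix/StoreAuth`, the protocol names in `$Allowed`, and the `Name` and `Enabled` properties on the returned protocol objects are assumptions to confirm against the output of Get-STFAuthenticationServiceProtocol on your server.

```powershell
# Added example: reconcile enabled authentication protocols with an allow-list.
# Assumptions: run in an elevated PowerShell session on a StoreFront server;
# the virtual path and protocol names below are placeholders for your deployment;
# protocol objects are assumed to expose Name and Enabled properties.
param(
    [string]   $VirtualPath = '/Citrix/StoreAuth',
    [string[]] $Allowed     = @('ExplicitForms', 'CitrixAGBasic'),
    [switch]   $Apply       # without -Apply the script only reports the drift
)

$ErrorActionPreference = 'Stop'

# Step 1: get the authentication service and its current protocol state.
$auth      = Get-STFAuthenticationService -VirtualPath $VirtualPath
$protocols = Get-STFAuthenticationServiceProtocol -AuthenticationService $auth

# Stop if the allow-list names a protocol this service does not offer,
# so that a typo cannot lead to every real method being disabled.
$unknown = $Allowed | Where-Object { $_ -notin $protocols.Name }
if ($unknown) { throw "Not available on ${VirtualPath}: $($unknown -join ', ')" }

# Work out the drift between the current state and the allow-list.
$toEnable  = @($protocols | Where-Object { $_.Name -in $Allowed -and -not $_.Enabled } |
               ForEach-Object { $_.Name })
$toDisable = @($protocols | Where-Object { $_.Name -notin $Allowed -and $_.Enabled } |
               ForEach-Object { $_.Name })

"Protocols to enable : $($toEnable -join ', ')"
"Protocols to disable: $($toDisable -join ', ')"

if ($Apply) {
    # Step 2: enable first, then disable, so the store always has a usable method.
    if ($toEnable) {
        Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth -Name $toEnable
    }
    if ($toDisable) {
        Disable-STFAuthenticationServiceProtocol -AuthenticationService $auth -Name $toDisable
    }
    # Re-read the configuration to confirm the final state.
    Get-STFAuthenticationServiceProtocol -AuthenticationService $auth |
        Sort-Object Name | Format-Table Name, Enabled -AutoSize
}
```

Run it without `-Apply` first to review the reported drift. If the authentication service is shared between stores, the change affects every store that uses it.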

Authentication method settings

Some authentication methods have additional settings. Select the Settings drop-down list to see available options. For more information, see the page for that authentication method.

Shared authentication service settings

You can configure one store to share the authentication service of another store, enabling single sign-on between them.

  1. Open Manage Authentication Methods.
  2. From the Advanced drop-down menu, select Shared authentication service settings.
  3. Click the Use shared authentication service check box and select a store from the Store name drop-down menu.

Note:

There is no functional difference between a shared and dedicated authentication service. An authentication service shared by more than two stores is treated as a shared authentication service and any configuration changes affect the access to all the stores using the shared authentication service.

Install or uninstall authentication methods

You can customize existing methods or create your own authentication methods using the Authentication SDK.

If you have installed a new custom authentication method on the server, you must also install it for each existing store where you wish to use it. From the Manage Authentication Methods screen, select Advanced, then Install or uninstall authentication methods.

Single sign-on to VDAs

Some authentication methods include the ability to single sign-on to VDAs; see each individual authentication method for more details. Otherwise, single sign-on can be achieved using Federated Authentication Service.
