date 2017-01-12

Organizations that authenticate with smart cards have struggled for years to reduce the number of PIN prompts a user must answer to log in securely to published applications and desktops.

At Synergy last year, Citrix announced the Federated Authentication Service (FAS). With FAS, an external IdP asserts the user's identity to the NetScaler; NetScaler passes that identity to StoreFront, and StoreFront asks FAS to issue a short-lived user certificate from a Microsoft CA that authenticates the user to the published desktop or application. Using only the internal half of this design, organizations that authenticate with smart cards can achieve single sign-on (SSON) to published applications and desktops.

What is nice about this solution is that the communication between NetScaler and StoreFront is nothing new: NetScaler simply asserts the user's identity to StoreFront, as it already does today. This means the internal side of the solution (StoreFront, FAS, and a Microsoft CA) works without the external IdP component. If a user can authenticate to NetScaler or StoreFront with a method that is already available, such as a smart card (CAC/PIV), FAS can issue a short-lived user certificate on that user's behalf, and the logon to the published application or desktop uses that certificate, so no second PIN entry is required. Once in the session the physical smart card remains available for its usual purposes, such as authenticating to other services and S/MIME. One caveat: the FAS server holds the enrollment agent (registration authority) certificate that lets it request logon certificates for every user covered by its rules, so it is a high-value target and should be hardened and monitored like a domain controller.

What does it look like?

To implement this solution, follow all of the instructions for the StoreFront, FAS, and CA components but skip the IdP configuration on the NetScaler side. Keep using the authentication method your organization already applies to the VIP, most likely client certificate validation with an AD account lookup (a username field from the certificate, such as the UPN in its subject alternative name, is matched to an AD account). The diagram below shows that no IdP component is involved.
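As an added example, not code from the original article, this is the StoreFront half of that configuration in PowerShell, following the cmdlets Citrix documents in the StoreFront SDK for enabling FAS: the store's authentication service is switched to the FAS claims factory and the store's launch options to the FAS logon data provider, then both settings are read back as a check. The store virtual path `/Citrix/Store` is an assumption; adjust it to the store in your deployment.

```powershell
# Added example: enable FAS on a StoreFront store.
# Run in an elevated PowerShell session on the StoreFront server.
# Assumption: the store virtual path is /Citrix/Store.
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module

$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth  = Get-STFAuthenticationService -StoreService $store

# Have StoreFront obtain a FAS user certificate for the authenticated
# identity (asserted by NetScaler or by smart card at StoreFront itself)
# instead of passing a password or smart card PIN through to the VDA.
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

# Check: read both settings back; expect FASClaimsFactory and FASLogonDataProvider.
Get-STFClaimsFactoryNames -AuthenticationService $auth
(Get-STFStoreLaunchOptions -StoreService $store).VdaLogonDataProvider
```

To revert, set the claims factory back to `standardClaimsFactory` and the logon data provider to an empty string with the same two `Set-` cmdlets. The change only works end to end if the StoreFront server is listed in the FAS rule's StoreFront ACL and both StoreFront and the VDAs have the FAS server address configured through the Citrix FAS Group Policy template; without those, users will be prompted for credentials at the VDA again.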

Read the entire article here: Smart Card (CAC/PIV) SSON with FAS

via the fine folks at Citrix Systems, Inc.