In our viewpoint AAF should be able to recognize if the user comes from the ThinClient.

For example:

Scenario 1: ThinClient & Citrix & VDI (without AAF)

1. Customer is starting the ThinClient
2. Customer is starting Citrix StoreFront
3. Customer has to authenticate via Username & Windows Password
4. Customer starts the ICA-Session
5. SSO / Magic / Whatever happens
6. User is directly logged on to Windows

Scenario 2: ThinClient & Citrix & VDI (with AAF)
Following example chains configured:
* LDAP & HOTP
* LDAP & TOTP
* LDAP & Smartphone Push
* LDAP & U2F

1. Customer is starting the ThinClient
2. Customer is starting Citrix StoreFront
3. Customer has to authenticate via Username & Windows Password
4. Authentication successful
5. Customer starts the ICA-Session
6. SSO / Magic / Whatever happens
7. User is not directly logged on to Windows
8. User authenticates again with one of the chains above
* Windows Password & HOTP
* Windows Password & TOTP
* Windows Password & Smartphone Push
* Windows Password & U2F

9. User selects a chain
10. User types the Windows Password again
11. User has to present the second factor
12. User is logged on to Windows

And that's the point: because of the magic which happens during Step 6, AAF should be able to recognize that the user was authenticated before by Citrix, VMware Horizon, etc.

After AAF is getting this information, AAF should do this:

1. Customer is starting the ThinClient
2. Customer is starting Citrix StoreFront
3. Customer has to authenticate via Username & Windows Password
4. Authentication successful
5. Customer starts the ICA-Session
6. SSO / Magic / Whatever happens
7. User is not directly logged on to Windows
8. User authenticates again with one of the example chains above
9. User selects a chain
10. User must not type the Windows Password again, because AAF recognized that the user came from the thin client and was successfully authenticated against Citrix, VMware Horizon, etc. before
11. User presents only the second factor
12. User is logged on to Windows
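An added illustration of the requested behaviour, not AAF's own code or API: a hypothetical policy check that drops the Windows-password factor from the selected chain only when a fresh, signed pre-authentication assertion from the Citrix or Horizon channel names the same user; in every other case (no assertion, stale, wrong user, bad signature) the full chain runs. The shared HMAC key, the issuer names and the 300-second freshness window are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the chains from the post: the Windows password is the
# first factor of every chain, the second factor differs per chain.
CHAINS = {
    "Windows Password & HOTP": ["password", "hotp"],
    "Windows Password & TOTP": ["password", "totp"],
    "Windows Password & Smartphone Push": ["password", "push"],
    "Windows Password & U2F": ["password", "u2f"],
}
TRUSTED_ISSUERS = ("citrix-storefront", "vmware-horizon")  # assumed names
PREAUTH_MAX_AGE = 300  # seconds; assumed freshness window for step 6's "magic"


@dataclass
class PreAuthAssertion:
    """What the ICA/VDI channel would hand to AAF: who was authenticated,
    by which broker, when, and a MAC so the claim cannot simply be asserted."""
    user: str
    issuer: str
    issued_at: int
    mac: str


def sign_assertion(key: bytes, user: str, issuer: str, issued_at: int) -> str:
    msg = f"{user}|{issuer}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def preauth_is_trusted(a: Optional[PreAuthAssertion], key: bytes, user: str, now: int) -> bool:
    """Fail closed: every check must pass before the password factor is skipped."""
    if a is None or a.user != user or a.issuer not in TRUSTED_ISSUERS:
        return False
    if not 0 <= now - a.issued_at <= PREAUTH_MAX_AGE:  # stale or future-dated
        return False
    expected = sign_assertion(key, a.user, a.issuer, a.issued_at)
    return hmac.compare_digest(expected, a.mac)


def required_factors(chain: str, user: str, a: Optional[PreAuthAssertion], key: bytes, now: int) -> List[str]:
    """Factors the user still has to present for the selected chain."""
    factors = list(CHAINS[chain])
    if preauth_is_trusted(a, key, user, now):
        factors.remove("password")  # already satisfied at StoreFront (step 3)
    return factors
```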

Comments

  • One addition:
    In that case "magic" means the different protocols which Citrix uses to authenticate to the TerminalServer. So I mean AAF should be able to recognize the part which will be delivered from Citrix to the terminal server. Because of this AAF should only ask for the second factor.

  • https://support.citrix.com/article/CTX214343

  • We can look into this. If the information is available in the "Citrix Channel" then we should be able to do this. ...Troy