cancel
Showing results for 
Search instead for 
Did you mean: 

SSO Requirements Summary

Highlighted
Contributor

SSO Requirements Summary

After testing, researching, and support tickets, I have come up with the following summary of SSO capabilities and limitations. Is this correct.

1. SSO requires "core" Web Rewrite using the Content Intermediation Engine
a. Uses a Web Resource profile.
b. Uses a "special" Web Resource profile that uses the Citrix Transparent Service Proxy (CTS) that supports "Form-Post", also known as "Remote SSO".
Note: CTS is an Active-X control, so ONLY SUPPORTS IE. All other browsers require WSAM, JSAM, Pulse, or NC.
c. Website needs to send a 401 Authentication Required to trigger Kerberos, NTLM, or Basic Auth.
1. Kerberos and NTLM requires Windows server with Integrate Authentication enabled.
d. Website needs a "Form" tag to do a Remote SSO.
e. Not sure about the Java Citrix Proxy or JSAM. Haven't tested.
f. Haven't spent much time on MS Terminals Services. Is there a proxy similar to CTS, and does it operate similarly?

2. Pass Through Proxy does not support SSO.
a. The value of PTP is no special client needed.

3. WSAM does not support SSO
a. This works very well in 8.2 with Chrome and FF using new Pulse App Loader (PAL)

4. Pulse and Network Connect do not support SSO.

5. SAML and Cert Authentication complicate SSO since no password is captured at PCS Authentication.
a. Kerberos Constrained Delegation SSO can help here to get a ticket for the user by using a service account.
b. Can also prompt for a password by doing a secondary login using LDAP or AD and using a password manager like LastPass.
1. Pass the username from the SAML NameID, or CN from Cert. Be sure to send the proper AD username in the attribute.





7 REPLIES 7
Highlighted
Moderator

Re: SSO Requirements Summary

Yes, what you have is mostly correct; see minor comments below (otherwise, looks good).

1. SSO requires "core" Web Rewrite using the Content Intermediation Engine
a. Uses a Web Resource profile.
>>>You do not need to use a resource profile; you can create the SSO policy without it.

b. Uses a "special" Web Resource profile that uses the Citrix Transparent Service Proxy (CTS) that supports "Form-Post", also known as "Remote SSO".
Note: CTS is an Active-X control, so ONLY SUPPORTS IE. All other browsers require WSAM, JSAM, Pulse, or NC.
>>>The Citrix profile does come with predefined elements; however, you can configure it manually if you rather at Users>Resource Policies>Web>SSO>form POST

c. Website needs to send a 401 Authentication Required to trigger Kerberos, NTLM, or Basic Auth.
1. Kerberos and NTLM requires Windows server with Integrate Authentication enabled.
d. Website needs a "Form" tag to do a Remote SSO.
e. Not sure about the Java Citrix Proxy or JSAM. Haven't tested.
>>>JSAM does not have SSO as an option. The Java ICA client should be authenticated at the web page

f. Haven't spent much time on MS Terminals Services. Is there a proxy similar to CTS, and does it operate similarly?
>>>No, it is a different proxy and has a different set of capabilities. It does accept SSO credentials. Some of what you do depends on if you are using HTML5 or the traditional client.

2. Pass Through Proxy does not support SSO.
>>>It should work; however, there may be complications when doing hostname-based passthrough proxy to try and send the credential to the correct location. Port-based is a better option if SSO is needed
a. The value of PTP is no special client needed.

3. WSAM does not support SSO
a. This works very well in 8.2 with Chrome and FF using new Pulse App Loader (PAL)

4. Pulse and Network Connect do not support SSO.

5. SAML and Cert Authentication complicate SSO since no password is captured at PCS Authentication.
a. Kerberos Constrained Delegation SSO can help here to get a ticket for the user by using a service account.
b. Can also prompt for a password by doing a secondary login using LDAP or AD and using a password manager like LastPass.
1. Pass the username from the SAML NameID, or CN from Cert. Be sure to send the proper AD username in the attribute.
Highlighted
Contributor

Re: SSO Requirements Summary

Thanks for the reply.

In some old docs it talked about CTS, which should have been called Citrix Terminal Services Proxy, not Transparent, it says that it will run on Java-capable browsers, but support told me it was Active-X only. Is CTS ActiveX (IE) only?
Highlighted
Moderator

Re: SSO Requirements Summary

You are welcome
CTS is a win32 application that is launched from an ActiveX control with Java fallback; it does not run on non-Windows machines, but should be able to launch from browsers other than IE
Highlighted
Contributor

Re: SSO Requirements Summary

Here's what support said about CTS. After re-reading, I see that she just omitted telling me that CTS "could" work with Java, but PSAL/WSAM is better...

================ Snip ===========
CTS was specifically coded for IE and will work with ActiveX. Its code was never modified for it to work on Chrome with PSAL and hence if you are using CTS, this will not use PSAL.
The flow is ActiveX>>Pulse Secure Citrix setup Client>>Citrix receiver>>APP for IE.
However, in Chrome, PSAL does not launch for CTS.
Highlighted
Contributor

Re: SSO Requirements Summary

If PSAL is loaded, will it NOT allow Java to run CTS? Could that be an issue?
Highlighted
Moderator

Re: SSO Requirements Summary

Here's what support said about CTS. After re-reading, I see that she just omitted telling me that CTS "could" work with Java, but PSAL/WSAM is better...
......
If PSAL is loaded, will it NOT allow Java to run CTS? Could that be an issue?
Highlighted
Moderator

Re: SSO Requirements Summary

Here's what support said about CTS. After re-reading, I see that she just omitted telling me that CTS "could" work with Java, but PSAL/WSAM is better...
>>>The win32 ICA client is more robust than the Java ICA client (historically, at least, in my experience).
......
If PSAL is loaded, will it NOT allow Java to run CTS? Could that be an issue?
>>>>Yes, PSAL does not work with Java clients (it is unable to launch them). The CTS client should launch the win32 CTS client; however, it cannot launch the Java ICA client.