After testing, researching, and support tickets, I have come up with the following summary of SSO capabilities and limitations. Is this correct?

1. SSO requires "core" Web Rewrite using the Content Intermediation Engine.
   a. Uses a Web Resource profile.
   b. Uses a "special" Web Resource profile that uses the Citrix Transparent Service Proxy (CTS) that supports "Form-Post", also known as "Remote SSO". Note: CTS is an ActiveX control, so it ONLY SUPPORTS IE. All other browsers require WSAM, JSAM, Pulse, or NC.
   c. Website needs to send a 401 Authentication Required to trigger Kerberos, NTLM, or Basic Auth.
      1. Kerberos and NTLM require a Windows server with Integrated Authentication enabled.
   d. Website needs a "Form" tag to do a Remote SSO.
   e. Not sure about the Java Citrix Proxy or JSAM. Haven't tested.
   f. Haven't spent much time on MS Terminal Services. Is there a proxy similar to CTS, and does it operate similarly?
2. Pass Through Proxy does not support SSO.
   a. The value of PTP is no special client needed.
3. WSAM does not support SSO.
   a. This works very well in 8.2 with Chrome and FF using the new Pulse App Loader (PAL).
4. Pulse and Network Connect do not support SSO.
5. SAML and Cert Authentication complicate SSO since no password is captured at PCS Authentication.
   a. Kerberos Constrained Delegation SSO can help here to get a ticket for the user by using a service account.
   b. Can also prompt for a password by doing a secondary login using LDAP or AD and using a password manager like LastPass.
      1. Pass the username from the SAML NameID, or CN from Cert. Be sure to send the proper AD username in the attribute.
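Items 1c and 1d above boil down to a check you can run against a captured backend response before building the Web Resource profile: does the site answer with a 401 carrying a WWW-Authenticate challenge (Kerberos/NTLM via Negotiate, NTLM, or Basic), or does it serve an HTML form that Remote SSO could post into? The helper below is an added example, not code from the original post or from Pulse Connect Secure; the function name, the mode labels and the sample responses are all constructed for illustration.

```python
"""Classify which core Web Rewrite SSO mode a backend response could trigger.

Hypothetical helper (not PCS code): it applies the two conditions from the
post, a 401 challenge for Kerberos/NTLM/Basic or a POST <form> for Remote
SSO, to a captured response so the answer is known before the profile is built.
"""
from html.parser import HTMLParser


class _FormFinder(HTMLParser):
    """Collect <form> elements and the names of the <input> fields inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_sso(status, headers, body):
    """Return (mode, details) for one backend response.

    headers is a list of (name, value) pairs so that repeated WWW-Authenticate
    headers (a server often sends Negotiate and NTLM together) are all seen.
    """
    if status == 401:
        # The auth scheme is the first token of each WWW-Authenticate value,
        # e.g. 'Basic realm="intranet"' -> 'Basic'.
        schemes = [v.split()[0] for n, v in headers
                   if n.lower() == "www-authenticate" and v.strip()]
        if "Negotiate" in schemes:
            return "kerberos-ntlm", schemes   # Integrated Windows Authentication
        if "NTLM" in schemes:
            return "ntlm", schemes
        if "Basic" in schemes:
            return "basic", schemes
        return "unsupported-challenge", schemes
    finder = _FormFinder()
    finder.feed(body or "")
    post_forms = [f for f in finder.forms if f["method"] == "post"]
    if post_forms:
        return "form-post", post_forms      # candidate for Remote SSO
    return "none", []


# Constructed sample responses (status, headers, body) for a quick self-check.
SAMPLE_IWA = (401, [("WWW-Authenticate", "Negotiate"),
                    ("WWW-Authenticate", "NTLM")], "")
SAMPLE_BASIC = (401, [("WWW-Authenticate", 'Basic realm="intranet"')], "")
SAMPLE_FORM = (200, [("Content-Type", "text/html")],
               '<html><body><form action="/login" method="POST">'
               '<input name="user"><input name="pass" type="password">'
               '<input type="submit" value="Go"></form></body></html>')
SAMPLE_API = (200, [("Content-Type", "application/json")], '{"ok": true}')

if __name__ == "__main__":
    for name, sample in [("IWA", SAMPLE_IWA), ("Basic", SAMPLE_BASIC),
                         ("Form", SAMPLE_FORM), ("API", SAMPLE_API)]:
        print(name, "->", classify_sso(*sample))
```

A "none" result is the practical signal that the site is not a candidate for either SSO path under core rewriting and will need one of the client-based options listed in the post. The form branch also reports the field names, which is exactly the information a Form-Post profile needs.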