Smartcards are the primary mode of authentication in most of the secure environments like Defense, Financial, Banking and some of the Research organizations. In case of Smartcard the user is not expected to remember his password or token thus the authentication flow should work end to end. For example if we authenticate using Smartcard to the most front ending authentication point, the authentication token needs to be passed to every layer in the infrastructure which expects the token. If the pass through mechanism is not proven then the end to end authentication flow will break resulting into poor end user experience.
This was one of the challenges we were facing with respect to WIonNS deployments. WIonNS did not have the SSO and pass through support for sending the user identity to the backend XenApp/XenDesktop infrastructure. Thus all the use cases where Smartcards were the primary authentication mechanism, WIonNS was not the preferred mode of deployment. Well… that is past and with NetScaler 10 latest GA release we have added Smartcard based SSO support to the WIonNS module. Now users can authenticate with AGEE using client certificates through Smartcard or local cert store. After successful authentication, AGEE will extract the username token from the certificate and send it to WIonNS. If WIonNS is configured to do Smartcard based SSO then it forwards the user token to the XenApp/XenDesktop server. The internal infrastructure will confirm the validity of the user through LDAP delegation and will publish the Apps to the user. Setting up WIonNS for this feature is just a matter of following simple steps:
- WI tar file to be used is “nswi-1.5.tgz”
- Install the nswi-1.5.tgz package through NetScaler GUI
- Use the Web Interface wizard for configuration
- Choose Default Access Method as “Gateway Direct”
- Select respective Access Gateway vserver
- Click Settings and configure Single Sign-on Domain
- Select Access gateway authentication methodas “Smartcard”
For end to end Smartcard related configuration, click on the Smartcard settings which invokes following configuration wizard.
- Specify the CA certificate which should be used for client authentication
- Create the Authentication policy and bind it to the AGEE vserver
- Configure Authentication Type as CERT in the policy
- Create the Authentication action for the Server field
- Ensure that the user name field is defined appropriately
- Configure SSL parameters to enable Client authentication
- Specify whether Client certificate is optional or mandatory
- Provide rest of the configuration parameters on WI wizard
And you are ready to go with functionally available WIonNS deployment with Smartcard support. This simplified configuration experience should help with quick adoption of this feature.
Looking forward to your deployment experiences…