CloudPortal Services Manager (CPSM) provides the ability to customize authentication.

There are many use cases for customizing the authentication process such as:

1)      Two-factor authentication – which require the presentation of two authentication factors such as a pin + Active Directory password or an RSA token + Active Directory password.

2)      Billing integration – allowing a service provider or reseller to deny users from logging on to CPSM if their account balance is overdue.

This blog will primarily focus on creating a two-factor authentication solution.  The sample can be modified to create a billing integration solution.


The sample authentication provider code is displayed below.  Add the following references to your project:

C:\inetpub\Cortex Management\CortexDotNet\bin\

  • Citrix.Csm.Sdk.V1.dll
  • EMS.Cortex.dll
  • EMS.Cortex.UserCustomerObjects.dll

Sample Code:

    public class AuthenticationProvider : EMS.Cortex.AuthenticationProvider
        private const int TokenLength = 4;
        private const int MinimumPasswordLength = 3;

        public AuthenticationProvider(int LocationID) : base(LocationID)

        public override void Authenticate(string Username, EMS.Cortex.SecureString Password)
            if (string.IsNullOrWhiteSpace(Username))
                throw new AuthenticationException("A username must be specified");
            if (string.IsNullOrWhiteSpace(Password.Value))
                throw new AuthenticationException("A password must be specified");
            if (Password.Value.Length < (TokenLength + MinimumPasswordLength))
                throw new AuthenticationException("A token and password combination must be specified");
            // Extract the token and password from the password string
            var UserToken = Password.Value.Substring(0, TokenLength);
            var Psw = Password.Value.Substring(TokenLength, Password.Value.Length - TokenLength);
            var SecurePassword = new EMS.Cortex.SecureString(Psw);

            // Verify that the token is valid
            if (!IsTokenValid(Username, UserToken))
                throw new AuthenticationException("An invalid account combination was specified");
            // Authenticate against the standard AD authentication provider
            base.Authenticate(Username, SecurePassword);

        private bool IsTokenValid(string Username, string Token)
            // TODO: Call the token service to validate the token
            return Token == "1234";

Note that the PIN is defaulted to “1234” in this sample.

Compile the solution and deploy it to the web server.  The default folder is:

C:\inetpub\Cortex Management\CortexDotNet\bin

Register the custom authentication provider

Perform the following steps to register the authentication provider:

  • Login to CPSM as a service provider administrator user
  • Verify that the logged in user have the “Service Schema Administrator” secure role
    • Edit the logged in user’s account
    • Expand “Account Settings”
    • Expand “Advanced Options”
    • Check the “Configure a custom role collection” option
    • Check the “Service Schema Administrator” option
    • Log out and log in again for the role permissions to take effect
  • Navigate to the customer services screen (Menu > Customer Services)
  • Use the customer search feature on the left to find and apply the authentication provider to a specific customer
  • Configure the authentication provider
    • Expand the “Customer Portal Settings” service
    • Expand “Service Settings”
    • Expand “Providers”
    • Check the “Authentication” option
    • Specify the name of your authentication provider dll (such as: TwoFactorAuthentication.dll)
    • Specify the full qualified class name of your authentication provider (such as: TwoFactorAuthentication.AuthenticationProvider)
  • Apply the changes
  • Provision

The custom authentication provider can be applied to all resellers and customers by specifying the custom authentication provider on the “reseller service > customer portal settings > service properties > providers” screen.

Customize the Login Screen

Perform the following steps to customize the login screen text:

  1. Login to CPSM as a service provider administrator user
  2. Navigate to the “Menu > Configuration > Content Management > Content Translation” screen
    1. On the left “Content Section” drop-down-list menu, select “Login/login”
    2. Check the “Show Translated Items” option
    3. Find and edit the default message call “Password”
    4. Change it to “Pin + Password”
    5. Click on Update
    6. Log out

The updated login screen with the “PIN + Password” text is displayed below:

Edit > Undo

Run the following SQL script to delete the custom authentication provider registration just in case you are unable to log on to the system:


DELETE V FROM PropertyValues V

INNER JOIN Properties P ON P.PropertyID = V.PropertyID

WHERE P.Name = 'AuthenticationProvider'