At Citrix Synergy 2016, we announced an update to the StoreFront Authentication SDK that enables you to say YES to more authentication methods and greater flexibility in how you secure access to your apps and desktops.
The first StoreFront Authentication was released with v2.6 and included the ability to customize both the end-user and administrator experience. We worked hard to ensure that customizations created with this SDK would continue to work with subsequent versions of StoreFront.
However, StoreFront 3.5 changed the conceptual model of the StoreFront console to be store-centric, which has simplified the experience for the majority of administrators. This required a great of deal of change behind the scenes, including many of the APIs used by the Authentication SDK, and resulted in customizations requiring an update to the SDK.
The new SDK works with StoreFront v3.6 and later, and we will strive to maintain compatibility going forward. There will always be cases where there is a need to radically change things, but we’ll strive to let you know about those well in advance.
The new SDK contains updated versions of all the original samples, plus documentation on how to migrate existing customizations to new versions of StoreFront. It also introduced a new administration PowerShell API, and the existing samples and documentation have been updated to use this new API.
- Control the credential and label types advertised by the client
- When a new credential or label type is detected in the form presented by the server, the client-side customization controls what is rendered
- Allow data to be sent to the server without intervention from the user
Customizations will typically contain an Authentication Service customization, and a Receiver for Web plug-in that is the client to the Authentication Service. Indeed this represents the first of what we expect to be a series of client-side authentication SDKs.
The Test Forms sample is typical of such a customization. With just the Authentication Service customization deployed, the sample runs through a series of forms demonstrating the available user interface widgets. However, once the Receiver for Web package is deployed, there are two extra forms that are displayed. The first demonstrates new user interface widgets, in this case some custom css for the label to reveal a “secret” word when hovered on, and a custom credential where the user has to select the middle of three images.
The second example illustrates an “auto-posting” form, where Receiver for Web just returns the User-Agent string which is then displayed in the next form.
Federated Authentication Service Customization
The Federated Authentication Service is a new component to XenApp and XenDesktop 7.9 that enables the ultimate flexibility in authentication to gain access to Windows apps and desktops by creating and managing smart card certificates on behalf of the user.
The sample extends the base functionality by allowing StoreFront to tell the FAS server to use different certificate templates in different access scenarios, such as internal and external access. The resulting different user certificates could leverage Microsoft’s Authentication Mechanism Assurance to influence what resources the user has access to in their Windows session.
The sample also demonstrates how to inject custom data into the certificate, allowing downstream applications to apply access policies based on this data.
Further information can be found on the Citrix Developer page, including links to other Citrix authentication SDKs.