At Citrix Synergy 2016, we announced an update to the StoreFront Authentication SDK that enables you to say YES to more authentication methods and greater flexibility in how you secure access to your apps and desktops.

Breaking Changes

The first StoreFront Authentication SDK was released with v2.6 and included the ability to customize both the end-user and administrator experience. We worked hard to ensure that customizations created with this SDK would continue to work with subsequent versions of StoreFront.

However, StoreFront 3.5 changed the conceptual model of the StoreFront console to be store-centric, which has simplified the experience for the majority of administrators. This required a great deal of change behind the scenes, including to many of the APIs used by the Authentication SDK, and resulted in customizations requiring an update to the SDK.

The new SDK works with StoreFront v3.6 and later, and we will strive to maintain compatibility going forward. There will always be cases where there is a need to radically change things, but we’ll strive to let you know about those well in advance.

The new SDK contains updated versions of all the original samples, plus documentation on how to migrate existing customizations to new versions of StoreFront. It also introduces a new administration PowerShell API, and the existing samples and documentation have been updated to use this new API.

Receiver for Web JavaScript API

The SDK contains new samples and documentation for new features, including a new JavaScript-based API for Receiver for Web. The API allows the following customizations:

  • Control the credential and label types advertised by the client
  • When a new credential or label type is detected in the form presented by the server, the client-side customization controls what is rendered
  • Allow data to be sent to the server without intervention from the user

Customizations will typically contain an Authentication Service customization and a Receiver for Web plug-in that is the client to the Authentication Service. Indeed, this represents the first of what we expect to be a series of client-side authentication SDKs.

Test Forms

The Test Forms sample is typical of such a customization. With just the Authentication Service customization deployed, the sample runs through a series of forms demonstrating the available user interface widgets. However, once the Receiver for Web package is deployed, two extra forms are displayed. The first demonstrates new user interface widgets: in this case, some custom CSS for the label that reveals a “secret” word when hovered over, and a custom credential where the user has to select the middle of three images.


The second example illustrates an “auto-posting” form, where Receiver for Web just returns the User-Agent string which is then displayed in the next form.



We’ve made updates to the JavaScript API, too. The U2F sample involves using a FIDO v1 Universal Second Factor hardware token as a second factor during authentication. Note that it only works in a Google Chrome browser just now, as it relies on a Chrome extension. The extension allows the browser to interact with Human Interface Devices that meet the FIDO U2F standard through a JavaScript API. An example of a hardware token for U2F is the YubiKey.

The experience is that the user first authenticates with their user name and password and then they are prompted to interact with the token. When the token is activated, it calls a JavaScript function in the browser, which then auto-completes the interaction with the server.


Federated Authentication Service Customization

The Federated Authentication Service is a new component of XenApp and XenDesktop 7.9 that enables the ultimate flexibility in authentication to gain access to Windows apps and desktops by creating and managing smart card certificates on behalf of the user.

The sample extends the base functionality by allowing StoreFront to tell the FAS server to use different certificate templates in different access scenarios, such as internal and external access. The resulting different user certificates could leverage Microsoft’s Authentication Mechanism Assurance to influence what resources the user has access to in their Windows session.

The sample also demonstrates how to inject custom data into the certificate, allowing downstream applications to apply access policies based on this data.

More Information

Further information can be found on the Citrix Developer page, including links to other Citrix authentication SDKs.
