by
Brian Madden
Citrix recently released some updated code for Presentation
Server 4.0 that lets Web Interface authenticate users via Active Directory
Federation Services (ADFS).
ADFS is a new feature included in the R2 release of Windows
Server 2003. (Read a white paper from Microsoft about ADFS.) In a nutshell, ADFS lets an administrator
share users’ identity information outside of their organization. Multiple
organizations become part of a “federated system”, with each organization keeping
its own back-end security and identity technologies. The federation
protocols (ADFS implements the WS-Federation passive profile and issues SAML 1.1
security tokens, both XML-based standards) define how the two sides exchange signed
statements about a user, so neither side has to see the other’s directory or the
user’s password.
Since this sounds kind of confusing, let’s work through a
real-world example. Imagine that you’re starting a consulting project with us,
The Brian Madden Company. If you need access to our servers and data, then we
would have to give you a user account in our “brianmadden” AD domain. Of course
since you also have your own user account in your own domain, you’re dealing
with two accounts. This might not be so bad, except that the chances are high
that the two domains have different security policies (password complexity,
expiration dates, etc.). This means that you’ll have to manage multiple
accounts with multiple passwords.
In a federated identity management system, we (The Brian Madden
Company) would instead configure our federation server to trust your organization’s
federation server and map the claims it issues about you (who you are and which groups
you belong to) onto access rights in the brianmadden domain. You would authenticate
with your own account, in your own domain, and never receive a brianmadden password.
In a way this is similar to setting up a Windows domain trust relationship, except that
the two directories never talk to each other directly: there is no LDAP, RPC or
Kerberos traffic between domain controllers to open through the firewall, only signed
XML tokens passed over HTTPS, and the resource side decides, claim by claim, which of
the partner’s assertions grant access. Federation is more like an
open single sign on solution that works across the Internet and between systems
from different vendors.
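To make the trust relationship concrete, here is a small two-party model of the exchange described above. This is an added example, not code from the original post, from Citrix or from Microsoft: the account partner signs a claim set with a private key only it holds, and the resource partner (standing in for the brianmadden domain) accepts the token solely on the strength of the partner’s public key, the audience, the expiry and a claim-to-role mapping, without ever holding a partner account or password. The JSON-plus-RSA token is a stand-in for the XML SAML token and XML-DSig that ADFS actually uses, and the partner names, group names and the PS-Users role are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is a simplified stand-in for the claim set in an ADFS SAML token
// (constructed for this example; real tokens are XML signed with XML-DSig).
type Claims struct {
	Issuer, Audience, Subject string   // account partner, resource partner, user
	Groups                    []string // group claims asserted by the issuer
	Expires                   int64    // Unix time after which the token is invalid
}

type Token struct{ Payload, Signature []byte } // RSA PKCS#1 v1.5 over SHA-256(Payload)

// AccountPartner is the user's home organization. Only it holds the private
// token-signing key, so only it can vouch for its users.
type AccountPartner struct {
	Name string
	key  *rsa.PrivateKey
}

func NewAccountPartner(name string) (*AccountPartner, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &AccountPartner{Name: name, key: key}, err
}

// PublicKey stands in for the token-signing certificate exchanged at trust setup.
func (a *AccountPartner) PublicKey() *rsa.PublicKey { return &a.key.PublicKey }

// Issue signs a claim set for one of the account partner's own users.
func (a *AccountPartner) Issue(user string, groups []string, aud string, ttl time.Duration) (Token, error) {
	payload, _ := json.Marshal(Claims{a.Name, aud, user, groups, time.Now().Add(ttl).Unix()}) // cannot fail for this struct
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.key, crypto.SHA256, digest[:])
	return Token{payload, sig}, err
}

// ResourcePartner owns the resources. It stores no partner accounts or
// passwords, only partner public keys and a group-claim-to-local-role map.
type ResourcePartner struct {
	Name  string
	keys  map[string]*rsa.PublicKey    // issuer -> trusted token-signing key
	roles map[string]map[string]string // issuer -> partner group -> local role
}

func NewResourcePartner(name string) *ResourcePartner {
	return &ResourcePartner{name, map[string]*rsa.PublicKey{}, map[string]map[string]string{}}
}

// Trust registers an account partner. Group claims with no mapping grant nothing.
func (r *ResourcePartner) Trust(issuer string, pub *rsa.PublicKey, m map[string]string) {
	r.keys[issuer], r.roles[issuer] = pub, m
}

// Validate returns "issuer\subject" plus local roles, or an error. The issuer claim is
// read only to select a key; nothing else is acted on until the signature verifies.
func (r *ResourcePartner) Validate(t Token, now time.Time) (string, []string, error) {
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return "", nil, err
	}
	pub, trusted := r.keys[c.Issuer]
	digest := sha256.Sum256(t.Payload)
	switch {
	case !trusted:
		return "", nil, fmt.Errorf("untrusted issuer %q", c.Issuer)
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], t.Signature) != nil:
		return "", nil, fmt.Errorf("bad signature")
	case c.Audience != r.Name:
		return "", nil, fmt.Errorf("token issued for %q, not %q", c.Audience, r.Name)
	case !now.Before(time.Unix(c.Expires, 0)):
		return "", nil, fmt.Errorf("token expired")
	}
	var roles []string
	for _, g := range c.Groups {
		if role, ok := r.roles[c.Issuer][g]; ok {
			roles = append(roles, role)
		}
	}
	if len(roles) == 0 {
		return "", nil, fmt.Errorf("no claim maps to a local role")
	}
	return c.Issuer + `\` + c.Subject, roles, nil
}

func main() { // partner names are hypothetical
	home, _ := NewAccountPartner("consultingfirm.example")
	bm := NewResourcePartner("brianmadden.example")
	bm.Trust(home.Name, home.PublicKey(), map[string]string{"Consultants": "PS-Users"})
	tok, _ := home.Issue("you", []string{"Consultants", "Domain Users"}, bm.Name, time.Hour)
	fmt.Println(bm.Validate(tok, time.Now()))
}
```

The order of checks in Validate is the part worth copying: a token from an issuer we have not been configured to trust is rejected before its signature is even examined, a valid signature from a trusted partner is still useless if the token names a different audience or has expired, and a partner group that nobody mapped to a local role ("Domain Users" above) grants nothing. That last point is what "the resource side decides, claim by claim" means in practice.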
How does Citrix fit into this?
Using pure Windows, ADFS can only be used to provide
federated access to web applications. However, Citrix Presentation Server lets
you extend this to any Windows application published via ICA, because the federated
user authenticates to Web Interface and Web Interface then launches the application on their behalf. To do this, you need two
components from Citrix:
- Hotfix PSE400R01W2K3051 for
your Presentation Server(s). This hotfix requires the Hotfix Rollup Package
1 (HRP1) for PS4.
- A special version of Web
Interface that has ADFS support. This is available for free from MyCitrix.
It’s a unique version of WI that supports only ADFS authentication and none of the
other WI authentication methods, so it is deployed alongside, not instead of, your existing WI site. The next release of WI will have ADFS
authentication integrated into the full WI package.
ADFS support was originally on the roadmap for the “Ohio”
release of Presentation Server (estimated 4Q 2006), but Citrix made this code
available today for people who need it ASAP. They’ve also created a dedicated WI+ADFS support
forum on citrix.com.