Citrix releases ADFS support for Presentation Server

Citrix recently released some updated code for Presentation Server 4.0 that lets Web Interface authenticate users via Active Directory Federation Services (ADFS).

ADFS is a new feature included in the R2 release of Windows Server 2003. (Read a white paper from Microsoft about ADFS.) In a nutshell, ADFS lets an administrator share users’ identity information outside of their own organization. Multiple organizations become part of a “federated system,” with each organization keeping its own back-end security and identity technologies. The federation standards define an XML-based protocol that the two systems use to communicate with each other.

Since this sounds kind of confusing, let’s work through a real-world example. Imagine that you’re starting a consulting project with us, The Brian Madden Company. If you need access to our servers and data, then we would have to give you a user account in our “brianmadden” AD domain. Of course since you also have your own user account in your own domain, you’re dealing with two accounts. This might not be so bad, except that the chances are high that the two domains have different security policies (password complexity, expiration dates, etc.). This means that you’ll have to manage multiple accounts with multiple passwords.

In a federated identity management system, there would be a way for us (The Brian Madden Company) to add your own account from your own domain to our brianmadden domain. This would mean that you could use your own account to access brianmadden domain resources. In a way this is similar to setting up a Windows domain trust relationship, except that it operates at the individual account level and doesn’t carry the same security implications and requirements as a domain trust. Federation is more like an open single sign-on solution that works across the Internet and between systems from different vendors.
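To make the trust flow concrete, here is a small added example (not code from the original post, Citrix, or Microsoft) that models the two sides described above: the user’s home domain acts as the “account partner” and authenticates its own users, while the brianmadden domain acts as the “resource partner,” holds no account for the visitor at all, and only trusts signed claims from the home domain. The XML token layout, the realm names, the HMAC shared-key signature (real ADFS signs SAML tokens with an X.509 certificate) and the group-to-role mapping are all constructed assumptions for illustration, not the WS-Federation wire format.

```python
import hmac
import hashlib
import time
import xml.etree.ElementTree as ET


class AccountPartner:
    """Home domain: authenticates its own users and issues signed claim tokens.
    (Constructed model; not the ADFS federation service.)"""

    def __init__(self, realm, signing_key):
        self.realm = realm
        self._key = signing_key          # assumed shared key with the resource partner
        self._users = {}                 # upn -> {"password", "enabled", "groups"}

    def add_user(self, upn, password, groups):
        self._users[upn] = {"password": password, "enabled": True, "groups": list(groups)}

    def disable_user(self, upn):
        """Deactivating the home account stops any further token issuance."""
        self._users[upn]["enabled"] = False

    def issue_token(self, upn, password, audience, lifetime=300, now=None):
        user = self._users.get(upn)
        if user is None or not user["enabled"] or not hmac.compare_digest(user["password"], password):
            return None                  # unknown, disabled, or wrong password: no token
        expires = int((now if now is not None else time.time()) + lifetime)
        root = ET.Element("ClaimsToken", issuer=self.realm, audience=audience, expires=str(expires))
        ET.SubElement(root, "Claim", type="upn").text = upn
        for group in user["groups"]:
            ET.SubElement(root, "Claim", type="group").text = group
        body = ET.tostring(root, encoding="unicode")
        signature = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return (body, signature)


class ResourcePartner:
    """Resource domain: trusts specific account partners' keys; has no local user accounts."""

    def __init__(self, realm):
        self.realm = realm
        self._trusted_keys = {}          # issuer realm -> verification key
        self._role_map = {}              # (issuer realm, group claim) -> local role

    def trust(self, issuer_realm, key, group_to_role):
        self._trusted_keys[issuer_realm] = key
        for group, role in group_to_role.items():
            self._role_map[(issuer_realm, group)] = role

    def authorize(self, token, now=None):
        """Return {"upn", "roles"} for a valid token, or None if it must be rejected."""
        body, signature = token
        root = ET.fromstring(body)
        issuer = root.get("issuer")
        key = self._trusted_keys.get(issuer)
        if key is None:
            return None                  # issuer is not a federation partner
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None                  # claims were altered after signing
        if root.get("audience") != self.realm:
            return None                  # token was issued for some other partner
        current = now if now is not None else time.time()
        if int(root.get("expires")) <= current:
            return None                  # token lifetime over; must re-authenticate at home
        upn = root.find("Claim[@type='upn']").text
        groups = [c.text for c in root.findall("Claim[@type='group']")]
        roles = sorted({self._role_map[(issuer, g)] for g in groups if (issuer, g) in self._role_map})
        return {"upn": upn, "roles": roles}


def demo():
    """Walk through the consultant scenario; returns (access_before, access_after_disable, token)."""
    key = b"constructed-shared-key"        # constructed; real deployments use certificates
    home = AccountPartner("contoso.example", key)
    home.add_user("alice@contoso.example", "pw-constructed", ["Consultants"])
    brianmadden = ResourcePartner("brianmadden.example")
    brianmadden.trust("contoso.example", key, {"Consultants": "ProjectShare-RW"})

    token = home.issue_token("alice@contoso.example", "pw-constructed", "brianmadden.example")
    before = brianmadden.authorize(token)                    # access granted via home credentials only
    home.disable_user("alice@contoso.example")               # deactivated in the home domain ...
    after = home.issue_token("alice@contoso.example", "pw-constructed", "brianmadden.example")
    return before, after, token, brianmadden


if __name__ == "__main__":
    before, after, _, _ = demo()
    print("before disable:", before)
    print("after disable:", after)
```

The `authorize` checks show why a resource partner needs no account for the visitor: everything it needs (identity, groups, lifetime) arrives in the signed claims, and the only local state is the partner’s key and the group-to-role mapping. Once the home domain disables the account no new token can be issued; the existing token still works until `expires`, which is why federation deployments keep token lifetimes short.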

How does Citrix fit into this?

With Windows alone, ADFS can only provide federated access to web applications. Citrix Presentation Server, however, lets you extend this to any Windows application delivered via ICA. To do this, you need two components from Citrix:

  • Hotfix PSE400R01W2K3051 for your Presentation Server(s). This hotfix requires the Hotfix Rollup Package 1 (HRP1) for PS4.
  • A special version of Web Interface that has ADFS support. This is available for free from MyCitrix. It’s a unique version of WI that does not support other, non-ADFS authentication methods. The next release of WI will have ADFS authentication integrated into the full WI package.

ADFS support was originally on the roadmap for the “Ohio” release of Presentation Server (estimated 4Q 2006), but Citrix made this code available today for people who need it ASAP. They’ve also created a dedicated WI+ADFS support forum on


Any idea whether they're going to support other types of federated authentication? Seems inappropriate to focus exclusively on ADFS.
Well I think the whole idea with federation is that you configure ADFS, and then that can tie into any WS-Federation from any vendor. But since Citrix runs on Windows, you need ADFS on your PS boxes.

I think that will really come from Microsoft, first. MS has stated that they are working with others to federate via a standard. When/if that happens, then Citrix just needs to support that also, which should be simple (except for the testing).
Working on a non-Windows Citrix WI/ADFS implementation now. Can't say with whom quite yet but soon.
Both PingIdentity and RSA have SAML 2.0 gateways that work with the same hotfix to CPS, so there is support for non-ADFS federation protocols.
One of the other big benefits of federation technology is a big security win: when an account is deactivated in the home domain, all access to federated resources is terminated immediately without having to wait for the IT departments at the partners to process the change. For high security environments that cross domains or organizations this can be a big deal.