Citrix recently released some updated code for Presentation Server 4.0 that lets Web Interface authenticate users via Active Directory Federation Services (ADFS).
ADFS is a new feature included in the R2 release of Windows Server 2003. (Read a white paper from Microsoft about ADFS.) In a nutshell, ADFS lets an administrator share users’ identity information outside of their own organization. Multiple organizations become part of a “federated system,” with each organization keeping its own back-end security and identity technologies. The federation standards define an XML-based format that the two organizations’ systems use to exchange identity information with each other.
Since this sounds kind of confusing, let’s work through a real-world example. Imagine that you’re starting a consulting project with us, The Brian Madden Company. If you need access to our servers and data, then we would have to give you a user account in our “brianmadden” AD domain. Of course since you also have your own user account in your own domain, you’re dealing with two accounts. This might not be so bad, except that the chances are high that the two domains have different security policies (password complexity, expiration dates, etc.). This means that you’ll have to manage multiple accounts with multiple passwords.
In a federated identity management system, there would be a way for us (The Brian Madden Company) to add your own account from your own domain to our brianmadden domain. This would mean that you would be able to use your own account to access brianmadden domain resources. In a way this is similar to setting up a Windows domain trust relationship, except that it operates at the individual account level and doesn’t carry the same security implications and requirements as a domain trust. Federation is more like an open single sign-on solution that works across the Internet and between systems from different vendors.
How does Citrix fit into this?
Using pure Windows, ADFS can only be used to provide federated access to web applications. However, Citrix Presentation Server lets you extend this to any Windows application via ICA. To do this, you need two components from Citrix:
- Hotfix PSE400R01W2K3051 for your Presentation Server(s). This hotfix requires Hotfix Rollup Package 1 (HRP1) for PS4.
- A special version of Web Interface that has ADFS support. This is available for free from MyCitrix. It’s a unique version of WI that does not support other, non-ADFS authentication methods. The next release of WI will have ADFS authentication integrated into the full WI package.
ADFS support was originally on the roadmap for the “Ohio” release of Presentation Server (estimated 4Q 2006), but Citrix made this code available today for people who need it ASAP. They’ve also created a dedicated WI+ADFS support forum on citrix.com.