Storebrowse Classic Password Insertion for StoreFront [Citrix Receiver for Linux 13.4]

Table of Contents

Introduction
Configuration
Operations with Credential Insertion
Domain credential comparison rules
    Examples
Examples
    Basic usage flow
    User restore flow

Introduction

This document describes how storebrowse is intended to be used when taking advantage of the new SSO capabilities available in Citrix Receiver for Linux.

Configuration

To enable domain credentials insertion, enable the HTTP Basic authentication method in the StoreFront console:

Operations with Credential Insertion

Storebrowse allows credentials to be provided for authenticating to a StoreFront server using the same -U/-D/-P switches used for presenting username, domain and password, respectively, to a PNA store. The set of credentials used with StoreFront servers is stored in Authentication Manager's (AM) Single Sign-On (SSO) cache because AM is in charge of the authentication process when connecting to StoreFront sites.

The credentials stored in the SSO container are shared among storebrowse calls as long as they are not removed from the cache or as long as AM is running (that is, terminating AM would also clear the credential cache). This means that after a set of credentials is inserted in SSO, it can be omitted in any subsequent usage of storebrowse that requires that same set of credentials.

However, specifying the same credentials during subsequent storebrowse calls does not result in an overflow in the credential container because subsequent insertion attempts are ignored as per the rules enforced when comparing credentials (for reference, see the following section about credential comparison rules). For examples of how to use the -U/-D/-P switches to provide SSO credentials, see the Linux OEM Reference Guide.


Domain credential comparison rules

Storebrowse allows only domain credentials to be presented. The command line is not considered secure enough to provide smart card PINs.

After a set of credentials is inserted, the SSO implementation in AM allows for a second set of credentials to be inserted on top of the first one, provided that the second set is different. That means that at most two separate sets of credentials can be stored at the same time (that is, only a single level of restore is supported). The credentials are cached in SSO in a stack fashion, with only the topmost set of credentials accessible for authentication.

When inserting a set of credentials into SSO, it is compared to those already available in the container (if any).

If the comparison is positive, the new credentials are ignored and not cached. If the comparison is negative, the new credentials are stored on top of the currently stored credentials (if the second slot is empty).

The rule enforced to compare domain credentials is as follows: two sets of domain credentials are considered matching if username and domain are equal (the password is ignored in the comparison).

Examples

-U usernameA -D domainA -P passwordA == -U usernameA -D domainA -P passwordA
Credentials match: all three fields match.

-U usernameA -D domainA -P passwordA != -U usernameB -D domainA -P passwordA
Credentials do not match: the username is different.

-U usernameA -D domainA -P passwordA != -U usernameA -D domainB -P passwordA
Credentials do not match: the domain is different.

-U usernameA -D domainA -P passwordA == -U usernameA -D domainA -P passwordB
Credentials match: only the password is different.

Examples

The following examples illustrate how to use the Receiver's SSO capabilities with storebrowse.

Basic usage flow

A store is added, its apps/desktops enumerated, an app/desktop is launched, then the store is removed. The credentials are cached at the beginning of the flow and then reused for all subsequent operations. Some operations are performed passing the same credentials again to demonstrate that it does not affect the status of the SSO cache.

1. No stores, no credentials cached

2. List stores
   command: storebrowse -l
   output: none, no stores listed

3. Add a store and provide credentials
   command: storebrowse -U username -D domain -P password -a storefrontURL
   output: none, the operation succeeded

4. List stores
   command: storebrowse -l
   output: fullstorefrontURL

5. Enumerate the apps/desktops passing the same credentials as before
   command: storebrowse -U username -D domain -P password -E fullstorefrontURL
   output: list of apps/desktops (the given credentials are ignored, the SSO cached credentials are used)

6. Enumerate the apps/desktops without specifying credentials
   command: storebrowse -E fullstorefrontURL
   output: list of apps/desktops (the SSO cached credentials are used)

7. Launch an app/desktop passing the same credentials as before
   command: storebrowse -U username -D domain -P password -L appordesktopname fullstorefrontURL
   output: the app/desktop launches (the given credentials are ignored, the SSO cached credentials are used)

8. Launch an app/desktop without specifying credentials
   command: storebrowse -L appordesktopname fullstorefrontURL
   output: the app/desktop launches (the SSO cached credentials are used)

9. Remove the store
   command: storebrowse -d fullstorefrontURL
   output: none, the operation succeeded

10. Remove the cached credentials from the SSO cache
    command: storebrowse -K
    output: none, the operation succeeded

11. List stores
    command: storebrowse -l
    output: none, no stores listed

12. The system is back to its starting state

User restore flow

A user is logged on, his/her apps/desktops are enumerated, one of the apps/desktops is launched. Then another user is logged on in addition to the previous one, the new user's apps/desktops are enumerated, one of the new user's apps/desktops is launched.

The second user is logged off.

The first user's apps/desktops are enumerated again, one of the first user's apps/desktops is launched again.

The first user is then logged off.

1. No stores, no credentials cached

2. List stores
   command: storebrowse -l
   output: none, no stores listed

3. StoreFront A is added for User A, User A's credentials are cached
   command: storebrowse -U usernameA -D domainA -P passwordA -a storefrontURLA
   output: none, the operation succeeded

4. List stores
   command: storebrowse -l
   output: fullstorefrontURLA

5. Enumerate User A's apps/desktops without specifying credentials
   command: storebrowse -E fullstorefrontURLA
   output: list of apps/desktops (the SSO cached credentials are used)

6. Launch a User A's app/desktop without specifying credentials
   command: storebrowse -L appordesktopnameA fullstorefrontURLA
   output: the app/desktop launches (the SSO cached credentials are used)

7. User B logs on in addition to User A, StoreFront B is added for User B, User B's credentials are cached on top of User A's
   command: storebrowse -U usernameB -D domainB -P passwordB -a storefrontURLB
   output: none, the operation succeeded

8. List stores
   command: storebrowse -l
   output: fullstorefrontURLA fullstorefrontURLB

9. Enumerate User B's apps/desktops without specifying credentials
   command: storebrowse -E fullstorefrontURLB
   output: list of apps/desktops (the latest/topmost SSO cached credentials are used)

10. Launch a User B's app/desktop without specifying credentials
    command: storebrowse -L appordesktopnameB fullstorefrontURLB
    output: the app/desktop launches (the latest/topmost SSO cached credentials are used)

11. User B logs off, their store is removed
    command: storebrowse -d fullstorefrontURLB
    output: none, the operation succeeded

12. Remove the cached credentials for User B from the SSO cache
    command: storebrowse -K
    output: none, the operation succeeded (the latest/topmost credentials are removed from the SSO cache)

13. List stores
    command: storebrowse -l
    output: fullstorefrontURLA

14. Enumerate User A's apps/desktops without specifying credentials
    command: storebrowse -E fullstorefrontURLA
    output: list of apps/desktops (the previous SSO cached credentials are used)

15. Launch a User A's app/desktop without specifying credentials
    command: storebrowse -L appordesktopnameA fullstorefrontURLA
    output: the app/desktop launches (the previous SSO cached credentials are used)

16. User A logs off, the configured store is removed
    command: storebrowse -d fullstorefrontURLA
    output: none, the operation succeeded

17. Remove the cached credentials for User A from the SSO cache
    command: storebrowse -K
    output: none, the operation succeeded (the previous credentials are removed from the SSO cache, now empty)

18. List stores
    command: storebrowse -l
    output: none, no stores listed

19. The system is back to its starting state
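
The comparison rules and the two-slot stack behind the user restore flow, modelled as an added Python example (this is not Citrix code and it does not call storebrowse or AM). It assumes exact string equality for username and domain, and that a third distinct set is not stored when both slots are full; all class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainCredential:
    username: str
    domain: str
    password: str

    def matches(self, other):
        # Page rule: username and domain must be equal; the password is ignored.
        return (self.username, self.domain) == (other.username, other.domain)


class SSOCacheModel:
    """Toy model of the credential stack described in this document."""
    MAX_SLOTS = 2  # "only a single level of restore is supported"

    def __init__(self):
        self._stack = []

    def insert(self, cred):
        """Model of -U/-D/-P. Returns 'ignored', 'stored' or 'full'."""
        if any(cred.matches(c) for c in self._stack):
            return "ignored"  # matching set already cached; password NOT updated
        if len(self._stack) >= self.MAX_SLOTS:
            return "full"     # assumption: no third slot, so nothing is stored
        self._stack.append(cred)
        return "stored"

    def remove_top(self):
        """Model of -K: drop the topmost set, exposing the previous one."""
        return self._stack.pop() if self._stack else None

    @property
    def active(self):
        """Only the topmost set is accessible for authentication."""
        return self._stack[-1] if self._stack else None


def rotate_password(cache, new_cred):
    """Replace the topmost set when only its password changed: -K, then insert."""
    top = cache.active
    if top is not None and top.matches(new_cred) and top.password != new_cred.password:
        cache.remove_top()
    return cache.insert(new_cred)
```

Under these rules, presenting the same username and domain with a new password is ignored, so the old password stays cached until `storebrowse -K` removes that set.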
