HOTP vs Citrix


Joe Fletcher-2

Hi,

 

Got a client who uses Citrix-based virtual desktops. Their environment is such that every day the users log into a new virtual desktop system. This in turn means that every time they log in they get asked for a One time Code since the device cookie is lost with each new virtual desktop. This means the One time Code is an “every time code” and it's annoying their users.

Is there any way around this, other than setting up the client with a custom auth chain allowing them to bypass HOTP?

Cheers

Joe

 

This email with all information contained herein or attached hereto may contain confidential and/or privileged information intended for the addressee(s) only. If you have received this email in error, please contact the sender and immediately delete this email in its entirety and any attachments thereto.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: HOTP vs Citrix

Paul Figura
Hi Joe,

I see this as more of a customer requirements issue than a technical one. What exactly does the customer want? Given the way most HOTP deployments function, I see no problem with it asking for authentication each time. Maybe the clients want longer session cookies, so they only need to log in once per day?

A custom chain could certainly work. You can make one that knows the user is accessing from Citrix, and bypasses the HOTP token entirely.

If you really want to go deep, configure AD Kerberos integration with their Citrix environments, and then the user won't even need to provide credentials if the Citrix login is authenticated to a sufficient level.

Again, there are lots of options, but it really depends what your client wants.

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   
On 3/7/2016 6:37 AM, Joe Fletcher wrote:

> Hi,
>
> Got a client who uses Citrix-based virtual desktops. Their environment is such that every day the users log into a new virtual desktop system. This in turn means that every time they log in they get asked for a One time Code since the device cookie is lost with each new virtual desktop. This means the One time Code is an “every time code” and it's annoying their users.
>
> Is there any way around this, other than setting up the client with a custom auth chain allowing them to bypass HOTP?
>
> Cheers
>
> Joe
