Configuring the Imprivata Authentication Plugin for Citrix

SAML Authentication for Citrix Introduced

The Imprivata Authentication Plugin for Citrix eliminates the need to send a user name and password between Enterprise Access Management and Citrix when authenticating Enterprise Access Management users. When the Imprivata Authentication Plugin for Citrix is enabled:

  • Enterprise Access Management functions as the Identity Provider — During user authentication, the Imprivata agent requests a SAML artifact from the Imprivata appliance.

  • Citrix functions as the Service Provider — The Imprivata agent uses the SAML artifact to authenticate the user to Citrix. Citrix StoreFront validates the SAML artifact with the Imprivata appliance.

The following sections explain how to install and configure the plugin. For complete details on configuring Imprivata Virtual Desktop Access with Citrix XenDesktop or Citrix XenApp, see Imprivata Virtual Desktop Access.

Before You Begin

Before you begin:

  • The Imprivata Authentication Plugin for Citrix requires a minimum version of Citrix Workspace app and is supported for Windows endpoints and for Linux thin clients with Imprivata ProveID Embedded enabled.

    See Imprivata Enterprise Access Management for SSO Supported Components to confirm that your environment meets the minimum requirements.

  • Using the Imprivata Authentication Plugin for Citrix is limited to:

    • Applications that are automatically launched. When a Citrix store is configured with the plugin, and a user attempts to manually launch an application from this store, authentication fails.

      If your workflow lets users manually launch applications, be sure that these applications reside in a separate store that is not enabled for the plugin.

    • Citrix Workspace app

      The plugin is not enforced for applications accessed from a web browser.

  • During installation, the plugin associates itself with the Citrix CustomForms protocol.

    Citrix StoreFront limits the use of this protocol to one authentication method. To verify that another authentication method is not already configured, open the required store in the Citrix StoreFront Console, and go to the Manage authentication methods dialog.

  • Configuring the plugin requires the DNS name of an Imprivata appliance. An IP address is not supported.

NOTE: SAML authentication for Citrix is not supported in offline mode.

How to Install and Configure the Plugin on a Single Server

Complete the following steps to install and configure the Imprivata Authentication Plugin for Citrix to a single server.

How to Install and Configure the Plugin to a Server Group

Complete the following steps to install and configure the Imprivata Authentication Plugin for Citrix to a server group.

Uninstall the Imprivata Authentication Plugin for Citrix

To uninstall the plugin:

  1. Log in to the Citrix controller on which the plugin is installed.

  2. Open the Citrix StoreFront console.

  3. Go to Stores, right-click the store where the Imprivata Authentication method is enabled, and select Manage Authentication Methods.

  4. Deselect the Imprivata authentication plugin, and then click Advanced.

  5. Click Install or uninstall authentication methods.

  6. Deselect the Imprivata authentication plugin, and click OK.

  7. Restart the Citrix controller.

  8. Uninstall the plugin using the Windows Control Panel Add/Remove Programs utility, and then restart the Citrix controller.