Veridium and Citrix FAS integration
The goal of the integration with Citrix FAS is to use the Citrix Virtual Smart Card, which allows the double-hop scenario.
The integration is done at the Veridium RA level. Veridium RA now has an option not to talk directly to the Microsoft CA but to integrate with the Citrix FAS service instead. Citrix FAS then enrolls the certificate into a Citrix Virtual Smart Card, which is available in the session for secondary authentications.
Initial Logon / Reconnect scenario:
Unlock scenario (using Veridium RA connected to Citrix FAS):
Setup details:
Follow the Citrix FAS installation guide to set up FAS: Federated Authentication Service | Secure.
Enable FAS using a PowerShell script for your authentication store. Install Veridium RA version 3.2.4 or newer. Provide the standard configuration and open the C:\Program Files\VeridiumID\RAEPServer\RaWebApp\Web.Config file. Modify the Web.Config as follows:
<add key="fasCertificateIssuer" value="true" />
<add key="fasCustomPickAssembly" value="" />
<add key="fasCustomPickType" value="" />
<add key="fasCustomPickMethod" value="" />
<add key="fasCertificateRule" value="default" />
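The following PowerShell script is an added example, not Veridium's or Citrix's own tooling: it applies the five appSettings keys above to the Veridium RA Web.Config idempotently (updating existing keys in place, adding only missing ones), keeps a timestamped backup, and reads the keys back so the change can be verified before testing logon. It assumes the default install path from this page, a standard ASP.NET Web.Config with a <configuration><appSettings> section, and an elevated prompt on the RA server.

```powershell
# Added example (not Veridium's or Citrix's own tooling): set the FAS-related
# appSettings on the Veridium RA Web.Config idempotently, keep a backup, and read
# the keys back so the change can be verified.
# Assumptions: default install path from the page; standard ASP.NET Web.Config with
# a <configuration><appSettings> section; run from an elevated prompt on the RA server.

param(
    [string]$WebConfigPath = 'C:\Program Files\VeridiumID\RAEPServer\RaWebApp\Web.Config'
)

# Keys and values exactly as documented; the custom-pick keys stay empty unless a
# custom certificate-picking assembly is in use.
$FasSettings = [ordered]@{
    fasCertificateIssuer  = 'true'
    fasCustomPickAssembly = ''
    fasCustomPickType     = ''
    fasCustomPickMethod   = ''
    fasCertificateRule    = 'default'
}

function Set-FasAppSettings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Settings
    )

    # Timestamped backup so a mistaken edit can be rolled back.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $appSettings = $xml.configuration.SelectSingleNode('appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.configuration.AppendChild($xml.CreateElement('appSettings'))
    }

    foreach ($key in $Settings.Keys) {
        # Update an existing <add key="..."/> in place; create it only when absent,
        # so re-running the script never produces duplicate keys.
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if (-not $node) {
            $node = $xml.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void]$appSettings.AppendChild($node)
        }
        $node.SetAttribute('value', [string]$Settings[$key])
    }
    $xml.Save($Path)
    return $backup
}

function Get-FasAppSettings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Keys
    )
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $result = [ordered]@{}
    foreach ($key in $Keys) {
        $node = $xml.configuration.SelectSingleNode("appSettings/add[@key='$key']")
        $result[$key] = if ($node) { $node.GetAttribute('value') } else { $null }
    }
    return $result
}

$backupPath = Set-FasAppSettings -Path $WebConfigPath -Settings $FasSettings
Write-Host "Backup written to $backupPath"

# Read back and compare; any mismatch means the edit did not land as expected.
$current = Get-FasAppSettings -Path $WebConfigPath -Keys @($FasSettings.Keys)
$mismatches = @($FasSettings.Keys | Where-Object { $current[$_] -ne $FasSettings[$_] })
if ($mismatches.Count -gt 0) {
    Write-Warning "Keys not applied as expected: $($mismatches -join ', ')"
} else {
    Write-Host 'All FAS appSettings verified.'
    $current.GetEnumerator() | ForEach-Object { '  {0} = "{1}"' -f $_.Key, $_.Value }
}
```

Saving Web.Config causes ASP.NET to recycle the RA application, so run this in a maintenance window; the read-back step is the check worth keeping even if the keys are edited by hand.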
Make sure that initial logon and disconnect/reconnect work, and that the double-hop scenario also works.
Try to lock the VDI and unlock it using the Credential Provider. The following event will be visible on Veridium RA:
{
  "Module": "VeridiumRA",
  "Method": "POST:api/BopsCertificate",
  "UPN": ";MSKSP",
  "EVENT_SOURCE": "VeridiumRA",
  "ThreadID": 25,
  "Messages": [
    {
      "variable": "Info",
      "value": "ValidateTokenRequest - Check Identity token format JSON"
    },
    {
      "variable": "Info",
      "value": "ValidateTokenRequest - Identity token format is JWT"
    },
    {
      "variable": "upnValidated",
      "value": "milos@dev.local"
    },
    {
      "variable": "Info",
      "value": "Picked FAS server dev-dc2.dev.local"
    },
    {
      "variable": "Info",
      "value": "Receiving user handler AKs4m1NhCLZTsnMFfnFKGieMD5yp0Qu"
    }
  ],
  "TimeProfile": [],
  "InputParameters": [
    {
      "variable": "request.bopsUpn",
      "value": ";MSKSP"
    },
    {
      "variable": "request.bopsToken",
      "value": "eyJ...3Xhg"
    }
  ],
  "Return": {
    "ReturnCode": 0,
    "NativeReturnCode": 0,
    "Text": "Info",
    "Description": "Certificate for user milos@dev.local successfully enrolled",
    "Details": ""
  },
  "ActivityStartTime": "2023-01-04T14:54:57.2140738+02:00",
  "ActivityEndTime": "2023-01-04T14:55:00.0040078+02:00",
  "Duration": 2789
}
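The following PowerShell function is an added example, not Veridium's own tooling: it parses an RA enrollment event of the shape shown above and reports whether the FAS path was actually taken, so an unlock that silently fell back to the old CA path or failed outright is caught before the double-hop test. It looks for the "Picked FAS server" message, the validated UPN and a zero ReturnCode. The event JSON is assumed to be exactly as Veridium RA logs it; the first sample is a trimmed copy of the event above, the second is a constructed failure case, and the 10-second "slow enrollment" threshold is a hypothetical local choice, not a documented value.

```powershell
# Added example (not Veridium's own tooling): check a Veridium RA enrollment event
# for the signs of a successful FAS enrollment.
# Assumptions: event JSON as logged by Veridium RA; the 10 s "slow" threshold is a
# hypothetical local choice, not a documented value.

function Test-FasEnrollmentEvent {
    param([Parameter(Mandatory)][string]$EventJson)

    $evt = $EventJson | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    # The RA logs the FAS server it chose as an Info message; its absence means the
    # request never reached FAS (typically fasCertificateIssuer is still false).
    $fasLine = @($evt.Messages | Where-Object { $_.value -like 'Picked FAS server *' })
    $fasServer = if ($fasLine.Count -gt 0) { $fasLine[0].value -replace '^Picked FAS server ', '' } else { $null }

    $upnEntry = @($evt.Messages | Where-Object { $_.variable -eq 'upnValidated' })
    $upn = if ($upnEntry.Count -gt 0) { $upnEntry[0].value } else { $null }

    if ($evt.Module -ne 'VeridiumRA' -or $evt.Method -ne 'POST:api/BopsCertificate') {
        $findings.Add('Not a BopsCertificate enrollment event')
    }
    if ($evt.Return.ReturnCode -ne 0) {
        $findings.Add("Enrollment failed: ReturnCode=$($evt.Return.ReturnCode) ($($evt.Return.Description))")
    }
    if (-not $fasServer) {
        $findings.Add('No "Picked FAS server" message: FAS path not taken, check fasCertificateIssuer')
    }
    if (-not $upn) {
        $findings.Add('No validated UPN in event')
    }
    if ($evt.Duration -gt 10000) {
        $findings.Add("Slow enrollment: $($evt.Duration) ms")
    }

    [pscustomobject]@{
        Upn       = $upn
        FasServer = $fasServer
        Duration  = $evt.Duration
        Healthy   = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Trimmed copy of the successful event shown on the page.
$okEvent = @'
{
  "Module": "VeridiumRA",
  "Method": "POST:api/BopsCertificate",
  "Messages": [
    { "variable": "upnValidated", "value": "milos@dev.local" },
    { "variable": "Info", "value": "Picked FAS server dev-dc2.dev.local" }
  ],
  "Return": { "ReturnCode": 0, "Description": "Certificate for user milos@dev.local successfully enrolled" },
  "Duration": 2789
}
'@

# Constructed counter-example: non-zero return code and no FAS server message.
$badEvent = @'
{
  "Module": "VeridiumRA",
  "Method": "POST:api/BopsCertificate",
  "Messages": [
    { "variable": "upnValidated", "value": "milos@dev.local" }
  ],
  "Return": { "ReturnCode": 1, "Description": "Certificate enrollment failed" },
  "Duration": 31000
}
'@

foreach ($e in $okEvent, $badEvent) {
    $r = Test-FasEnrollmentEvent -EventJson $e
    if ($r.Healthy) {
        'OK   {0} via FAS server {1} in {2} ms' -f $r.Upn, $r.FasServer, $r.Duration
    } else {
        'FAIL {0}: {1}' -f $r.Upn, ($r.Findings -join '; ')
    }
}
```

Run this against the events captured during the lock/unlock test; a healthy result on the unlock event confirms the Credential Provider path went through FAS rather than the direct CA path.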
Check that the double-hop scenario is also working after the Credential Provider unlock.