Storebrowse Classic Password Insertion for StoreFront [Citrix Workspace app for Linux]
This document describes the way storebrowse is intended to be used when taking advantage of the new SSO capabilities available in Citrix Workspace app for Linux.
Configuration
To enable Storebrowse classic password insertion, enable the HTTP Basic authentication method in the StoreFront console:
Operations with credential insertion
Storebrowse allows credentials to be provided for authenticating to a StoreFront server using the same -U/-D/-P switches used for presenting username, and domain and password, respectively, to a PNA store.
The set of credentials used with StoreFront servers is stored into Authentication Manager’s (AM) Single Sign-On (SSO) cache because AM is in charge of the authentication process when connecting to StoreFront sites.
The credentials stored in the SSO container are shared among storebrowse calls as long as they are not removed from the cache or as long as AM is running (that is, terminating AM would also clear the credential cache).
This means that after a set of credentials is inserted in SSO, it can be omitted in any subsequent usage of storebrowse that requires that same set of credentials.
However, specifying the same credentials during subsequent storebrowse calls does not result in an overflow in the credential container because subsequent insertion attempts are ignored as per the rules enforced when comparing credentials (for reference, see the following section about credential comparison rules).
For examples on how to use the -U/-D/-P switches to provide SSO credentials, see the Linux OEM Reference Guide.
Credential comparison rules
Storebrowse allows only domain credentials to be presented. The command line is not considered secure enough to provide smart card PINs.
After a set of credentials is inserted, the SSO implementation in AM allows for a second set of credentials to be inserted on top of the first one, provided that the second set is different. That means that at most two separate sets of credentials can be stored at the same time (that is, only a single level of restore is supported).
The credentials are cached in SSO in a stack fashion, with only the topmost set of credentials accessible for authentication.
When inserting a set of credentials into SSO, it is compared to those already available in the container (if any).
If the comparison is positive, the new credentials are ignored and not cached.If the comparison is negative, the new credentials are stored on top of the currently stored credentials (if the second slot is empty).
The rule enforced to compare domain credentials is as follows: two sets of domain credentials are considered matching if username and domain are equal (the password is ignored in the comparison).
Examples
-
-U usernameA -D domainA -P passwordA == -U usernameA -D domainA -P passwordACredentials match: all three fields match. -
-U usernameA -D domainA -P passwordA != -U usernameB -D domainA -P passwordACredentials do not match: the username different. -
-U usernameA -D domainA -P passwordA != -U usernameA -D domainB -P passwordACredentials do not match: the domain different. -
-U usernameA -D domainA -P passwordA == -U usernameA -D domainA -P passwordBCredentials match: only the password is different.
Examples
The following examples illustrate how to use the Citrix Workspace app’s SSO capabilities with storebrowse.
Basic usage flow
A store is added, its apps/desktops enumerated, an app/desktop is launched, then the store is removed. The credentials are cached at the beginning of the flow and then reused for all subsequent operations. Some operations are performed passing the same credentials again to demonstrate that it does not affect the status of the SSO cache.
| Sl. no. | Activity | Command | Output |
|---|---|---|---|
| 1. | No stores, no credentials cached | NA | NA |
| 2. | List stores | storebrowse -l |
None, no stores listed |
| 3. | Add a store and provide credentials | storebrowse -U username -D domain -P password -a storefrontURL |
None, the operation succeeded |
| 4. | List stores | storebrowse -l |
fullstorefrontURL |
| 5. | Enumerate the apps/desktops passing the same credentials as before | storebrowse -U username -D domain -P password -E fullstorefrontURL |
List of apps/desktops (the given credentials are ignored, the SSO cached credentials are used) |
| 6. | Enumerate the apps/desktops without specifying credentials | storebrowse -E fullstorefrontURL |
List of apps/desktops (the SSO cached credentials are used) |
| 7. | Launch an app/desktop passing the same credentials as before | storebrowse -U username -D domain -P password -L appordesktopname fullstorefrontURL |
The app/desktop launches (the given credentials are ignored, the SSO cached credentials are used) |
| 8. | Launch an app/desktop without specifying credentials | storebrowse -L appordesktopname fullstorefrontURL |
The app/desktop launches (the SSO cached credentials are used) |
| 9. | Remove the store | storebrowse -d fullstorefrontURL |
None, the operation succeeded |
| 10. | Remove the cached credentials from the SSO cache | storebrowse -K |
None, the operation succeeded |
| 11. | List stores | storebrowse -l |
None, no stores listed |
User restore flow
A user is logged on, his/her apps/desktops are enumerated, one of the apps/desktops is launched. Then another user is logged on in addition to the previous one, the new user’s apps/desktops are enumerated, one of the new user’s apps/desktops is launched.
The second user is logged off.
The first user’s apps/desktops are enumerated again, one of the first user’s apps/desktops is launched again.
The first user is then logged off.
| Sl. no. | Activity | Command | Output | |
|---|---|---|---|---|
| 1. | No stores, no credentials cached | NA | NA | |
| 2. | List stores | storebrowse -l |
None, no stores listed | |
| 3. |
|
storebrowse -U usernameA -D domainA -P passwordA -a storefrontURLA |
None, the operation succeeded | |
| 4. | List stores | storebrowse -l |
fullstorefrontURL |
|
| 5. | Enumerate User A’s apps/desktops without specifying credentials | storebrowse -E fullstorefrontURLA |
List of apps/desktops (the SSO cached credentials are used) | |
| 6. | Launch a User A’s app/desktop without specifying credentials | storebrowse -L appordesktopnameA fullstorefrontURLA |
The app/desktop launches (the SSO cached credentials are used) | |
| 7. | User B logs on in addition to User A, StoreFront B is added for User B, User B’s credentials are cached on top of User A’s | storebrowse -U usernameB -D domainB -P passwordB -a storefrontURLB |
None, the operation succeeded | |
| 8. | List stores | storebrowse -l |
fullstorefrontURLA fullstorefrontURLB |
|
| 9. | Enumerate User B’s apps/desktops without specifying credentials | storebrowse -E fullstorefrontURLB |
List of apps/desktops (the latest/topmost SSO cached credentials are used) | |
| 10. | Launch a User B’s app/desktop without specifying credentials | storebrowse -L appordesktopnameB fullstorefrontURLB |
The app/desktop launches (the latest/topmost SSO cached credentials are used) | |
| 11. | User B logs off, their store is removed | storebrowse -d fullstorefrontURLB |
None, the operation succeeded | |
| 12. | Remove the cached credentials for User B from the SSO cache | storebrowse -K |
None, the operation succeeded (the latest/topmost credentials are removed from the SSO cache) | |
| 13. | List stores | storebrowse -l |
fullstorefrontURLA |
|
| 14. | Enumerate User A’s apps/desktops without specifying credentials | storebrowse -E |
fullstorefrontURLA |
List of apps/desktops (the previous SSO cached credentials are used) |
| 15. | Launch a User A’s app/desktop without specifying credentials | storebrowse -L appordesktopnameA fullstorefrontURLA |
The app/desktop launches (the previous SSO cached credentials are used) | |
| 16. | User A logs off, the configured store is removed | storebrowse -d fullstorefrontURLA |
None, the operation succeeded | |
| 17. | Remove the cached credentials for User A from the SSO cache | storebrowse -K |
None, the operation succeeded (the previous credentials are removed from the SSO cache, now empty) | |
| 18. | List stores | storebrowse -l |
None, no stores listed | |
| 19. | The system is back to its starting state | NA | NA |