Friday, November 30, 2007

ADFS and Citrix allowing SSO

The company I am with currently is an ASP providing JDEdwards applications to other companies. There are currently 2 ways to provide this service: a web version of JDE served over the network, or the fat client published via Citrix. Since we provide this service to external customers and are not part of their company, authenticating their users is an issue.

To handle authentication, what we have done is create a custom web app that allows a designated administrator at each customer to create NT accounts for all their users. This scenario requires each user to have 2 sets of credentials: one at their company and another at our company. This is less than ideal.

In the past there have been various ways to work around this; mostly they required either joining the customer domain (bad idea) or installing custom 3rd party software to perform the SSO. As more customers ask for this functionality, it is becoming an increased priority for our organization.

In a Windows Server 2008 class we briefly discussed Active Directory Federation Services (ADFS) and how it allows SSO functionality for web sites. This got me thinking... The Citrix gateway that customers log into is a web page, so maybe ADFS could authenticate the users for us. The web app needs to be ADFS capable; maybe some custom code could allow this?

A quick Google search for ADFS and Citrix returns several postings (http://support.citrix.com/article/CTX110118 and https://www.knowledgecenter.citrix.com/article/CTX109702, to name a few). Apparently Citrix has already enabled this functionality to work with Server 2003. ADFS does require a federation server to be hosted at the customer site (or at least within their domain), and some work may need to be done to create mapped accounts on our side for security and tracking, but it's a lot better than the other options.
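The "mapped accounts on our side" idea deserves a concrete sketch, so here is an added illustration (my own example code, not anything from Citrix, Microsoft or the posts linked above) of what the hosting side of such a federation has to do: accept an identity only from a federation server it trusts, check that the partner is asserting a user in its own domain and not somebody else's, map that identity onto a local shadow account that can be disabled or audited independently of the customer's directory, and record every federated logon. The partner list, the `Claims` fields, the `PREFIX_user` naming scheme and the `ResourcePartner` class are all assumptions made for this example; real ADFS claim handling lives in the federation server and the claims-aware web application, not in a script like this.

```python
"""Added example: resource-side account mapping and audit for a federated
(ADFS-style) single sign-on. Names, claim fields and the naming scheme are
assumptions for illustration only, not any product's API."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Constructed trust list: federation-server issuer -> (local account prefix,
# the UPN suffix that issuer is allowed to assert). A partner may only vouch
# for identities in its own namespace; anything else is rejected.
TRUSTED_PARTNERS = {
    "fs.customer-a.example": ("CUSTA", "customer-a.example"),
    "fs.customer-b.example": ("CUSTB", "customer-b.example"),
}

# Only plain characters are allowed into a local account name.
_SAFE_LOCALPART = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


@dataclass
class Claims:
    """Assumed shape of what the federation server hands us after a logon."""
    issuer: str                 # which customer federation server signed it
    upn: str                    # user@domain identity claim
    groups: list = field(default_factory=list)   # group claims, e.g. JDE roles


class MappingError(Exception):
    """Raised when a federated identity cannot be mapped safely."""


class ResourcePartner:
    """The hosting provider's side: shadow accounts plus an audit trail."""

    def __init__(self):
        self.accounts = {}   # local account name -> metadata
        self.audit = []      # one entry per successful federated logon

    def map_claims(self, claims: Claims, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)

        partner = TRUSTED_PARTNERS.get(claims.issuer)
        if partner is None:
            raise MappingError(f"untrusted issuer {claims.issuer!r}")
        prefix, allowed_suffix = partner

        if "@" not in claims.upn:
            raise MappingError("UPN must be of the form user@domain")
        localpart, suffix = claims.upn.rsplit("@", 1)
        if suffix.lower() != allowed_suffix:
            raise MappingError(f"{claims.issuer} may not assert {suffix!r}")
        if not _SAFE_LOCALPART.match(localpart):
            raise MappingError("UPN local part contains unexpected characters")

        # Deterministic shadow-account name, so the same customer user always
        # lands on the same local account and can be tracked over time.
        local_name = f"{prefix}_{localpart.lower()}"
        if local_name not in self.accounts:
            self.accounts[local_name] = {
                "source_upn": claims.upn.lower(),
                "created": now,
                "enabled": True,
            }
        if not self.accounts[local_name]["enabled"]:
            raise MappingError(f"local account {local_name} is disabled")

        self.audit.append({
            "when": now,
            "local": local_name,
            "issuer": claims.issuer,
            "groups": sorted(claims.groups),
        })
        return local_name

    def disable(self, local_name: str) -> None:
        """Cut off a user on our side even if the customer directory still allows them."""
        self.accounts[local_name]["enabled"] = False

    def logons_for(self, local_name: str) -> int:
        return sum(1 for entry in self.audit if entry["local"] == local_name)


if __name__ == "__main__":
    rp = ResourcePartner()
    print(rp.map_claims(Claims("fs.customer-a.example", "JDoe@customer-a.example", ["JDE-Users"])))
```

The point of the two checks before the account is created is that a federation trust is only as narrow as you make it: trusting `fs.customer-a.example` should mean trusting it to speak for `customer-a.example` users, not for everyone. Keeping a local shadow account per federated user also gives the provider its own kill switch and its own logon history, which is the "security and tracking" part of the mapping.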