I have been working with a colleague of mine (Saman Salehian) who has been working on a project with a Citrix NetScaler. One of the hopes of this project is to offer Citrix applications externally. A problem was posed to me: restrict users to non-critical, non-patient-facing applications (e.g., Outlook, the intranet site, etc.) if they logged in with only their domain credentials, but show all applications if they used a two-factor authentication method.
Citrix has 3 articles (one, two, three) that I’ve been able to find about executing on this. The problem with these articles is that they are now outdated. Citrix has a much more flexible and (in my humble opinion) better way to hide/show applications, and that is through the Receiver Extension APIs. Through a single store, I’ll be able to show and hide applications dynamically.
The two API calls that are relevant are:
excludeApp(app)
Exclude an application completely from all UI, even if it would normally be included.
includeApp(app)
Include an application, even if it would normally be excluded. For example a platform might exclude applications intended for a different platform.
The architecture of this solution looks like this:
It’s pretty damn simple. Check whether a specific cookie has a specific value and, if it does NOT have that value, exclude the app(s) from being shown.
So the role of the NetScaler here is to write a cookie based on the authentication method when the user logs on. Our StoreFront script will check the value of that cookie. If the cookie contains our known value, we iterate through all applications, look for some unique text we’ve set in the application description field (this works with both XenApp 6.5 and 7.X), and hide those applications. For my example, I’ve added " 2FA" to the application description field for the applications I want excluded from single-factor authentication. Note: I’ve required a space before the characters 2FA.
//get cookies function
function getCookie(name) {
    var results = document.cookie.match('(^|;) ?' + name + '=([^;]*)');
    return results ? unescape(results[2]) : null;
}

var logonmethod = getCookie("logonmethod");

if (logonmethod == "1FA") {
    CTXS.Extensions.excludeApp = function(app) {
        //do a javascript search for our marker text in the description.
        //if the text is found, 'findme' is the index of the match (0 or greater). If it's not found, it is -1.
        var findme = app.description.search(" 2FA");
        if (findme != -1) {
            CTXS.trace("hiding app from 1FA:" + app.description);
            return true;
        }
        //no marker text: leave the app visible
        return false;
    };
}
And that’s it! A deliciously simple addition to \custom\script.js.
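A fail-closed variant of the script above, as an added example that is not from the original post: it hides the marked applications unless the cookie carries the exact two-factor value, so a missing or unexpected cookie does not reveal them. The `2FA` cookie value and the helper names `readCookie` and `shouldExcludeApp` are assumptions; the post only shows the `1FA` value.

```javascript
// Added example, not from the original post. Assumption: the NetScaler writes
// logonmethod=2FA for two-factor logons (the post only shows the "1FA" value).
var TWO_FACTOR_VALUE = "2FA";   // assumed cookie value
var MARKER = " 2FA";            // marker text from the post, leading space included

// Read one cookie from a cookie string; null if absent or undecodable.
function readCookie(cookieString, name) {
    var parts = String(cookieString || "").split(";");
    for (var i = 0; i < parts.length; i++) {
        var pair = parts[i].replace(/^\s+/, "");
        var eq = pair.indexOf("=");
        if (eq !== -1 && pair.slice(0, eq) === name) {
            try { return decodeURIComponent(pair.slice(eq + 1)); }
            catch (e) { return null; }   // malformed encoding counts as "no cookie"
        }
    }
    return null;
}

// True when the app must be hidden: it carries the marker and the logon
// method is anything other than the exact two-factor value.
function shouldExcludeApp(app, logonMethod) {
    var description = (app && typeof app.description === "string") ? app.description : "";
    var marked = description.indexOf(MARKER) !== -1;
    return marked && logonMethod !== TWO_FACTOR_VALUE;
}

// Wire into StoreFront only when running inside Receiver for Web.
if (typeof CTXS !== "undefined" && typeof document !== "undefined") {
    var logonMethod = readCookie(document.cookie, "logonmethod");
    CTXS.Extensions.excludeApp = function (app) {
        var hide = shouldExcludeApp(app, logonMethod);
        if (hide) { CTXS.trace("hiding 2FA-only app: " + app.description); }
        return hide;
    };
}
```

Because script.js runs in the browser, this only controls what the StoreFront UI lists; access to the 2FA-only applications still has to be enforced on the server side.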
Hi Trentent,
Thank you for posting this as this may be the answer I have been looking for when it comes to dynamically hiding applications for our external users. I have modified your script slightly and I am now able to hide applications using the set keyword but it only seems to be working for the website, not the native receiver app. Should this work in the app as well?
Thanks,
Timon
Hi Timon,
We only use this feature for our 2FA users, so for external users via the web-only. I have not had an opportunity to test it with native receiver, but I do not believe it would work as it requires a cookie to be set which would only happen with a web browser. There may be another way to check for whether the connection is an access gateway connection that you could pick up on with native receiver, but I have not had to do that work.
Thank you for taking the time to reply. I was coming to the same conclusion that the native app doesn’t handle cookies in the same way although looking at the documentation it does appear to make some use of cookies for authentication. I will raise a support call with Citrix for confirmation and I will respond back here if I find anything that works.
This was so close to a perfect solution!
Hi Trentent, what must I use for code when I only want to hide applications when I come over the NetScaler? Is there a way without keywords also? Regards, Frank