
Mobile Device Management and Single Sign On with Citrix and Node.js

We’d all agree that mobile devices have become an essential part of our lives: we can’t stop talking about them, about how the future of development is now or about their amazing BI visualization possibilities. Nowadays, companies might have hundreds or even thousands of mobile devices distributed among their employees, and the best way to handle this is with a good Mobile Device Management (MDM) tool, which allows you to do exceptional things with your devices, like control who has the device, see if they are all updated to prevent security issues, install applications remotely or even wipe them completely in the event of loss. Can you imagine this in your business?


An MDM gives you security, control and ease of use for your corporate mobile devices.


MDM tools are generally developed by third parties and both iOS and Android devices have implemented MDM compatibility deep in their operating systems; such is the integration that you can even have a custom private store for your company apps. This adds great value, meaning that you can deliver apps to your company devices whilst making sure they are not public.


Citrix, for example, is a widely trusted company providing multiple software products and services, focusing on both security and networking. One of these tools is an MDM platform, Endpoint Management (formerly XenMobile), offering the ability to create a private app store, secured with a Citrix user and password, and at the same time acting as a server that manages all available options. You will need an app called Secure Hub to be able to install these private apps on your devices. And if you have multiple apps, it’s handy not to have to log in every time you open an app – that’s why Single Sign On (SSO) is important. First let’s look at the Citrix environment options, and secondly how to log in to Citrix once and then be able to use the other installed and secured company apps without having to re-enter your credentials.


1. Environment


There are two different approaches to setting up an MDM environment with Citrix: cloud or on-premise. Remember that whichever approach you use, you’ll need Secure Hub, a mobile app from Citrix that enables your mobile device to use all your Citrix services (installed from the App Store or Google Play); the Endpoint Management service; and Citrix Gateway (formerly NetScaler Gateway). Gateway provides secure VPN access to the Citrix apps.


Secure Hub, available in the App Store or Google Play, is the entry point to your company apps, and it also adds a security layer.


Companies often use Microsoft’s Active Directory to authenticate and authorize users. In Figure 1 you can see an example of the two approaches using AD:



Figure 1: Two approaches for a Citrix MDM solution.


2. Implementation


To enable SSO you need to have a conversation with Citrix Gateway:


You tell Citrix “Hello, I already logged in before and I want to enter again.”

And Citrix responds “Oh, I see, here’s the key you used.”


It looks easy! But let’s run through a more detailed explanation.


In the next example, we developed both an iOS app and a Node.js API; we also configured a Citrix Cloud environment. We made a build of the iOS app and followed the steps to deploy it into our Citrix Secure Hub app store. We have an iPad with Secure Hub from Citrix, where we logged in, and also installed the iOS app we developed and deployed. The iOS app makes HTTP requests to the Node.js API, and because we are using Citrix Secure Hub, there is an active VPN connection.


This is important, because just by using Secure Hub, our device is going to be using the VPN, already adding a layer of security: all connections from your private apps are being tunnelled and checked by Citrix Gateway.


In Figure 2 we can observe this scenario in more detail. On the left there is an iOS app (.ipa file), wrapped in a .mdx file that has already been deployed to Secure Hub. This wrapping is a process that Citrix needs in order to publish the app to Secure Hub.


When you log in with your Citrix credentials in Secure Hub, a VPN is created, and Gateway behaves as an interceptor for all the network traffic that goes in or out of the app – that’s why Citrix Gateway is placed in the middle in the diagram. The API is on the right, a Node.js app where the iOS app makes the requests.



Figure 2: SSO diagram when using Secure Hub.


Now let’s study the details of the diagram. Note that some steps are marked on the diagram:


  • Step 1: The first time the user opens a Citrix app, the user is prompted to enter his/her credentials.
  • Step 2: The app makes a GET request to the API.
  • Step 3: The API sees that there is no Authorization header, so it responds with a 401 (Unauthorized) asking for credentials. To do this, the response includes a WWW-Authenticate: Basic header.
  • Step 4: Gateway intercepts this response and understands it as a challenge, an attempt to log in using SSO.
  • Step 5: Gateway checks whether the user is logged in to Citrix, which is true because of step 1.
  • Step 6: Gateway sends the credentials back to the API with an Authorization header.
  • Step 7: The API processes the credentials, validates them (with AD or LDAP for example) and sends back a 200 (ok) response to the iOS app.


Note that the Authorization header carries the scheme name Basic followed by username:password encoded using base64. In Figure 2, for example, we’ve got Authorization: Basic Y3A6bWFrZWRhdGFjb3VudA== where Y3A6bWFrZWRhdGFjb3VudA== is cp:makedatacount encoded using base64.


This authorization flow and encoding follows an RFC specification, so it is a widely accepted method that Citrix Gateway understands. You can find more information on the MDN web page.


Conclusion


As you can see, doing a Single Sign On is not a difficult task, but you need to know your tools. A good MDM solution adds value to your business security, control and ease of use.


At ClearPeaks we can offer you the best experience available by developing a customised BI web or mobile app that integrates seamlessly with the services you already have, know and trust.


If you have any queries or comments, do not hesitate to contact us! We would love to speak with you and find the best way to help your company grow thanks to our wide range of services and expertise.

Rafael D
rafael.diaz@clearpeaks.com