Citrix Access Gateway and Safeword

We are using Web Interface 5.  I have it working with Safeword tokens and authenticating internally to our network.  We installed a Citrix Access Gateway, Standard Edition.  When users access the Web Interface, they have to enter their id and password on the first screen, then they get the Web interface login screen and have to enter their id and password along with the token passcode.  I'd like to eliminate the first step.  I want users to just enter their id, password and passcode once.  I have tried to setup a realm with two source authentication, but no luck.  Any one get this working?
Who is Participating?
There's a java script you have to apply onto your WI server.

just follow the directions. It worked for me - had EXACTLY the same problem

You can disable the CAG portal logon and redirect straight to the Web Interface where they will only need to enter logon details once. do the following:
1. On the Access Policy Manager tab, under User Groups, right-click a group (or just the default group) and click Properties.
2. On the Gateway Portal tab, click Redirect to Web Interface.
3. In Path, type the path of the server that is hosting the Web Interface.
4. In Web Server, type the IP address or FQDN of the server that is hosting the Web Interface.
5. To secure the connection, click Use a secure connection. Click OK.

You'll then need to disable the portal logon
1. Click the Global Cluster Policies tab.
2. Under Advanced Options, clear Enable logon page authentication.
3. Click Submit.

I've pulled this out of the CAG user guide as I can't currently access my CAG to get the details and I can't remember off the top of my head. If this is wrong or you can't find it, let me know and I'll try to get on my CAG later today to verify exactly where the settings are. I suspect you already have the WI redirection so it's just the disabling of the CAG portal that needs to be done.
GordJonesAuthor Commented:
Thanks for the feedback.  I did have the path set correctly for the Web Interface.  I unchecked the Enable logon page authentication, but no luck.  How do you have your realm setup?  I've read some different options, like having a 2 source realm.  Right now, I have 1 realm authenticating with LDAP.  
Ahh, change your single (default) realm so there is No Authentication. That will allow the redirect to the WI without first asking users for logon credentials.

The only other thing you could do, is configure passthru authentication for the WI. See the following document:

You may need to configure dual source authentication on the CAG so that LDAP and Safeword authentication can be used.
GordJonesAuthor Commented:
Took a look at the document in the link.  Set everything up okay.  But the authorization is still not working on the CAG.  I can get it to work if I have the authentication happening from the WI, but I want to have the CAG authenticate.  Maybe it's not possible?  I have set a 2 source realm, first being ldap,second safeword, but no luck.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.