Channel: SCN: Message List - SAP Single Sign-On

Re: ADFS as Identity Provider for SAP systems


Hello Dimitar

 

I would like to hear more about option 2.

 

Our scenario is that store users share a Citrix desktop on a thin client in a store. This thin client might be shared among 3-4 store clerks that work in a hypermarket. The Citrix desktop is associated with a common user, i.e. PC123, and users each have their individual AD accounts, i.e. USERA and USERB. This works for access to Windows applications as there is no particular requirement to identify individual users. Furthermore, the store users would like to avoid logging out of the common Citrix desktop and into a Citrix desktop based on an individual user, as this takes a couple of minutes to accomplish. In retail in a hypermarket context, customers are not necessarily that patient, so a couple of minutes to wait each time a new store user needs to access a terminal is not acceptable. This problem could of course be addressed with an upgrade of the Citrix back end to a more modern setup, but unfortunately that upgrade is not going to happen any time soon.

 

Consequently we are left with the next best alternative, which is to use the browser as a platform for access to various systems. The browser can then redirect to an appropriate system for authentication when required. I believe we would not be able to use option 1 as the Kerberos/SPNEGO setup would need to translate the common user Kerberos ticket issued to PC123 to USERA when that user is at the terminal and USERB when that particular user is at the terminal. Alternatively we could translate a common user on the Windows side to a common user in SAP, but this is not the preferred solution as we then do not have a proper audit trail in SAP of who did what at a specific terminal.

 

If indeed it is possible to have for example two redirect applications similar to the one mentioned in note 1250795 and set it up so that one requests authentication with username/password from the ADFS to which it is redirected and the other accepts that ADFS uses Windows integrated authentication I would be a very happy man...

 

Best regards,

Anders

 


