You can configure x509 certificate authentication in Unified Access Gateway to allow clients to authenticate with certificates on their desktop or mobile devices or to use a smart card adapter for authentication.
Certificate-based authentication is based on what the user has (the private key or smart card), and what the person knows (the password to the private key or the smart card PIN). Smart card authentication provides two-factor authentication by verifying both what the person has (the smart card) and what the person knows (the PIN). End users can use smart cards for logging in to a remote Horizon desktop operating system and to access smart-card enabled applications, such as an email application that uses the certificate for signing emails to prove the identity of the sender.
With this feature, smart card certificate authentication is performed against the Unified Access Gateway service. Unified Access Gateway uses a SAML assertion to communicate information about the end user's X.509 certificate and the smart card PIN to the Horizon server.
You can configure certificate revocation checking to prevent users who have their user certificates revoked from authenticating. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another. Certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP) is supported. A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of a certificate.