If you create and distribute RSA SecurID software tokens to end users, they need enter only their PIN, rather than PIN and token code, to authenticate.

Setup Requirements

You can use Compressed Token Format (CTF) or dynamic seed provisioning, which is also called CT-KIP (Cryptographic Token Key Initialization Protocol), to set up an easy-to-use RSA authentication system. With this system, you generate a URL to send to end users. To install the token, end users paste this URL directly into Horizon Client on their client devices. The dialog box for pasting this URL appears when end users connect to Connection Server with Horizon Client.

Horizon Client also supports file-based provisioning. When a file-based software token is issued to a user, the authentication server generates an XML-format token file, which is called an SDTID file for its .sdtid extension. Horizon Client can import the SDTID file directly. Users can also launch Horizon Client by tapping the SDTID file in a file browser.

After the software token is installed, end users enter a PIN to authenticate. With external RSA tokens, end users must enter a PIN and the token code generated by a hardware or software authentication token.

The following URL prefixes are supported if end users will be copying and pasting the URL into Horizon Client when Horizon Client is connected to an RSA-enabled Connection Server instance:

  • viewclient-securid://

End users can install the token by tapping the URL. Both prefixes viewclient-securid:// and are supported. Note that not all browsers support hyperlinks that begin with Also some file browsers, such as the File Manager app on the ASUS Transformer Pad, cannot link the SDTID file with Horizon Client.

For information about using dynamic seed provisioning or file-based (CTF) provisioning, see the Web page RSA SecurID Software Token for iPhone Devices at http://www.rsa.com/node.aspx?id=3652 or RSA SecurID Software Token for Android at http://www.rsa.com/node.aspx?id=3832.

Instructions to End Users

When you create a CTFString URL or CT-KIP URL to send to end users, you can generate a URL with or without a password or activation code. You send this URL to end users in an email that must include the following information:

  • Instructions for navigating to the Install Software Token dialog box.

    Tell end users to tap External Token in the Horizon Client dialog box that prompts them for RSA SecurID credentials when they connect to a Connection Server instance.

  • CTFString URL or CT-KIP URL in plain text.

    If the URL has formatting on it, end users will get an error message when they try to use it in Horizon Client.

  • Activation code, if the CT-KIP URL that you create does not already include the activation code.

    End users must enter this activation code in a text field of the dialog box.

  • If the CT-KIP URL includes an activation code, tell end users that they need not enter anything in the Password or Activation Code text box in the Install Software Token dialog box.