"Active Directory logon permits two techniques: username/password and smart card. The StoreFront and User Credential Service accept an SSO assertion based on the identity provider and convert that into a network virtual smart card logon for active directory." For more information check the SAML Authentication Technology Preview for XenApp and XenDesktop - https://www.citrix.com/blogs/2016/03/03/saml-authentication-technology-preview-for-xenapp-and-xendesktop/.
Old architecture (used in XenApp 6.5)
https://technet.microsoft.com/en-us/library/dn169014%28v=ws.10%29.aspx
New architecture (Windows 10 / Server 2016)
https://technet.microsoft.com/en-us/itpro/windows/whats-new/security
Search for “Virtualization-based security”
This started in Server 2012 R2, is fully implemented in Windows 10, and will be in Server 2016. To meet the need for federated authentication, we are building a solution that uses network virtual smart cards rather than Kerberos. Windows will view the logon as a smart card authentication; the Citrix Federated Authentication Service holds the cards, and use of the cards is enabled based upon NetScaler/StoreFront authentication, where SAML already exists.
Windows SAM architecture changes in newer versions of Windows operating systems prevent the technique that Citrix used to implement Kerberos Constrained Delegation (KCD) on XenApp 6.5. The SAM in the newer operating systems runs in a mini VM, separate from the main Windows OS. Inserting the KCD hooks into the SAM on the new OSes would insert the hooks into that separate machine, where they could not perform the work to log the user onto the machine.
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/install-prepare.html