A look at the upcoming improvements to Citrix Identity Platform in Citrix Cloud including on-premises Citrix Gateway, Cloud-Enabled Federated Authentication Services (FAS) and Okta. 

Citrix had great sessions at Synergy 2019 about the Citrix Identity Platform (SYN108 – What’s new in Citrix Cloud identity & SYN 127 Bringing Okta to Citrix Workspace). With many customers expecting improvements to the Citrix Workspace solution, I wanted to share my key takeaways from these sessions.

 

What is Citrix Identity Platform?

Citrix Identity Platform is the bridge between Citrix Cloud services (Gateway, CVAD, ShareFile, Citrix Managed Desktops, etc.) and identity providers (IdPs) such as Active Directory, Azure Active Directory (Azure AD), Okta, etc. Any service that is part of Citrix Cloud will support IdPs that have been integrated within the Citrix Identity Platform.

More and more services are being added in Citrix Workplace, and customers want one identity across all of them with SSO support. Instead of each Citrix product having to support every existing individual identity provider, Citrix Cloud services support Citrix Identity Platform tokens, and don’t have to worry about the underlying identity being used by the customers.

The company is not competing with Azure AD, Okta or Google Identity but instead enabling customers to leverage identity providers that they are already invested in.

I highly recommend you to watch the recording of SYN108 from Synergy 2019 about Citrix Cloud Identity Platform improvements.

 

Identity providers currently supported in Citrix Cloud

At this time, Citrix supports Active Directory and Azure AD with Citrix Workspace.

Identity providers currently supported in Citrix Cloud

Active Directory

Citrix Workspace provides support of Active Directory located on-premises or in public clouds. By using Active Directory, you can:

  • Leverage your own Active Directory, so you can control auditing, password policies, and easily disable accounts when needed.

Connecting your Active Directory to Citrix Cloud involves installing Citrix Cloud Connectors in your domain either on-premises or in public clouds such as Amazon AWS and Microsoft Azure.

Azure AD

By using Azure AD with Citrix Cloud, you can:

  • Leverage your own Active Directory, so you can control auditing, password policies, and easily disable accounts when needed.
  • Configure multi-factor authentication (for example, Azure MFA) for a higher level of security against the possibility of stolen sign-in credentials.
  • Use a branded sign-in page, so your users know they’re signing in at the right place.
  • Use federation to an identity provider of your choice including ADFS, Okta, and Ping, among others.

Azure AD requires an Azure subscription. It can also be used with Azure AD Domain Services (Azure AD DS) and does not require customers to install a local AD. You may need to install Azure AD Connect if you want to leverage your Active Directory located on-premises.

More information about Azure AD integration with Citrix Cloud here.

Authentication mode supported in Citrix Cloud

At this time, Citrix supports only One Time Password (OTP) authentication mode with Citrix Workspace.

Active Directory + One-time password

Most organizations do not want to (and should not) expose their own Active Directory to the Internet without Multi-Factor Authentication. To resolve this issue, Citrix introduced Time-based One-Time Password (TOTP) authentication, which is Active Directory + One-Time Password without the need to have an infrastructure located on-premises. TOTP is an industry standard that is built upon RFC 6238.

Before the support of TOTP, the only way to have Multi-factor authentication with Citrix Workspace was to use Microsoft Azure AD authentication with Azure MFA or with a federated IdP such as Okta or Ping, among others.

TOTP with Citrix Workspace provides an instant and native MFA solution (less than 5 minutes to configure) at no cost for customers who don’t have the resources to setup a dedicated MFA infrastructure on-premises. No infrastructure is required to setup this simple Multi-Factor authentication in Citrix Workspace and users can register for a token using the self-service on-boarding interface.

Authenticator apps supported by TOTP

This solution is compatible with any Authenticator app that supports the TOTP algorithm such as Microsoft Authenticator, Symantec VIP, Citrix SSO or Google Authenticator.

Citrix Cloud management console access

To access the Citrix Cloud management console, Citrix supports its MyCitrix identity and Microsoft Azure Active Directory.

Identity providers currently supported in Citrix Cloud for Management Console

By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account.

 

Why do we need support for more IdPs and authentication modes in Citrix Cloud?

Companies that were born in the cloud most likely began with an Azure Active Directory associated with a service such as Office 365. For them, the IdPs currently supported in Citrix Cloud meet their requirements because no legacy identity or custom authentication is involved.

However, most Citrix customers were born in the datacenter and have already invested in existing authentication mechanisms and identities. Active Directory is installed on Windows servers and often associated with a custom two-factor authentication solution (for example, smart cards for internal users and RSA for remote users). When they look at Citrix Cloud, they do not want to move away from their current solution but rather leverage what is already working within their organizations.

Also, at this time Citrix Gateway in Citrix Cloud cannot differentiate internal traffic from external traffic in Citrix Workspace (hairpin traffic routing). Therefore, customers who need different authentication modes are not satisfied right now with the current options available in Citrix Workspace.

The lack of support for additional IdPs has been a dealbreaker for many potential Citrix Cloud customers, blocking numerous migrations from on-premises to Citrix Cloud in the past 2 years. It made sense for Citrix to focus on the addition of new IdPs, as they explained at Synergy 2018 and again in 2019.

The good news is that it is about to change. In the next part of this article, we are going to discuss the upcoming IdPs that Citrix will release in the next few months.

 

Upcoming IdPs and authentication modes in Citrix Cloud

Citrix Gateway (Active Directory + Gateway AAA)

Available today as a public tech preview in Citrix Cloud.

To support on-premises custom identities found at larger organizations, Citrix introduced Citrix Gateway (Active Directory + Gateway AAA) as an identity provider for Citrix Workspace at Synergy 2019.

Note: this IdP is not native support for on-premises RADIUS in Citrix Cloud, because it requires Citrix ADC appliances located on-premises. We will discuss native RADIUS support later in this article.

On-Premises Gateway AAA with Citrix Workspace – Source SYN108 Citrix

Support for Citrix Gateway will allow customers to transition from on-premises StoreFront to the Workspace platform. At the same time, they will be able to keep their current identity and authentication solution in place by leveraging their existing Citrix ADC appliances located on-premises.

The login experience using Citrix Cloud services will be exactly the same as on-premises. When opening Citrix Workspace, users will be redirected to the Citrix Gateway located on-premises for authentication and can use any method already configured there (RADIUS-based 2FA, smart card, pass-through, conditional access, etc. are supported). Once authenticated, users will be redirected back to Citrix Workspace and will be able to launch applications and desktops with SSO from the cloud-hosted web portal.

To achieve this SSO, Citrix Gateway IdP can be configured to pass credentials from the organization to the Cloud via a back-end secure channel or with the Cloud-Enabled Federated Authentication Service.

To enable Citrix Gateway, go to https://citrix.cloud.com/identity/authentication and select the new Citrix Gateway IdP. You will be prompted for the local FQDN of the Gateway appliance, and also for the Client ID, secret and Redirect URL, which can be found when you create the associated OAuth IdP profile in the Citrix ADC console.

You can find more details and the full process to connect an on-premises Citrix Gateway as an identity provider to Citrix Cloud here.

Note: Cloud Connectors are required for this configuration to be able to communicate with the ADC appliance(s) located in the customer-managed perimeter. 

Cloud-Enabled Federated Authentication Services (FAS)

The Federated Authentication Service (FAS) is a feature that was introduced with XenApp and XenDesktop 7.9 in May 2016, but was not available as part of the Citrix Workspace.

According to Citrix documentation, Citrix Federated Authentication Service (FAS) is a privileged component located on-premises or public clouds designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. More about Citrix Federated Authentication Service here.

When customers are using Workspace with a federated identity provider, they do not get a single sign-on experience when launching apps and desktops. Instead, they are prompted for AD credentials.

Cloud-Enabled FAS with Citrix Workspace – Source SYN108 Citrix

To support customer-managed Federated Authentication Services and SSO in Citrix Cloud, Citrix has introduced Cloud-Enabled FAS in its control plane to provide VDAs with virtual smart card certificates to secure single sign-on (SSO). This is now available in private tech preview.

Native Okta Identity support in Citrix Cloud

Okta with Citrix Workspace – Source SYN108 Citrix

Currently in private tech preview is Okta support as an identity provider for Workspace. Okta is an identity management service similar to Microsoft Azure AD. This integration will allow an admin to unify the login experience between their Okta apps and Workspace. They can also leverage Okta features and benefits, as Workspace will federate to Okta during login. To enable Okta in Citrix Cloud, you need to create a new application integration in the Okta admin console using OpenID Connect.

How does it work? Users will be redirected to the Okta logon page for authentication when opening Citrix Workspace. This authentication can leverage Okta MFA with push notifications if configured in Okta policies.

Here is a great Synergy 2019 session, Bringing Okta and Citrix together in Workspace, that goes more in depth.

 

The Ultimate authentication: Passwordless with Single Sign-on

Veridium Logo

Citrix also demoed Veridium, a password-free, biometric authentication platform. During the demo they coupled it with the Citrix Gateway IdP (with RADIUS push) and Cloud-Enabled FAS for Single Sign-On. Truly impressive, this is a way to increase security by eliminating passwords from organizations. With both Cloud-Enabled FAS and Citrix Gateway in Workspace, admins will be able to integrate more vendors and solutions than ever before.

 

But wait, there is more to come for Citrix Identity Platform!

Citrix is also planning on releasing support for Google Identity Platform, SAML and native support for on-premises RADIUS in Citrix Cloud in the future.

There are also a few improvements planned regarding Citrix Cloud control plane authentication. The company plans to introduce OTP with Citrix Identity in the upcoming months.

 

Once Citrix can roll out the IdPs mentioned in this article to make Citrix Workspace more robust, customers with complex requirements will find Citrix Cloud more compelling. I am confident that Citrix Cloud can attract much more attention by supporting a wide range of IdPs. There's a lot happening right now with Citrix Identity Platform, stay tuned!