Citrix Cloud – Bring Your Own Identity

Over the last year the Citrix Workspace has continuously evolved. One of the major questions in delivering a secure workspace to different devices is user authentication. There is not just one way to do it; with Citrix Workspace, however, you have the option to integrate the various types of authentication your organization requires.

Authentication and authorization have become the two most important topics in every organization's IT discussions over the past few years. There is also a common misconception that one is safe and secure simply by implementing Multi-Factor Authentication.

Typically, when we talk about Multi-Factor Authentication, we talk about the following factors:

  • What you know – (mostly your domain password)
  • What you have – (some key other than your domain password; mostly certificates, one-time passwords, time-based one-time passwords, push notifications, verify-by-call)
  • What you are – (typically biometrics: fingerprints, facial recognition)

Multi-Factor Authentication can be achieved in various ways, and each comes with its own advantages and disadvantages. All of the ones discussed below are considered with Citrix Workspace in mind.

To highlight a few and how they work:

  • Gateway IDP
  • Citrix TOTP (Time-Based One Time Password)
  • Push Authentication
  • Okta Cloud Service

Gateway IDP

  • Traditional setup of a NetScaler Gateway integrated with Citrix Workspace and the Identity Broker microservice.
  • Can configure any type of authentication just as you would in an on-prem deployment; control stays completely with the customer-configured Gateway. Workspace's Identity Broker microservice merely processes requests and responses to and from the Gateway.
  • What you know: domain password
  • What you have: token / certificate
  • In this case we could also set up nFactor authentication, meaning a different type of MFA can be applied depending on how the user is logging on, as the diagram indicates. If a user is logging on from a trusted device, a device certificate may be used to authorize the logon; if logging on from an untrusted device, the user may be authorized using a token.

Citrix TOTP (Time-Based One Time Password)

  • A downloadable application on the corporate / personal handheld device, which provides a time-synced one-time password for various identity providers and refreshes every 30 seconds with a new one-time password.
  • What you know: domain password
  • What you have: one-time password
  • What you are: biometric verification on the handheld device
  • Uses traditional token-based authentication for the second factor; however, token generation (the OTP) for the user is completely offline and is not shared over the internet or telecom providers (SMS service).
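To make the "completely offline" property concrete, here is an added example (not code from the original post or from Citrix) that implements the RFC 6238 TOTP algorithm both the handheld app and the verifying server run independently: each side derives the same 6-digit code from a shared seed and the current 30-second time step, so nothing but the code the user types ever crosses the network. The seed is the RFC 6238 reference key, used here as a constructed demo value; the server-side verifier, drift window and replay guard are assumptions about how a verifier should behave, not a description of the Citrix implementation.

```python
"""Constructed TOTP (RFC 6238) example: app and server both compute the
code from a shared seed plus the clock; no OTP is transmitted to the user."""
import base64
import hashlib
import hmac
import struct

# Constructed seed: the RFC 6238 reference key, base32-encoded the way
# enrollment QR codes carry it. Not a real Citrix or Okta seed.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30  # refresh interval the post describes


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is exactly what the handheld app computes every `step` seconds."""
    key = base64.b32decode(seed_b32, casefold=True)
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Assumed server-side check: tolerates clock drift of +/- `window` steps
    and rejects replay of a code that was already accepted."""

    def __init__(self, seed_b32: str, step: int = STEP_SECONDS, window: int = 1, digits: int = 6):
        self.seed_b32 = seed_b32
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject malformed input before any comparison.
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now_counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now_counter + drift
            if counter <= self.last_accepted_counter:
                continue  # each time step's code is single-use (replay guard)
            expected = totp(self.seed_b32, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SEED_B32, now)          # what the app would display
    verifier = TotpVerifier(DEMO_SEED_B32)   # what the server would run
    print(code, verifier.verify(code, now), verifier.verify(code, now))  # second call is a replay
```

The drift window matters operationally: a user who reads a code just before it rolls over still succeeds one step later, but a code from two steps ago (60 seconds with `window=1`) is rejected, and a code accepted once cannot be reused within its window even if it leaks from a shoulder-surf or a screenshot.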

Push Notification

  • The most user-friendly MFA of all.
  • Uses the same method as TOTP, but instead of a prompt for an OTP, users get an allow / deny notification in the registered application on their handheld device (Google Authenticator, Citrix SSO).
  • Two different communication channels are used for authentication: the allow / deny prompt goes through the Gateway Service (the Notification microservice through Citrix Cloud), whereas the user's response goes to the endpoint Gateway directly. Hence this method is relatively secure as well.
  • The token is stored in the user's Active Directory parameter.
  • What you know: domain password
  • What you have: push notification prompting allow / deny
  • What you are: biometrics to access the registered application.

OKTA Cloud Service

  • Uses Okta Cloud Service as the Identity Provider. When a user requests a workspace, Workspace in turn calls the Identity Broker microservice, which in turn calls the Okta Identity Provider Service.
  • Based on the type of MFA set up in Okta by the user's provider or by the user, the specific parameters are received back by the Identity Broker microservice as a response and the user is authenticated. But it does not end there: for users to get a full single sign-on experience, the user's identity must be proven using the Federated Authentication microservice.
  • Multiple authentication points to be factored in: added security.
  • Best way to provide access to third-party users / contractors if you do not want them to know their Active Directory usernames and passwords!
  • What you know: Okta username and password
  • What you have: Okta-enabled authentication token through various means (OTP, call, TOTP and such)

Knowledge Source: Citrix WorkSpace MasterClass


About Surendra Dhondale

A Truly Passionate IT Guy, leveraging skills learned over years to provide the best solutions/answers for difficult IT questions!! Knowledge Areas/Skill Summary: - Technology Leadership - Technology Transformation - Technical Consulting - Solution Architecture - Infrastructure Design - DevOps - EUS/EUC expert - Data Science, ML / AI - Passionate about Automation / Scripting - Programming
