
SSON & MFA for Workspace on a Mac?

Andy White




We will be moving over from XenApp on PCs to XenDesktop on Macs in the new year, and I just need to get an understanding of a couple of areas that you guys may have experienced.


  1. Workspace on PCs is currently using SSON, but I believe SSON with Workspace on a Mac has no way of doing this?
  2. External access question - We will have XenDesktop for 2 domains with no domain trust between them. The main domain we want to log in using MFA, as we are told the ADCs can connect to Azure; unfortunately the other domain is not set up for MFA and we will move this next year sometime. What options do we have here to present the 2 environments securely to the users externally, as 1 will use MFA and the other can't? Not sure if we can give the users 1 URL with the MFA and hide the other domain's SF behind this and present it in the main SF?
  3. Internal access question - as we will be using the ADCs, will internal users be prompted to use MFA every day? I wasn't sure if this can just be used when someone is external?




3 answers to this question




I'll respond only to the questions for which I have a possible solution:

2. You can use SAML authentication to authenticate the users into the first domain (with MFA), and only after this access do you automatically authenticate the users into the second domain (via SAML).

3. You can create an nFactor configuration in NetScaler to determine the authentication methods that you want to apply to the users during internal or external access. Another method is to create two NetScaler Gateways (one NATed via the firewall for external access and the second used for internal access); you can configure MFA authentication on the first NG and not on the second; you can create an internal DNS record to resolve the second NG without MFA authentication.






Here you can find lots of information on how SAML works:



You can configure NetScaler for all the roles of SAML, for example:

- it is possible to configure SAML to allow users to authenticate via NG in the AD domain; subsequently SAML automatically authenticates the user in a SaaS portal (for example ShareFile, Salesforce, etc.);

- it is possible to configure NetScaler in the role of SAML IdP (identity provider) or in service provider mode; in the first case NetScaler has the role of authenticator (via LDAP, RADIUS, MFA, etc.) and in the second case NetScaler acts as a service provider (it receives the authentication from the IdP and delivers the requested service);


You can configure, for example, the NetScaler on the first domain to authenticate the users via MFA and use SAML to automatically authenticate these users into a second domain without entering username and password (via SSON).

For example, the Citrix site uses SAML: once you have authenticated into the citrix.com portal and then open another Citrix portal (for example training.citrix.com), you don't have to re-enter the username and password.


SAML is the standard for service federation.




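To make the two replies above concrete (the nFactor "MFA only for external clients" flow from the answer to question 3, and the SAML IdP/SP chaining between the two untrusted domains from the answer to question 2), here is a constructed NetScaler ADC CLI sketch. It is an added example, not configuration from either poster or from Citrix; every hostname, IP address, subnet, bind account and certificate name is a placeholder, and the flag names are written from memory of the NetScaler CLI, so check each one against the CLI reference for your firmware version before use.

```text
# Constructed example (not from the thread). All names/IPs/certs are placeholders.

# ---------- Domain 1 ADC: gateway, nFactor, SAML IdP ----------

# Factor 1: LDAP(S) against domain 1. Placeholder DC and service account.
add authentication ldapAction d1_ldap_act -serverIP 10.1.0.10 -serverPort 636 -secType SSL -ldapBase "dc=domain1,dc=example" -ldapBindDn "svc-ns@domain1.example" -ldapBindDnPassword "PLACEHOLDER" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

# Factor 2: RADIUS/OTP, wrapped in a policy label so it can be chained as a "next factor".
add authentication radiusAction d1_otp_act -serverIP 10.1.0.20 -serverPort 1812 -radKey "PLACEHOLDER"
add authentication Policy d1_otp_pol -rule true -action d1_otp_act
add authentication policylabel d1_otp_label -loginSchema LSCHEMA_INT
bind authentication policylabel d1_otp_label -policyName d1_otp_pol -priority 100 -gotoPriorityExpression NEXT

# Two policies share the LDAP action. The first matches only internal source
# addresses and has no next factor, so the flow ends after LDAP. The second
# catches everyone else and chains the OTP label. (Answer to question 3.)
add authentication Policy d1_ldap_internal_pol -rule "CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)" -action d1_ldap_act
add authentication Policy d1_ldap_external_pol -rule true -action d1_ldap_act

add authentication vserver d1_auth_vs SSL 0.0.0.0
bind authentication vserver d1_auth_vs -policy d1_ldap_internal_pol -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver d1_auth_vs -policy d1_ldap_external_pol -priority 110 -nextFactor d1_otp_label -gotoPriorityExpression NEXT

# Gateway fronting domain 1's StoreFront, authenticating through the nFactor vserver.
add authentication authnProfile d1_authn_prof -authnVsName d1_auth_vs
add vpn vserver d1_gw_vs SSL 198.51.100.10 443 -authnProfile d1_authn_prof

# SAML IdP role: a user with a session on d1_auth_vs gets a signed assertion
# for domain 2's gateway and is never asked for domain 2 credentials. (Answer to question 2.)
# d1_saml_cert is the IdP signing certificate installed on this ADC.
add authentication samlIdPProfile d2_sp_profile -samlIdPCertName d1_saml_cert -assertionConsumerServiceURL "https://gw.domain2.example/cgi/samlauth" -samlIssuerName "https://gw.domain1.example" -serviceProviderID "https://gw.domain2.example" -audience "https://gw.domain2.example" -nameIDFormat Unspecified
add authentication samlIdPPolicy d2_sp_pol -rule true -action d2_sp_profile
bind authentication vserver d1_auth_vs -policy d2_sp_pol -priority 100

# ---------- Domain 2 ADC: gateway as SAML SP ----------

# Trust only assertions signed by domain 1's IdP certificate; reject unsigned ones.
add authentication samlAction d1_idp_act -samlIdPCertName d1_saml_cert -samlSigningCertName d2_saml_cert -samlRedirectUrl "https://gw.domain1.example/saml/login" -samlIssuerName "https://gw.domain2.example" -samlUserField "userPrincipalName" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication Policy d1_idp_pol -rule true -action d1_idp_act
add authentication vserver d2_auth_vs SSL 0.0.0.0
bind authentication vserver d2_auth_vs -policy d1_idp_pol -priority 100
add authentication authnProfile d2_authn_prof -authnVsName d2_auth_vs
add vpn vserver d2_gw_vs SSL 198.51.100.20 443 -authnProfile d2_authn_prof
```

Two points worth checking when adapting this. First, with no trust between the domains, the identity carried in the assertion (here `userPrincipalName`, an assumed attribute) must map to an account that already exists in domain 2; SAML hands over an authenticated name, it does not create the user. Second, the `CLIENT.IP.SRC.IN_SUBNET` branch is only as good as the source address the ADC sees: if a proxy or load balancer sits in front of the gateway, every client will appear internal (or external) and the MFA decision collapses, in which case the two-gateway alternative from the first reply (separate external and internal vservers, with only the external one bound to the OTP factor) is the more robust split.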
