Workspace App, Entra ID and Sign-in options

[Kari Ruissalo]

One of our customers is about to deploy FIDO2/Passwordless in to their environment (with Igel OS thinclients), but we're facing a peculiar issue with the full client.

If we configure our Workspace App to a cloud URL and pick the "Sign-in options"

We can see the "Face, fingerprint, PIN or security key" -option:

 

But if we do the same with an on-prem NetScaler Gateway configured as an SP for Entra ID (we've tried both OIDC and SAML),we only see the GitHub -option

We can see that when we configure Citrix Cloud to use Entra ID authentication, an Enterprise Application is added to our Entra ID tenant, but the Multi-tenant App Registration is held by Citrix (?) and therefore we're unable to see inside that. This why we actually tried OIDC the first place, because we suspected it might have something to do with this.

And I know, this is Windows client, but I'd have to assume we should get it working first on this before moving in to Igel OS (we're seeing the same issue there also).

Interestingly this issue doesn't appear if we access the on-prem Gateway using web browser so it's on some level CWA related.

---

Related version info:

Workspace App: 24.2.0.172(2402), Win 11 23H2
Citrix Cloud: Cloud
NetScaler Gateway: 13.1-51.15

 

We also have a support case opened, but so far we haven't gotten anywhere.

[Julian Jakob]

Hi Kari,

just some notes / ideas. Citrix Cloud is a separate Entra ID Enterprise App (with App Registration linked because of OIDC Multi-Tenant, as you already noticed) and your OnPrem NSGW is also an Enterprise App. Are there different conditional access policies linked and are there authentication strenghts policies linked?

Because: With authentication strenghts policies (configured unter the conditional access menue) you are able to define exactly which auth-methods are available. Link an authentication strenghts policy to a conditional access policy. Link that conditional access policy explicitly only to your Citrix Cloud / NSGW enterprise app. This should change / switch the possibilities Entra ID is showing when user's are trying to authenticate to.

Hope this helps

[Kari Ruissalo]

@Julian Jakob, I actually walked through the same though pattern on the CA policies, but it wasn't about that.

Hmmh... Changing this knob in Windows CWA enables the FIDO2 capability for on-prem environments -> https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication.html#using-gpo (tested and verified).

As far as it goes for the thin clients (Igel OS running CWA for Linux), here's the statement from support:

Quote

Modern authentication on CWAL as of today is not supported based on the feedback I received from the product team. I believe it depends on some of the SDKs which are available on Windows but not on Mac/Linux.

 

[Kari Ruissalo]

I really need to study more... found this https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/authentication#support-for-authentication-using-fido2-when-connecting-to-on-premises-stores

Support stated that FIDO2 should work but "it will not have Modern authentication available", whatever does that mean 🤯

[Kari Ruissalo]

We ended up in creating a separate store for the thin clients and using the Chromium browser to handle the authentication & StoreFront view (our default SF Store forces HTML5 due to customer requirements, thus the separate store).

As the majority of endpoints are Windows-based, I figured to identify the Igel OS / Chromium based on the User-Agent header it's sending (User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36) and have a higher prio Session Policy that picks the string X11; Linux x86_64 from the User-Agent. This will then redirect the endpoints to a Store enforcing the full WSApp client rather than HTML5.

Going to keep my eye on the modern authentication support for CWAL though.