Kari Ruissalo, posted April 25

One of our customers is about to deploy FIDO2/Passwordless into their environment (with Igel OS thin clients), but we're facing a peculiar issue with the full client. If we configure our Workspace App to a cloud URL and pick "Sign-in options", we can see the "Face, fingerprint, PIN or security key" option. But if we do the same with an on-prem NetScaler Gateway configured as an SP for Entra ID (we've tried both OIDC and SAML), we only see the GitHub option.

We can see that when we configure Citrix Cloud to use Entra ID authentication, an Enterprise Application is added to our Entra ID tenant, but the multi-tenant App Registration is held by Citrix (?) and therefore we're unable to see inside it. This is why we actually tried OIDC in the first place, because we suspected it might have something to do with this.

And I know this is the Windows client, but I'd have to assume we should get it working on this first before moving on to Igel OS (we're seeing the same issue there as well). Interestingly, this issue doesn't appear if we access the on-prem Gateway using a web browser, so on some level it is CWA related.

Related version info:
- Workspace App: 24.2.0.172 (2402), Win 11 23H2
- Citrix Cloud: Cloud
- NetScaler Gateway: 13.1-51.15

We also have a support case open, but so far we haven't gotten anywhere.
Julian Jakob, posted April 25

Hi Kari, just some notes / ideas. Citrix Cloud is a separate Entra ID Enterprise App (with an App Registration linked because of OIDC multi-tenant, as you already noticed), and your on-prem NSGW is also an Enterprise App. Are there different conditional access policies linked, and are there authentication strengths policies linked? Because with authentication strengths policies (configured under the Conditional Access menu) you are able to define exactly which auth methods are available. Link an authentication strengths policy to a conditional access policy, then link that conditional access policy explicitly only to your Citrix Cloud / NSGW enterprise app. This should change / switch the options Entra ID shows when users are trying to authenticate. Hope this helps.
Kari Ruissalo (author), posted April 25

@Julian Jakob, I actually walked through the same thought pattern on the CA policies, but it wasn't about that. Hmmh... Changing this knob in Windows CWA enables the FIDO2 capability for on-prem environments -> https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication.html#using-gpo (tested and verified).

As far as it goes for the thin clients (Igel OS running CWA for Linux), here's the statement from support:

Quote: "Modern authentication on CWAL as of today is not supported, based on the feedback I received from the product team. I believe it depends on some of the SDKs which are available on Windows but not on Mac/Linux."
Kari Ruissalo (author), posted April 25

I really need to study more... found this: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/authentication#support-for-authentication-using-fido2-when-connecting-to-on-premises-stores

Support stated that FIDO2 should work but "it will not have Modern authentication available", whatever that means 🤯
Kari Ruissalo (author), posted May 2

We ended up creating a separate store for the thin clients and using the Chromium browser to handle the authentication and StoreFront view (our default SF store forces HTML5 due to customer requirements, hence the separate store). As the majority of endpoints are Windows-based, I figured I'd identify the Igel OS / Chromium endpoints based on the User-Agent header they send (User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36) and have a higher-priority Session Policy that picks the string "X11; Linux x86_64" from the User-Agent. This then redirects those endpoints to a store enforcing the full Workspace App client rather than HTML5. Going to keep my eye on the modern authentication support for CWAL though.
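The routing described in the post above, as an added illustration that is not part of the thread and not NetScaler configuration syntax: plain Python that mimics how a gateway evaluates session policies in priority order and takes the first match. The policy names and store URLs are hypothetical; the first User-Agent sample is the one quoted in the post, the second is a constructed Windows browser string. The point it makes is that the Igel/Chromium policy must carry a lower priority number than the catch-all policy, otherwise the catch-all wins and the thin clients land on the HTML5 store anyway.

```python
# Added example: first-match session policy evaluation keyed on User-Agent.
# This mimics the gateway's behaviour in plain Python; it is not NetScaler CLI.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SessionPolicy:
    name: str
    priority: int            # lower number is evaluated first, as on NetScaler
    needle: Optional[str]    # substring tested against User-Agent; None matches every request
    store_url: str           # StoreFront store the matching client is sent to


# Hypothetical policies. The Igel/Chromium policy (priority 90) beats the
# catch-all HTML5 policy (priority 100) because it is evaluated first.
POLICIES: List[SessionPolicy] = [
    SessionPolicy("PL_DEFAULT_HTML5", 100, None,
                  "https://sf.example.com/Citrix/HTML5Web"),
    SessionPolicy("PL_IGEL_FULLCLIENT", 90, "X11; Linux x86_64",
                  "https://sf.example.com/Citrix/IgelWeb"),
]


def select_store(user_agent: str,
                 policies: List[SessionPolicy] = POLICIES) -> SessionPolicy:
    """Return the first policy, in ascending priority order, whose expression matches.

    The expression is a plain substring test, the equivalent of
    HTTP.REQ.HEADER("User-Agent").CONTAINS("...") on the gateway.
    """
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.needle is None or pol.needle in user_agent:
            return pol
    raise LookupError("no session policy matched")  # unreachable with a catch-all


def swapped_priorities() -> List[SessionPolicy]:
    """The misconfiguration to avoid: the catch-all gets the lower number and shadows the Igel policy."""
    return [
        SessionPolicy("PL_DEFAULT_HTML5", 80, None,
                      "https://sf.example.com/Citrix/HTML5Web"),
        SessionPolicy("PL_IGEL_FULLCLIENT", 90, "X11; Linux x86_64",
                      "https://sf.example.com/Citrix/IgelWeb"),
    ]


# Constructed samples: the first is the User-Agent quoted in the thread,
# the second a typical Windows desktop Chrome string.
UA_IGEL = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
UA_WIN_BROWSER = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


if __name__ == "__main__":
    for ua in (UA_IGEL, UA_WIN_BROWSER):
        pol = select_store(ua)
        print(f"{pol.name:20s} -> {pol.store_url}")
    shadowed = select_store(UA_IGEL, swapped_priorities())
    print(f"with swapped priorities the Igel client hits {shadowed.name}")
```

Two caveats a practitioner would want to keep in mind: the User-Agent header is set by the client, so this is a routing convenience and not an access control (anything that sends the same string will be routed the same way, and the Entra ID / FIDO2 authentication still decides who gets in), and the substring "X11; Linux x86_64" matches any Linux desktop browser, not only Igel OS, so other Linux endpoints reaching the gateway will also be sent to the full-client store.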