Jump to content
Welcome to our new Citrix community!

Tech Brief: Seamless Authentication Options on Citrix Workspace app

  • Contributed By: Prashant Yadav, Santosh Gummunur Chiranjeevi Special Thanks To: Steve Beals, Manju Annie Oommen

Overview

Citrix Workspace app (CWA) provides users a personalized interface that enables instant access to virtual applications, desktops, SaaS, and web apps. Users get seamless and secure access to all the apps needed to stay productive, including features like embedded browsing and single sign-on.

CWA provides several authentication options administrators can enable in line with the identity provider enabled in your organization across on-premises and cloud environments.

Force Login Prompt

Force Login Prompt is a feature that allows administrators to configure CWA to prompt users for their login credentials each time they access the application, even if they have previously logged in and have a valid session. The IDP stores user credentials via persistent cookies to enable single sign-on (SSO) and provide a seamless user experience. However, there can be scenarios where administrators want to force users to enter their login credentials each time they access Citrix resources, such as when the user is accessing sensitive data or applications or when there are security concerns.

The Force Login Prompt setting is enabled by default. This setting allows administrators to force Citrix Workspace login to override the IdP timeout. If the setting is disabled, the IdP timeout is honored. It is important to note that enabling this feature can impact user productivity and increase the frequency of login-related issues. Therefore, use this setting judiciously and only in scenarios necessary for security or compliance purposes.

The Force Login Prompt setting must be disabled when:

  • Administrators want to provide users accessing the CWA over the web (including HTML5 clients) with longer-lived login. For example, if administrators have set Azure Active Directory (AAD) to have a 14-day default timeout, login again in the browser does not occur.
  • CWA would auto log in for AAD-joined client devices. Otherwise, CWA forces prompt a login even though SSO is enabled.
Type CWA OS IdP Support
Force Login Prompt All CWA Versions All Yes (Enabled by Default)

Persistent Login to Citrix Workspace app

Persistent Login is a feature of CWA that allows users to remain logged in even after they close disconnect from their virtual desktop or application session. This means that users do not have to enter their credentials each time they access Citrix, providing a more streamlined and convenient experience.

Persistent Login creates a long-lived authentication token that can be set anywhere from 2 to 365 days and stored on the user's device. This token is encrypted and can be configured to expire after a set period or when the user logs out of Citrix. When the user returns to CWA, the app checks for the token and, if found, logs the user back in automatically.

Persistent Login is compatible with various authentication methods, including Active Directory, LDAP, and SAML. This feature helps improve user productivity by eliminating the need for users to enter their credentials repeatedly while also maintaining the environment's security by requiring authentication when the token expires, or the user logs out. For any newly configured store, it is enabled by default with a value of 30 days.

Note

As of this writing, the authentication timeout option is available for CWA client apps. Browser access is not supported. It is recommended to use the inactivity timer if frequent authentication is a use case for your environment.

Behavior on Cloud stores

Type CWA OS IdP Support
Long-Lived Token for Workspace App (Pre-launch + Cloud Store) Windows, Mac, Linux, Android, iOS All Yes
ChromeOS, Browser + native CWA, Browser + HTML5 All No

Note

The Persistent Login feature is currently not supported for on-premises stores.

Persistent Login to VDI sessions

The Persistent Login to VDI sessions option enables users to single sign-on (SSO) to VDI sessions using a long-lived password instead of entering their credentials each time they access their VDI environment. This eliminates the need for users to enter their credentials multiple times and simplifies the authentication process. This is set to a value the same as persistent login to CWA between 2 and 365 days.

Key factors to be noted:

Type CWA OS IdP VDA Joined To Support
Long-Lived Passwords for SSO to VDI sessions Windows, Mac, Android, iOS, Linux AD, AD+OTP, Gateway, Remaining require FAS AD/Hybrid AD Yes

Inactivity Timer for Citrix Workspace app

The Inactivity Timer for Citrix Workspace app - Authentication Timeouts option enables administrators to enforce an authentication check in the event of inactivity on the application by end users. This option is used to ensure secure access to resources by legitimate users using their devices or shared devices. The inactivity timeout can be set at anything less than 24 hours.

Key behavior to be noted:

  • Inactivity overrides Persistent Login experience.
  • In desktops, users are logged out after the inactivity timeout.
  • In mobile, users can use biometric authentication after the inactivity timeout but not logged out.
Type CWA OS Supported On-Premises/Cloud Support
Inactivity Timer Windows, Mac, Linux, Android, iOS, ChromeOS, Browser + native CWA, Browser + HTML5 Cloud Yes
Windows, Mac, Linux, Android, iOS, ChromeOS, Browser + native CWA, Browser + HTML5 On-Premises Yes

Domain pass-through support on Citrix Workspace

Domain pass-through support for Citrix Workspace allows users to access virtual desktops and applications without the need to authenticate explicitly to the Citrix environment. Instead, users can use their Windows domain credentials to authenticate and gain access to their applications and desktops automatically.

When domain pass-through support is enabled, users logged in to their Windows desktop or laptop with their domain credentials can access their Citrix Workspace account and any associated virtual desktops or applications without reentering their credentials. This eliminates the need for users to remember multiple sets of login information and simplifies the authentication process.

Pre-requisites and conditions to be noted:

  • Citrix Workspace must be configured with an IdP that supports Integrated Windows Auth: For example, Citrix Gateway, AAD (with AAD Seamless SSO), Okta, SAML, and so forth
  • This option works best on Windows clients.
  • For Windows, clients can be AD or hybrid AAD joined.
  • Linux thin clients can also be configured with a Kerberos profile.
  • iOS/Mac also has a concept of Kerberos profile. In addition, they also can be enrolled in AAD using Intune, which allows SSO to AAD.
  • For SSO to VDI on non-windows clients. FAS is required.
  • End-to-end login to CWA for Windows with SSO to VDI works if the user logs in to Windows OS using user name and password.
End Point Joined To IdP VDA Joined To SSO to Workspace SSO to VDA
AD On-premises Gateway AD Yes SSONsvr / FAS
AD Adaptive Authentication AD Yes SSONsvr / FAS
AD gateway federated to another IdP (AAD/Okta) AD Yes SSONsvr / FAS
AD Okta AD Yes SSONsvr / FAS
AD/Hybrid Joined AAD(AD with AAD Connect) AD Yes SSONsvr / FAS
AD Any SAML based IdP AD Yes SSONSvr / FAS
AD AD AD No N/A
AD AD + OTP AD No N/A
AD AAD AAD No N/A
AAD AAD without on-premises AD AD Yes FAS
AAD AAD AAD Yes User must enter credentials
Non-Domain Joined IdP that supports passwordless authentication AD No FAS

Notes

Clients need to be reachable to AD for Kerberos to work.

SSONSvr works only with a user name and password on the client. FAS is required if a user uses Windows Hello to log in and expects passwordless login.

Authentication may not be promptless in the cloud if LLT is enabled or if the end-user acceptance policy is configured.

Recommend configuring FAS as it applies to non-windows platforms.

Domain Pass-through Support for StoreFront

Domain pass-through support for Citrix StoreFront allows users to access virtual desktops and applications without the need to authenticate explicitly to the Citrix environment. Instead, users can use their Windows domain credentials to authenticate and gain access to their applications and desktops automatically.

With domain pass-through support enabled, users logged in to their Windows desktop or laptop with their domain credentials can access their Citrix applications and desktops without having to reenter their credentials. This provides a more seamless user experience and helps to reduce the burden on IT support teams who would otherwise have to manage password resets and user authentication issues.

Pre-requisites and conditions to be noted:

  • Configured in Windows.
  • Credential Insertion: healthcare software partners provide a user name and password to CWA to silently authenticate users.
  • This is also applied on Linux and uses a similar credential Insertion SDK. SSO to VDI works the same as point 7 for on-premises stores.
End Point Joined To StoreFront/Gateway VDA Joined To SSO to StoreFront SSO to VDA
AD StoreFront AD Yes SSONsvr
AD/Hybrid joined/Windows Hello for Business StoreFront AD Yes SSONsvr/FAS *
AD Gateway - Advanced Authentication AD Yes SSONSvr
AD Gateway - Basic Authentication Yes SSONSvr

Note

Needs registry to enable SSO

Smart card/Derived Credentials Support

Smart card authentication and derived credential authentication are both methods of authentication into CWA and login to the VDI session that this option supports.

Smart card authentication involves using a physical smart card that contains the user's digital identity information, such as a public key certificate or private key. When the user inserts the smart card into a card reader, the card reader reads the digital identity information and sends it to CWA for authentication. This method ensures higher security than traditional user name and password authentication, as the smart card cannot be easily duplicated or stolen.

On the other hand, Derived credential authentication is using a mobile device to authenticate a user. When a user logs into CWA on their mobile device, the device generates a derived credential based on their digital identity information. The derived credential is then sent to CWA for authentication rather than the user's physical smart card. This method offers users a higher level of convenience, as they can authenticate themselves using their mobile devices without carrying a separate smart card.

Password-less Authentication (Workspace)

Type CWA OS IdP Pre-launch Support Post-launch SSO to VDA (pin caching) Smart Card Usage Within Session
Smart Card Windows On-premises Gateway/AD/AAD Yes No Yes
Browser using native CWA On-premises Gateway/AD/AAD Yes No Yes
Browser with HTML5 On-premises Gateway/AD/AAD No No No
Mac On-premises Gateway/AD/AAD No No Yes
Linux On-premises Gateway/AD/AAD No No Yes
ChromeOS On-premises Gateway/AD/AAD Yes No Yes
iOS On-premises Gateway/AD/AAD No No Yes
Android On-premises Gateway/AD/AAD No No Yes
Derived Credentials iOS On-premises Gateway/AD/AAD No No Yes **
Android On-premises Gateway/AD/AAD No No No

Notes

Any IdP that supports smart card authentication via federation can support SSO.

Support for iOS exists with Purebred only.

Pasword-less Authentication (StoreFront)

Authentication Via OS Launch Support StoreFront Login Support Gateway - Basic Auth Gateway - Advanced Auth Smart Card in Session
Smart Card Windows Pre-Launch Yes Yes Yes Yes
Browser + native CWA Pre-Launch Yes Yes Yes Yes
Browser - HTML5 Pre-Launch No Yes No No
Mac Pre-Launch Yes Yes Yes Yes
Linux Pre-Launch Yes Yes No Yes
ChromeOS Pre-Launch Yes Yes No Yes
iOS Pre-Launch Yes Yes No Yes
Android Pre-Launch Yes Yes No Yes
Windows Post -Launch - SSO to VDA (pin caching) Yes Yes No Yes
Browser + native CWA Post -Launch - SSO to VDA (pin caching) No No No Yes
Browser - HTML5 Post -Launch - SSO to VDA (pin caching) No No No No
Mac Post -Launch - SSO to VDA (pin caching) Yes Yes No Yes
Linux Post -Launch - SSO to VDA (pin caching) Yes Yes No Yes
ChromeOS Post -Launch - SSO to VDA (pin caching) No No No Yes
iOS Post -Launch - SSO to VDA (pin caching) No No No Yes
Android Post -Launch - SSO to VDA (pin caching) No No No No
Derived Credentials iOS Pre-Launch Yes Yes No Yes
Android Pre-Launch No No No No
iOS Post -Launch - SSO to VDA (pin caching) No No No Yes
Android Post -Launch - SSO to VDA (pin caching) No No No No

FIDO2 support with Workspace/Storefront- Passwordless Auth

FIDO2 is an authentication standard that allows users to securely and conveniently authenticate to online services using public key cryptography. FIDO2 enables passwordless authentication, eliminating users' need to create and remember passwords and reducing the risk of phishing and other cyber-attack forms.

With CWA FIDO2 support, users can enjoy a passwordless authentication experience that is both secure and convenient. They can lo into their Citrix Workspace account without remembering passwords, making it easier to work securely from anywhere and on any device. FIDO2 support also helps to enhance security posture by reducing the risk of password-related cyber-attacks.

Type CWA OS Supported IdPs Pre-Launch Support VDA Login with FIDO Security Key Using FIDO Security Key Within Session
FIDO Windows Yes No Yes
Browser using native CWA Yes No Yes
Browser with HTML5 Yes No No
Mac Any IdP that supports FIDO No No Yes
Linux Any IdP that supports FIDO No No Yes
ChromeOS Any IdP that supports FIDO Yes No No
iOS Any IdP that supports FIDO No No No
Android Any IdP that supports FIDO No No No

User Feedback


There are no comments to display.



Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...