I have one primary key that lets me into my house. Once I'm inside, I can see many resources I might want to use: a bed, a bathroom, a safe, a TV and a freezer. However, some of these resources are secured with a different key. I might have a code to access Netflix. There might be a lock on the bathroom door. There is a lock on the safe. There is even a key to the freezer (gotta protect those bratwurst). The keys I need once I'm inside are secondary: they give me access to secondary resources, the primary resource being the house itself.
Our computing environment works the same way. With Citrix Workspace, I have a primary identity. That primary identity could come from Active Directory, Azure Active Directory, Okta, RADIUS, Duo, or just about anything else. But that primary identity only gets me into my workspace.
Within the workspace, I have many additional resources I can access, including SaaS apps, web apps, virtual apps, virtual desktops and microapps. Almost all of these use secondary identities that differ from the primary identity I used to authenticate to Citrix Workspace.
For example, if I use Okta as my primary identity for Citrix Workspace, how can I access a Windows-based virtual app or desktop when it requires an Active Directory identity?
Directly, you can't. A Windows virtual app or desktop runs on a domain-joined machine, and logging on to it still requires an Active Directory account. But we can arrange things so that users never need to know that Active Directory account, nor type its credentials at logon, because we can log them on with a virtual smart card instead.
Virtual smart cards? This just got serious.
Basically, a virtual smart card is a certificate, together with the private key that goes with it, presented to Windows in place of a password. Windows can authenticate a user to Active Directory with such a certificate, so the task becomes automating the creation and assignment of those certificates for users.
The Federated Authentication Service (FAS) obtains a certificate for an Active Directory user (it acts as a registration authority and requests the certificate from your Microsoft certificate authority) and holds it on the user's behalf. That certificate is then used to log the user on to a Windows-based virtual app or desktop.
Because each certificate is bound to an Active Directory account, the account in the primary identity provider must be linked to an Active Directory account. That link is the user principal name (UPN): the UPN the identity provider presents must match the UPN of the Active Directory account, which is why the two directories are kept synchronized. If the UPNs do not match, there is no Active Directory account to issue a certificate for, and the logon to the virtual app or desktop fails.
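To make the cert-to-account link concrete, here is an added example; it is not part of the original post and not Citrix's code. It issues a short-lived, self-signed certificate that carries a UPN in the subject alternative name the way a smart card logon certificate does, then performs the checks a domain controller makes before mapping that certificate to an account: the Smart Card Logon extended key usage, a UPN in the SAN, and that UPN matching an account. The UPNs, the account name and the directory contents are constructed sample data; the self-signed issuance stands in for the certificate a real deployment gets from an enterprise CA through FAS, and the chain and revocation checks a domain controller also performs are skipped. It assumes Go 1.21 or newer (for the `slices` package).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// OIDs that Windows keys on for certificate (smart card) logon.
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}           // UPN otherName type
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Smart Card Logon EKU

// otherName mirrors ASN.1 OtherName; the UPN is its [0] EXPLICIT UTF8String value.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// issueLogonCert stands in for FAS issuance with a short-lived self-signed certificate bound to one UPN
// (a real deployment gets it from an enterprise CA through the FAS registration authority).
func issueLogonCert(upn string) (*x509.Certificate, error) {
	san, err := asn1.Marshal(struct { // GeneralNames SEQUENCE holding one otherName ([0] IMPLICIT)
		Name otherName `asn1:"tag:0"`
	}{Name: otherName{TypeID: oidUPN, Value: upn}})
	if err != nil {
		return nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: upn},
		NotBefore:          time.Now().Add(-time.Minute),
		NotAfter:           time.Now().Add(time.Hour),
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidSmartCardLogon},
		ExtraExtensions:    []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certUPN extracts the UPN from the SAN otherName, the value a domain controller maps to an
// account (not the subject, and not any DNS or e-mail SAN entry).
func certUPN(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			var names []asn1.RawValue
			if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
				return "", err
			}
			for _, gn := range names { // entries that are not a UPN otherName fail to decode or mismatch
				var on otherName
				if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
					return on.Value, nil
				}
			}
		}
	}
	return "", fmt.Errorf("certificate carries no UPN in subjectAltName")
}

// logon models the domain controller's checks: Smart Card Logon EKU, a UPN in the SAN, and that UPN
// resolving to an account in dir (keyed by lower-cased UPN). Chain and revocation checks are out of scope.
func logon(cert *x509.Certificate, dir map[string]string) (string, error) {
	if !slices.ContainsFunc(cert.UnknownExtKeyUsage, oidSmartCardLogon.Equal) {
		return "", fmt.Errorf("certificate lacks the Smart Card Logon EKU")
	}
	upn, err := certUPN(cert)
	if err != nil {
		return "", err
	}
	if acct, ok := dir[strings.ToLower(upn)]; ok {
		return acct, nil
	}
	return "", fmt.Errorf("no AD account has UPN %q: the primary identity is not linked to AD", upn)
}

func main() {
	dir := map[string]string{"daniel@corp.example": "CORP\\daniel"} // constructed AD sample, keyed by lower-cased UPN
	for _, upn := range []string{"Daniel@Corp.Example", "daniel@corp.local"} {
		cert, err := issueLogonCert(upn)
		if err != nil {
			panic(err)
		}
		acct, err := logon(cert, dir)
		fmt.Printf("%-20s account=%q err=%v\n", upn, acct, err)
	}
}
```

Running it shows the two outcomes the text describes: `Daniel@Corp.Example` maps to the sample account regardless of case, while `daniel@corp.local`, the same user with a different UPN suffix, is rejected because no Active Directory account carries that UPN. When a FAS logon fails after the identity provider accepted the user, comparing the UPN the identity provider sent with the UPN on the Active Directory account is the first check to make; the second is that the certificate template actually includes the Smart Card Logon EKU, which the `logon` function rejects when absent.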
Take a look at the flow diagram for the Federated Authentication Service; it shows the interactions between the components.
I know, this sounds complex. But would you believe the setup is quite easy? Take a look at the latest Tech Insight video demonstrating the Federated Authentication Service within Citrix Cloud.
Daniel (Follow on Twitter @djfeller)