Citrix Workspace Authentication: Duo

A user’s primary identity authorizes access to the Workspace. A username and password alone is not a strong authentication policy. Passwords are problematic. We know we need to provide multi-factor authentication, and within Citrix Workspace the options continue to expand. So far, I’ve been able to demonstrate how to integrate the following with Citrix Workspace:

  1. Active Directory with TOTP
  2. Azure Active Directory with YubiKeys
  3. Okta
  4. Citrix Gateway

Citrix Gateway is an interesting option. With Citrix Gateway, we have many options for our primary identity. So far, I’ve shown how you can use Gateway with an on-prem TOTP solution as well as extending the deployment to support push authentication. With the RADIUS support within Citrix Gateway, we can use Duo to provide stronger authentication to a user’s primary identity.

This works by means of a Duo proxy server, which is based on RADIUS.

The user will provide Active Directory credentials and the Duo code.

When the user connects to Citrix Workspace, the authentication request is redirected to an on-premises Citrix Gateway authentication virtual server. The redirect is driven by the OAuth IdP policy configured within the Gateway.

Gateway presents the user with the first part of the authentication, which is based on the LDAP policy. This links Gateway to the organization’s Active Directory domain.

If the Active Directory authentication succeeds, authentication flows to the next factor, which is a RADIUS policy. The RADIUS policy uses a shared secret to communicate with an on-premises Duo proxy server. That proxy server relays the second factor authentication to the organization’s Duo cloud subscription.
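The Gateway-to-proxy hop described above is protected only by the RADIUS shared secret. The following added example (not from the original post, and not Citrix or Duo code) implements the RFC 2865 User-Password hiding and Response Authenticator check to show what that secret does on both sides; the user name, passcode and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16  # pad to a multiple of 16, minimum 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server (here, the proxy) does with its copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def _attr(code: int, value: bytes) -> bytes:
    return bytes([code, len(value) + 2]) + value  # type, length, value

def access_request(ident, user, passcode, secret, req_auth) -> bytes:
    """Code 1 packet: User-Name (1) in clear, User-Password (2) hidden."""
    attrs = _attr(1, user) + _attr(2, hide_password(passcode, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident, secret, req_auth) -> bytes:
    """Code 2 reply signed with MD5(header + request authenticator + secret)."""
    header = struct.pack("!BBH", 2, ident, 20)
    return header + _md5(header + req_auth + secret)

def reply_is_authentic(reply, secret, req_auth) -> bool:
    """Client-side check that the reply came from a holder of the secret."""
    expected = _md5(reply[:4] + req_auth + reply[20:] + secret)
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    # Constructed sample values; a real client uses a random request authenticator.
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    print(access_request(7, b"jdoe", b"123456", secret, ra).hex())
    print(reply_is_authentic(access_accept(7, secret, ra), secret, ra))
```

Both protections are MD5 constructions keyed only by the shared secret, so the secret should be long and random, and the network path between Gateway and the proxy should be restricted.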

What’s interesting about this configuration is the way Duo integrates with Citrix Gateway. Take a look at the latest Tech Insight video to see for yourself.

Daniel (Follow on Twitter @djfeller)
