A user’s primary identity authorizes access to the Workspace. A username and password is not a strong authentication policy. Passwords are problematic. We know we need to provide multi-factor authentication. And within Citrix Workspace, the options continue to expand. So far, I’ve been able to demonstrate how to integrate the following with Citrix Workspace:
Citrix Gateway is an interesting option. With Citrix Gateway, we have many options for our primary identity. So far, I’ve shown how you can use Gateway with an on-prem TOTP solution as well as extending the deployment to support push authentication. With the RADIUS support within Citrix Gateway, we can use Duo to provide stronger authentication to a user’s primary identity.
This works by means of a Duo proxy server, which is based on RADIUS.
The user will provide Active Directory credentials and the Duo code.
When the user connects to Citrix Workspace, the authentication request is redirected to an on-premises Citrix Gateway authentication virtual server, based on the OAuth IdP policy configured on the Gateway.
Gateway presents the user with the first part of the authentication, which is based on the LDAP policy. This links Gateway to the organization’s Active Directory domain.
If the Active Directory authentication succeeds, authentication flows to the next factor, which is a RADIUS policy. The RADIUS policy uses a shared secret to communicate with an on-premises Duo proxy server. That proxy server relays the second-factor authentication to the organization’s Duo cloud subscription.
What’s interesting about this configuration is the way Duo integrates with Citrix Gateway. Take a look at the latest Tech Insight video to see for yourself.
Daniel (Follow on Twitter @djfeller)