Citrix Adaptive Authentication service

Adaptive Authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. The Adaptive Authentication service verifies the user identity and authorization levels based on factors such as location, device status, and end user context. Using these factors, the Adaptive Authentication service intelligently chooses the appropriate authentication methods and enables access to authorized resources.

An admin can also enable contextual access for these users to their applications and desktops. The Adaptive Authentication service is available to Citrix Secure Private Access and Citrix DaaS customers.

Advanced authentication capabilities

The Adaptive Authentication service is a Citrix-managed, Citrix Cloud-hosted NetScaler (ADC) instance that provides advanced authentication capabilities such as the following:

Multifactor authentication: Multifactor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Customers can configure various combinations of factors in the multifactor authentication mechanism based on the business requirement. For details, see Configure authentication policies.

Device posture scans: Users can be authenticated based on the device posture. A device posture scan, also known as an endpoint analysis (EPA) scan, checks whether the device is compliant: for example, whether it runs the required OS version and service packs, and whether the expected registry keys are set. Security compliance checks include whether an antivirus is installed, whether the firewall is turned on, and so on. The device posture scan can also determine whether the device is managed or unmanaged, corporate owned or BYOD.

Device Posture service: The Device Posture service enforces zero trust principles in your network by checking end devices for compliance before allowing an end user to log in. To use the Adaptive Authentication service and the Device Posture service together, configure the Device Posture service and keep Adaptive Authentication as the authentication method (Citrix Cloud > Identity and Access Management). For details about the Device Posture service, see Device Posture.

Note:

If you use the Device Posture service with Adaptive Authentication, do not also configure EPA policies on the Adaptive Authentication instances.

Conditional authentication: Conditional authentication can be enabled based on the user's parameters, such as network location, device posture, user group, and time of day. You can use one of these parameters or a combination of them to decide which authentication the user is challenged with.

Example of device posture-based authentication: You can run a device posture scan to check whether the device is corporate managed or BYOD.

  • If the device is corporate managed, you can challenge the user with AD (user name and password) only.
  • If the device is BYOD, you can challenge the user with AD plus RADIUS authentication.
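The posture-based flow above, written as nFactor configuration on the Adaptive Authentication instance's NetScaler CLI. This is an added illustration, not configuration from the original page or from Citrix. All names, IP addresses, the authentication vserver name `auth_vs`, and the EPA expression are assumptions; in particular the managed-device check (a management-agent process that only managed devices run) must be replaced with whatever check identifies managed devices in your environment. Because the Note above says not to configure EPA policies on the instance when the Device Posture service is in use, this pattern applies only to deployments that run the scan on the instance itself.

```nscli
# Factor 1: EPA posture check, bound directly on the authentication vserver.
# Devices that FAIL the check are not rejected: they are placed in the
# quarantine group "byod_devices" and the flow continues, so later factors
# can branch on group membership. (Expression is an assumed placeholder.)
add authentication epaAction epa_managed -csecexpr "sys.client_expr(\"proc_0_MDMAgent.exe\")" -quarantineGroup byod_devices
add authentication Policy pol_epa_managed -rule true -action epa_managed

# Factor 2: AD (LDAPS) user name and password, applied to every device.
# The LDAP server is referenced by FQDN, so a static address record is
# required on the instance (see Limitations: DNS tunneling is not supported).
add dns addRec ldap.corp.example.com 10.10.10.5
add authentication ldapAction ldap_corp -serverName ldap.corp.example.com -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example,dc=com" -ldapBindDn "cn=svc_ldap,ou=service,dc=corp,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy pol_ldap -rule true -action ldap_corp
add authentication loginSchema ls_userpass -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication policylabel lbl_ldap -loginSchema ls_userpass

# Factor 3: branch on the quarantine group set by the EPA factor. No prompt
# is shown (noschema). BYOD devices continue to RADIUS; managed devices are
# done after AD only (NO_AUTHN succeeds without challenging the user).
add authentication loginSchema ls_none -authenticationSchema noschema
add authentication policylabel lbl_branch -loginSchema ls_none
add authentication Policy pol_is_byod -rule "AAA.USER.IS_MEMBER_OF(\"byod_devices\")" -action NO_AUTHN
add authentication Policy pol_is_managed -rule true -action NO_AUTHN

# Factor 4 (BYOD only): RADIUS second factor (for example Duo), prompting
# for a passcode only.
add authentication radiusAction rad_duo -serverIP 10.10.10.6 -serverPort 1812 -radKey "<shared-secret>"
add authentication Policy pol_radius -rule true -action rad_duo
add authentication loginSchema ls_passcode -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel lbl_radius -loginSchema ls_passcode

# Chain the factors. -nextFactor names the label evaluated after a policy
# succeeds; a binding without -nextFactor ends the flow with success.
bind authentication policylabel lbl_radius -policyName pol_radius -priority 100 -gotoPriorityExpression END
bind authentication policylabel lbl_branch -policyName pol_is_byod -priority 100 -gotoPriorityExpression END -nextFactor lbl_radius
bind authentication policylabel lbl_branch -policyName pol_is_managed -priority 110 -gotoPriorityExpression END
bind authentication policylabel lbl_ldap -policyName pol_ldap -priority 100 -gotoPriorityExpression END -nextFactor lbl_branch
bind authentication vserver auth_vs -policy pol_epa_managed -priority 100 -gotoPriorityExpression END -nextFactor lbl_ldap
```

Read the flow from the last binding upward: EPA runs first and tags non-compliant devices with the quarantine group; every user then authenticates against AD; the branch label checks the group membership and only BYOD users reach the RADIUS label. Because the managed-device decision is made by the EPA factor before any credential is entered, a device that cannot be scanned is treated as BYOD and gets the stronger challenge, which is the safe default for this design.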

If you plan to selectively enumerate virtual apps and desktops based on network location, user management for those delivery groups must be done through Citrix Studio policies rather than through Workspace. When creating a delivery group, under the Users setting, choose either Restrict use of this Delivery Group to the following users or Allow any authenticated users to use this Delivery Group. This enables the Access Policy tab for the delivery group, where you configure adaptive access.

Contextual access to Citrix DaaS: Adaptive Authentication enables contextual access to Citrix DaaS. Adaptive Authentication surfaces all the policy information about the user to Citrix DaaS. Admins can use this information in their policy configurations to control which actions users can perform in Citrix DaaS, for example enabling or disabling clipboard access, client drive mapping, and printer redirection.

Contextual access to Secure Private Access and other Citrix Cloud services through Adaptive Authentication is planned in the upcoming releases.

Logon page customization: Adaptive Authentication lets admins extensively customize the Citrix Cloud logon page.

Additional Adaptive Authentication capabilities

The following are the capabilities supported in Citrix Workspace with Adaptive Authentication.

  • LDAP (Active Directory) support
  • LDAPS (Active Directory) support
  • Directory Support for AD, Azure AD, Okta
  • RADIUS support (Duo, Symantec)
  • AD + token built-in MFA
  • SAML 2.0
  • OAuth, OIDC support
  • Client Certificate authentication
  • Device posture assessment (Endpoint analysis)
  • Device Posture service
  • Integration with third-party authentication providers
  • Push notification through the app
  • reCAPTCHA support
  • Conditional/policy driven authentication
  • Authentication policies for smart access (contextual access)
  • Logon page customization
  • Self service password reset

Limitations

  • Certificate bundles are only supported for certificates in PEM format. For other bundle types, install the root and intermediate certificates separately and link them to the server certificate.

  • DNS tunneling is not supported. For authentication servers (LDAP, RADIUS) in the customer's on-premises data center, static address records must be added on the NetScaler instance for the FQDNs used in the authentication policies and profiles.

    For details on adding DNS static records, see Create address records for a domain name.

  • In the current release, an external ADM agent is not allowed, and therefore Citrix Analytics (CAS) is not supported.

  • Only a Windows-based cloud connector is supported. Connector appliance isn’t supported.

Service quality

Adaptive Authentication is a high availability (active-standby) service.
