Smart access using Adaptive Authentication

Citrix Cloud customers can provide smart access (adaptive access) to Citrix DaaS resources (virtual apps and desktops) by using Adaptive Authentication as the IdP for Citrix Workspace.

The Smart Access feature allows the Adaptive Authentication service to surface all the policy information about the user to Citrix Workspace or Citrix DaaS. As part of that policy information, the Adaptive Authentication service can provide device posture (EPA), network location (inside or outside the corporate network, geo-location), user attributes such as user groups, time of day, or a combination of these parameters. The Citrix DaaS administrator can then use this policy information to configure contextual access to the virtual apps and desktops. Based on these parameters (the access policy), the virtual apps and desktops are either enumerated for the user or withheld. Some user actions, such as clipboard access, printer redirection, client drive mapping, or USB mapping, can also be controlled.

Example use cases:

  1. An administrator can configure a group of apps to be displayed or accessed only from specific network locations, such as the corporate network.
  2. An administrator can configure a group of apps to be displayed or accessed only from corporate-managed devices. For example, an EPA scan can check whether the device is corporate-managed or BYOD. Based on the EPA scan result, the relevant apps are enumerated for the user.

Prerequisites

  • Adaptive Authentication as an IdP must be configured for Citrix Workspace. For details, see Adaptive Authentication service.

    [Image: Gateway as IdP]

  • The Adaptive Authentication service with Citrix DaaS is up and running.

Understanding the flow of events for smart access

  1. The user logs in to Citrix Workspace.
  2. The user is redirected to the Adaptive Authentication service configured as the IdP.
  3. The Adaptive Authentication service performs an EPA check along with other checks.
  4. The Adaptive Authentication service configured as the IdP performs the authentication.
  5. The Adaptive Authentication service pushes the tags to the Citrix Graph service. The user is redirected to the Citrix Workspace landing page.
  6. Citrix Workspace fetches the policy information for this user session, matches the filter, and evaluates which apps or desktops must be enumerated.
  7. The admin configures the access policy on Citrix DaaS to restrict ICA access for users.

Configuration scenario - App enumeration based on device posture scans

Step 1 - Configure smart access policies on the Citrix Adaptive Authentication instance:

In the following sample configuration, a different set of applications is enumerated depending on whether the logon is domain-joined or non-domain-joined.

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Profiles.

  2. On the Profiles tab, click Add to create a profile named DomainJoined-SmartAccessProfile with the tag DomainJoined. Similarly, create another profile named NonDomainJoined-SmartAccessProfile with the tag NonDomainJoined.

    [Image: Smart access profiles]

  3. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Policies.

  4. On the Configure Authentication Smart Access Policy page, click Add to create a policy named Domainjoined-SmartAccessPol.

  5. On the Configure Authentication Smart Access Policy page, under Action, select the previously created DomainJoined-SmartAccessProfile and click Add.

    [Image: Smart access policy configuration]

  6. In Expression, type the following expression, and then click OK.

    AAA.USER.GROUPS.CONTAINS("DomainJoinedGroup")

  7. Similarly, create another policy named NonDomainJoined-SmartAccessPol (under Action, select the profile NonDomainJoined-SmartAccessProfile).

    [Image: Smart access policies]

  8. Bind the smart access policy to the authentication virtual server.

    1. Navigate to Security > AAA-Application Traffic > Virtual Servers.
    2. Select the authentication virtual server and click Edit.
    3. In Advanced Authentication Policies, click Smart Access Policy, select the policy, and then click Add Binding.
    4. Click Close.

    [Image: Smart access policy binding]

Step 2 - Citrix DaaS configuration:

  1. Click Manage on the Citrix DaaS tile.

  2. Navigate to Delivery groups and click Edit Delivery Group.

  3. Right-click the delivery group and select Edit to configure when the apps of that delivery group are enumerated and allowed to launch.
  4. Click Access Policy and add the required tags. Farm must always be set to Workspace, and the filter must contain one or more of the tags that you created in the earlier configuration.
  5. Repeat the previous steps to add more tags. When multiple tags are used, the Delivery Group is available to the user if at least one of the tags is present.

For details, see Manage delivery groups.

Note:

  • Ensure that the tags are entered in upper case only.
  • If an administrator removes the configuration of a specific tag on the Adaptive Authentication service, the tag must also be removed from Web Studio and from the Delivery groups. Administrators must not reuse deleted tag names; always use new tag names.

Upon successful configuration, a domain-joined logon enumerates the following apps.

[Image: Smart access, domain-joined group]

Upon successful configuration, a non-domain-joined logon enumerates the following apps.

[Image: Smart access, non-domain-joined group]

Step 3 - Add an access policy for the smart access tags:

  1. Under Manage, navigate to Policies, and create a policy.
  2. Select the appropriate ICA policy control.
  3. In Assign Policy To, select "Access control".

[Image: Smart access, assign policy]

  4. In the access condition, assign the smart access tag (in upper case).

[Image: Smart access, assign to access control]

Troubleshooting

- What if no tags are pushed:

Additional changes for high availability setup:

Sometimes file synchronization in a high availability setup is delayed. As a result, the keys created during Citrix ADM registration are not read in time on the secondary node.

The following three files must be present on the secondary:

  • /var/mastools/conf/agent.conf
  • /var/mastools/trust/.ssh/private.pem
  • /var/mastools/trust/.ssh/public.pem

To address the file-sync issue, perform the following steps to rerun the set cloud command on the secondary. The CustomerID and InstanceID values are the ones recorded in agent.conf.

> shell cat /var/mastools/conf/agent.conf
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<mps_agent>
<uuid>temp_str</uuid>
<url>fuji.agent.adm.cloud.com</url>
<customerid>customer_id</customerid>
<instanceid>instance_id</instanceid>
<servicename>MAS</servicename>
<download_service_url>download.citrixnetworkapistaging.net</download_service_url>
<abdp_url>fuji.agent.adm.cloud.com</abdp_url>
<msg_router_url>fuji.agent.adm.cloud.com</msg_router_url>
</mps_agent>
 Done
> set cloud param -CustomerID customer_id -InstanceID instance_id -Deployment Production
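The following POSIX shell script is an added example, not a Citrix tool, that automates the check described above: it verifies that the three ADM agent files exist on the secondary, reads the customerid and instanceid elements out of agent.conf, and prints the exact set cloud param command to paste into the NetScaler CLI. The MASTOOLS_ROOT variable is an assumption introduced here so the check can be run against a copy of the files; it defaults to the real /var/mastools path.

```shell
#!/bin/sh
# Added example (not Citrix tooling): verify the three ADM agent files on an HA
# secondary and derive the 'set cloud param' command from agent.conf.
# MASTOOLS_ROOT is an assumed override so the check can run on a copied tree.

MASTOOLS_ROOT="${MASTOOLS_ROOT:-/var/mastools}"

# Return 0 if all three files exist and are non-empty; otherwise name the gaps
# on stderr and return 1 (a delayed HA sync typically leaves the .pem files missing).
check_mastools_files() {
    root="${1:-$MASTOOLS_ROOT}"
    missing=0
    for f in conf/agent.conf trust/.ssh/private.pem trust/.ssh/public.pem; do
        if [ ! -s "$root/$f" ]; then
            echo "missing or empty: $root/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Extract the text of one simple element (e.g. customerid) from agent.conf.
# agent.conf keeps one element per line, so a line-oriented sed is sufficient.
conf_value() {
    file="$1"; tag="$2"
    sed -n "s/.*<$tag>\([^<]*\)<\/$tag>.*/\1/p" "$file" | head -n 1
}

# Build the command shown on the page, with the IDs read from agent.conf
# rather than retyped by hand.
set_cloud_command() {
    file="${1:-$MASTOOLS_ROOT/conf/agent.conf}"
    cid=$(conf_value "$file" customerid)
    iid=$(conf_value "$file" instanceid)
    if [ -z "$cid" ] || [ -z "$iid" ]; then
        echo "customerid or instanceid not found in $file" >&2
        return 1
    fi
    echo "set cloud param -CustomerID $cid -InstanceID $iid -Deployment Production"
}

# Stand-alone run: sh check_mastools.sh --run (from the NetScaler shell prompt).
if [ "${1:-}" = "--run" ]; then
    check_mastools_files "$MASTOOLS_ROOT" && echo "all three ADM agent files present"
    set_cloud_command
fi
```

Run it from the NetScaler shell on the secondary; if the check reports a missing .pem file, wait for (or force) HA file synchronization before issuing the printed command at the NetScaler CLI prompt.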