nFactor support for Citrix SSO on iOS and macOS
Multi-factor (nFactor) authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Admins can configure different authentication factors, including client cert, LDAP, RADIUS, OAuth, SAML, and so on. These authentication factors can be configured in any order based on the organization's needs.
Citrix SSO supports the following authentication protocols:
nFactor – nFactor protocol is used when an authentication virtual server is bound to the VPN virtual server on the gateway. Because the order of the authentication factors is dynamic, the client uses a browser instance that is rendered within the app’s context to present the authentication GUI.
Classic – Classic protocol is the default fall-back protocol used if classic authentication policies are configured on the VPN virtual server on the gateway. Classic protocol is the fall-back protocol if nFactor fails for specific authentication methods such as NAC.
Citrix identity platform – The Citrix identity platform protocol is used when authenticating to CloudGateway or gateway service and requires MDM enrollment with Citrix Cloud.
The following table summarizes the various authentication methods supported by each protocol.
| Authentication method | nFactor | Classic | Citrix IdP |
|---|---|---|---|
| Client Cert | Supported | Supported | Not supported |
| RADIUS | Supported | Not supported | Not supported |
| SAML | Supported | Not supported | Not supported |
| OAuth | Supported | Not supported | Not supported |
| TACACS | Supported | Not supported | Not supported |
| WebAuth | Supported | Not supported | Not supported |
| Negotiate | Supported | Not supported | Not supported |
| NAC | Not supported | Supported | Not supported |
| StoreFront | Not supported | Not supported | Not supported |
| ADAL | Not supported | Not supported | Not supported |
| DS-AUTH | Not supported | Not supported | Supported |
For details about configuring nFactor, see Configuring nFactor authentication.
To use the nFactor protocol with Citrix SSO, the recommended Citrix Gateway on-premises version is 12.1.50.xx and later.
Mobile-specific authentication policies such as NAC (network access control) require the client to send a signed device identifier as part of the authentication with Citrix Gateway. The signed device identifier is a rotatable secret key that uniquely identifies a mobile device enrolled in an MDM environment. This key is embedded in a VPN profile that is managed by an MDM server. It might not be possible to inject this key into the WebView context. If NAC is enabled on an MDM VPN profile, Citrix SSO therefore automatically falls back to the classic authentication protocol.
You cannot configure a NAC check with Intune for macOS, because Intune does not provide an option to enable NAC for macOS, unlike for iOS.
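The protocol-selection rules above (nFactor when an authentication virtual server is bound, Classic as the fall-back and the forced choice when NAC is in the MDM VPN profile, Citrix IdP for cloud targets with MDM enrollment) combine with the support table to determine which configured factors will actually run. The following is an added example, not Citrix SSO's own code: it models those rules as a small configuration checker an admin can run before rollout. The `GatewayConfig` fields, the function names, and the `mdm_vendor`/`platform` attributes are assumptions made for this illustration; the support matrix and the fall-back rules are transcribed from the text above.

```python
"""Added illustration of Citrix SSO protocol selection (not Citrix code).

The GatewayConfig model and function names are hypothetical; the rules
encoded are the ones stated in the documentation text above.
"""
from dataclasses import dataclass

# Support matrix transcribed from the table above: method -> protocols that support it.
SUPPORT = {
    "Client Cert": {"nFactor", "Classic"},
    "RADIUS": {"nFactor"},
    "SAML": {"nFactor"},
    "OAuth": {"nFactor"},
    "TACACS": {"nFactor"},
    "WebAuth": {"nFactor"},
    "Negotiate": {"nFactor"},
    "NAC": {"Classic"},
    "StoreFront": set(),
    "ADAL": set(),
    "DS-AUTH": {"Citrix IdP"},
}


@dataclass
class GatewayConfig:
    """Hypothetical model of the settings that drive protocol selection."""
    target: str = "on-prem"            # "on-prem" gateway or "cloud" (CloudGateway / gateway service)
    auth_vserver_bound: bool = False   # authentication vserver bound to the VPN vserver -> nFactor
    classic_policies: bool = False     # classic auth policies configured on the VPN vserver
    nac_in_vpn_profile: bool = False   # NAC enabled on the MDM-managed VPN profile
    mdm_enrolled: bool = False         # device enrolled in MDM (required for Citrix IdP)
    mdm_vendor: str = ""               # e.g. "Intune"; only used for the macOS NAC caveat
    platform: str = "iOS"              # "iOS" or "macOS"
    required_methods: tuple = ()       # factors the admin expects to run


def select_protocol(cfg: GatewayConfig):
    """Return the protocol Citrix SSO is described as choosing, or None."""
    if cfg.target == "cloud":
        # Citrix identity platform requires MDM enrollment with Citrix Cloud.
        return "Citrix IdP" if cfg.mdm_enrolled else None
    if cfg.nac_in_vpn_profile:
        # The signed device identifier cannot be injected into the WebView
        # context, so the client falls back to Classic even if nFactor is set up.
        return "Classic"
    if cfg.auth_vserver_bound:
        return "nFactor"
    if cfg.classic_policies:
        return "Classic"
    return None


def unsupported_methods(cfg: GatewayConfig):
    """List required factors the selected protocol cannot perform."""
    proto = select_protocol(cfg)
    if proto is None:
        return list(cfg.required_methods)
    return [m for m in cfg.required_methods if proto not in SUPPORT.get(m, set())]


def config_warnings(cfg: GatewayConfig):
    """Human-readable findings for a configuration review."""
    proto = select_protocol(cfg)
    warnings = []
    if proto is None:
        warnings.append("no usable authentication protocol for this configuration")
    if cfg.nac_in_vpn_profile and cfg.auth_vserver_bound:
        warnings.append("NAC forces fall-back to Classic; nFactor-only factors will not run")
    if cfg.nac_in_vpn_profile and cfg.platform == "macOS" and cfg.mdm_vendor == "Intune":
        warnings.append("Intune cannot enable NAC for macOS")
    for m in unsupported_methods(cfg):
        warnings.append(f"{m} is not supported by {proto or 'any selectable protocol'}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: nFactor gateway with RADIUS + SAML, but NAC turned on in the profile.
    sample = GatewayConfig(auth_vserver_bound=True, nac_in_vpn_profile=True,
                           required_methods=("NAC", "RADIUS", "SAML"))
    print(select_protocol(sample))
    for w in config_warnings(sample):
        print("-", w)
```

The interesting case is the one the page warns about: enabling NAC on the MDM profile silently moves the client to Classic, and every nFactor-only factor (RADIUS, SAML, OAuth, and so on) then shows up as unsupported. Running the checker on a planned configuration surfaces that before users hit it.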