nFactor support for Citrix SSO on iOS and macOS

Multi-factor (nFactor) authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Admins can configure different authentication factors, including client certificate, LDAP, RADIUS, OAuth, SAML, and so on. These authentication factors can be configured in any order, based on the organization's needs.

Citrix SSO supports the following authentication protocols:

  • nFactor – nFactor protocol is used when an authentication virtual server is bound to the VPN virtual server on the gateway. Because the order of the authentication factors is dynamic, the client uses a browser instance that is rendered within the app’s context to present the authentication GUI.

  • Classic – The classic protocol is the default fall-back protocol, used when classic authentication policies are configured on the VPN virtual server on the gateway. It is also the fall-back protocol when nFactor cannot handle a specific authentication method, such as NAC.

  • Citrix identity platform – The Citrix identity platform protocol is used when authenticating to CloudGateway or gateway service and requires MDM enrollment with Citrix Cloud.

The following table summarizes the various authentication methods supported by each protocol.

| Authentication method | nFactor       | Classic       | Citrix IdP    |
|-----------------------|---------------|---------------|---------------|
| Client Cert           | Supported     | Supported     | Not supported |
| LDAP                  | Supported     | Supported     | Not supported |
| Local                 | Supported     | Supported     | Not supported |
| RADIUS                | Supported     | Not supported | Not supported |
| SAML                  | Supported     | Not supported | Not supported |
| OAuth                 | Supported     | Not supported | Not supported |
| TACACS                | Supported     | Not supported | Not supported |
| WebAuth               | Supported     | Not supported | Not supported |
| Negotiate             | Supported     | Not supported | Not supported |
| EPA                   | Supported     | Supported     | Not supported |
| NAC                   | Not supported | Supported     | Not supported |
| StoreFront            | Not supported | Not supported | Not supported |
| ADAL                  | Not supported | Not supported | Not supported |
| DS-AUTH               | Not supported | Not supported | Supported     |

nFactor configuration

For details about configuring nFactor, see Configuring nFactor authentication.

Important: To use the nFactor protocol with Citrix SSO, the recommended on-premises Citrix Gateway version is 12.1.50.xx or later.

Limitations

  • The nFactor protocol is disabled by default. Customers who want to use nFactor must explicitly request it from Citrix support and provide their VPN virtual server FQDN.

  • Mobile-specific authentication policies such as NAC (network access control) require the client to send a signed device identifier as part of the authentication with Citrix Gateway. The signed device identifier is a rotatable secret key that uniquely identifies a mobile device that is enrolled in an MDM environment. This key is embedded in a VPN profile that is managed by an MDM server. It might not be possible to inject this key into the WebView context. If NAC is enabled on an MDM VPN profile, Citrix SSO automatically falls back to the classic authentication protocol.
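The support table and the fall-back rules above, encoded as a planning check an admin can run before requesting nFactor enablement. This is an added example, not Citrix code: the protocol-selection logic is a simplification of the page's prose, and the function and parameter names are assumptions.

```python
# Added example (not Citrix code). Encodes this page's support table and the
# described fall-back behaviour so a planned factor list can be sanity checked.
# Protocol selection below is a simplification of the prose, not the real
# client's decision logic.

PROTOCOLS = ("nFactor", "Classic", "Citrix IdP")

# method -> (nFactor, Classic, Citrix IdP) support, as in the table above
SUPPORT = {
    "Client Cert": (True, True, False),
    "LDAP": (True, True, False),
    "Local": (True, True, False),
    "RADIUS": (True, False, False),
    "SAML": (True, False, False),
    "OAuth": (True, False, False),
    "TACACS": (True, False, False),
    "WebAuth": (True, False, False),
    "Negotiate": (True, False, False),
    "EPA": (True, True, False),
    "NAC": (False, True, False),
    "StoreFront": (False, False, False),
    "ADAL": (False, False, False),
    "DS-AUTH": (False, False, True),
}


def select_protocol(auth_vserver_bound, classic_policies, nac_in_mdm_profile,
                    gateway_service=False):
    """Pick the protocol the page says Citrix SSO will end up using."""
    if gateway_service:
        # Gateway service / CloudGateway: Citrix identity platform (needs MDM)
        return "Citrix IdP"
    if nac_in_mdm_profile:
        # Signed device id cannot reach the WebView, so NAC forces Classic
        return "Classic"
    if auth_vserver_bound:
        return "nFactor"
    # Default fall-back when only classic policies (or nothing) are configured
    return "Classic"


def unsupported_methods(protocol, methods):
    """Return the requested methods the chosen protocol cannot perform."""
    col = PROTOCOLS.index(protocol)
    return [m for m in methods if not SUPPORT[m][col]]


def plan(auth_vserver_bound, classic_policies, nac_in_mdm_profile, methods,
         gateway_service=False):
    """(selected protocol, methods that will not work under it)."""
    proto = select_protocol(auth_vserver_bound, classic_policies,
                            nac_in_mdm_profile, gateway_service)
    return proto, unsupported_methods(proto, methods)
```

A non-empty second element in the result means the factor list must change or the profile must drop NAC before the deployment will authenticate as planned.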
