Citrix SSO for iOS/macOS devices

The legacy Citrix VPN client was built using Apple’s private VPN APIs that is now deprecated. VPN support in Citrix SSO is rewritten from the ground up using Apple’s public Network Extension framework.

Following are some of the major features introduced with Citrix SSO app:

  • Password tokens: A password token is a 6-digit code which is an alternative to Secondary Password Services such as VIP, OKTA, and so on. This code uses the Time-based One Time Password (T-OTP) protocol to generate the OTP code similar to services such as Google Authenticator, Microsoft Authenticator and so on. Users are prompted for two passwords during authentication to Citrix Gateway for a given Active Directory user. The second factor is a changing six-digit code that users copy from a registered third-party service such as Google or Microsoft Authenticator into the desktop browser. Users must first register for T-OTP on the Citrix ADC appliance. For registration steps, refer https://support.citrix.com/article/CTX228454. On the app, users can add the OTP feature by scanning the QR Code generated on Citrix ADC or manually entering the TOTP secret. OTP Tokens once added show up on the Password Tokens segment on the user interface.

To improve the experience, adding an OTP prompts the user to create a VPN profile automatically. Users can take advantage of this VPN profile to connect to VPN directly from their iOS devices.

Citrix SSO app can be used to scan the QR code while registering for Native OTP support. Citrix Gateway Push notification functionality is available only to the Citrix SSO app users.

  • Push notification: Citrix Gateway sends push notification on your registered mobile device for a simplified two-factor authentication experience. Instead of opening the Citrix SSO app to type in the second factor OTP on the Citrix ADC logon page, you can validate your identity by providing your Device PIN/Touch ID/ Face ID for the registered device.

Once you register your device for Push notification, you can also use the device for Native OTP support using the Citrix SSO app. Registration for Push Notifications is transparent to the user. When users register TOTP, device is also registered for Push Notifications if Citrix ADC supports it.

Citrix SSO for iOS/macOS devices