Citrix SSO overview

Citrix SSO is the best-in-class application access and data protection solution offered by Citrix Gateway. You can securely access business-critical applications, virtual desktops, and corporate data from anywhere at any time. Citrix SSO is the next-generation VPN client for Citrix Gateway, built using Apple’s Network Extension framework. It replaces the legacy Citrix VPN client on the App Store.

Citrix SSO app provides complete Mobile Device Management (MDM) support on iOS. With an MDM server, an admin can now remotely configure and manage device level VPN profiles and per-app VPN profiles.

What’s new

The legacy Citrix VPN client was built using Apple’s private VPN APIs that have now been deprecated. VPN support in Citrix SSO has been rewritten from the ground up using Apple’s public Network Extension framework.

Following are some of the major features introduced with Citrix SSO app:

Password Tokens: A password token is a 6-digit code that serves as an alternative to secondary password services such as VIP or Okta. The code is generated with the Time-based One-Time Password (T-OTP) protocol, in the same way as Google Authenticator, Microsoft Authenticator, and similar services. Users are prompted for two passwords when authenticating to Citrix Gateway as a given Active Directory user. The second factor is a changing six-digit code that users copy from a registered third-party service such as Google or Microsoft Authenticator into the desktop browser.

Users first need to register for T-OTP on the Citrix ADC appliance. For registration steps, refer to https://support.citrix.com/article/CTX228454. In the app, users add the OTP feature by scanning the QR code generated on Citrix ADC or by manually entering the TOTP secret. Once added, OTP tokens appear in the Password Tokens segment of the user interface. To improve the experience, adding an OTP automatically prompts the user to create a VPN profile. Users can then use this VPN profile to connect to the VPN directly from their iOS devices.

Note:

  • Citrix SSO app can be used to scan the QR code while registering for Native OTP support.
  • Citrix Gateway Push notification functionality is available only to the Citrix SSO app users.
  • The Password Tokens feature is available on Citrix SSO for iOS users only.

Push notification: Citrix Gateway sends a push notification to your registered mobile device for a simplified two-factor authentication experience. Instead of opening the Citrix SSO app to type the second-factor OTP into the Citrix ADC logon page, you validate your identity by providing the device PIN, Touch ID, or Face ID on the registered device.

Note:

  • Once you register your device for push notifications, you can also use the device for Native OTP support with the Citrix SSO app. Registration for push notifications is transparent to the user: when users register for TOTP, the device is also registered for push notifications if Citrix ADC supports it.
  • The Push notification feature is available on Citrix SSO for iOS users only.

Feature comparison between Citrix VPN and Citrix SSO

IMPORTANT: Citrix VPN cannot be used on iOS 12 and later. To continue using VPN, use the Citrix SSO app.

The following table compares the availability of various features between Citrix VPN and Citrix SSO.

Feature                                                                          | Citrix VPN                                | Citrix SSO
---------------------------------------------------------------------------------|-------------------------------------------|-----------
Device level VPN                                                                 | Supported                                 | Supported
Per-App VPN (MDM only)                                                           | Supported                                 | Supported
Per-App split tunnel                                                             | Not supported                             | Supported
MDM configured VPN profiles                                                      | Supported                                 | Supported
On-Demand VPN                                                                    | Supported                                 | Supported
Password Tokens (T-OTP based)                                                    | Not supported                             | Supported
Push Notifications based login (Second Factor from registered Phone)             | Not supported                             | Supported
Certificate based Authentication                                                 | Supported                                 | Supported
User Name/Password Authentication                                                | Supported                                 | Supported
Network Access Control Check with Citrix Endpoint Management (formerly XenMobile) | Not supported                             | Supported
Network Access Control Check with Microsoft Intune                               | Supported                                 | Supported
DTLS support                                                                     | Not supported                             | Supported
Block User Created VPN Profiles                                                  | Supported                                 | Supported
Single Sign On for native apps managed by Citrix Cloud                           | Not supported                             | Supported
Supported OS version                                                             | iOS 9, 10, 11 (does not work from iOS 12+) | iOS 9+

Compatibility with MDM products

Citrix SSO is compatible with most MDM providers such as Citrix Endpoint Management (formerly XenMobile), Microsoft Intune and so on.

Citrix SSO also supports a feature called Network Access Control (NAC); see the NAC question in the FAQs section of this document for more information. With NAC, MDM administrators can enforce end-user device compliance before the device connects to Citrix ADC. NAC on Citrix SSO requires an MDM server such as Citrix Endpoint Management or Intune, and Citrix ADC.

Configure an MDM managed VPN profile for Citrix SSO

The following section captures step-by-step instructions to configure both device-wide and per-app VPN profiles for Citrix SSO using Citrix Endpoint Management (formerly XenMobile) as an example. Other MDM solutions can use this document as reference when working with Citrix SSO.

Note: This section explains the configuration steps for a basic device-wide and per-app VPN profile. You can also configure On-Demand, Always-On, and proxies by following the Citrix Endpoint Management (formerly XenMobile) documentation or Apple’s MDM VPN payload configuration.

Device level VPN profiles

Device level VPN profiles are used to set up a system wide VPN. Traffic from all apps and services is tunneled to Citrix Gateway based on the VPN policies (such as Full-tunnel, Split-tunnel, Reverse Split tunnel) defined in Citrix ADC.

To configure a device level VPN on Citrix Endpoint Management

Perform the following steps to configure a device level VPN on Citrix Endpoint Management.

1. On the Citrix Endpoint Management MDM console, navigate to Configure > Device Policies > Add New Policy.

2. Select iOS on the left Policy Platform pane. Select VPN on the right pane.

3. On the Policy Info page, enter a valid policy name and description and click Next.

4. On the VPN Policy page for iOS, type a valid connection name and choose Custom SSL in Connection Type.

Note: In the MDM VPN payload, the connection name corresponds to the UserDefinedName key, and the VPNType key must be set to VPN.

5. In Custom SSL identifier (reverse DNS format), enter com.citrix.NetScalerGateway.ios.app. This is the bundle identifier for the Citrix SSO App on iOS.

Note: In the MDM VPN payload, Custom SSL identifier corresponds to the VPNSubType key.

6. In Provider bundle identifier enter com.citrix.NetScalerGateway.ios.app.vpnplugin. This is the bundle identifier of the network extension contained in the Citrix SSO iOS app binary.

Note: In MDM VPN payload, provider bundle identifier corresponds to the ProviderBundleIdentifier key.

7. In Server name or IP address enter the IP address or FQDN (fully qualified domain name) of the Citrix ADC associated with this Citrix Endpoint Management instance.

The remaining fields in the configuration page are optional. Configurations for these fields can be found in Citrix Endpoint Management (formerly XenMobile) documentation.

8. Click Next.


9. Click Save.

Per-App VPN profiles

Per-App VPN profiles are used to set up VPN for a specific application. Traffic from only the specific app is tunneled to Citrix Gateway. The Per-App VPN payload supports all of the keys for Device-wide VPN plus a few additional keys.

To configure a per-App level VPN on Citrix Endpoint Management

Perform the following steps to configure a Per-App VPN:

1. Complete the device level VPN configuration on Citrix Endpoint Management.

2. Turn the Enable Per-App VPN switch ON in the Per-App VPN section.

3. Turn the On-Demand Match App Enabled switch ON if Citrix SSO should be started automatically when the Match App is launched. This is recommended for most Per-App cases.

Note: In the MDM VPN payload, this field corresponds to the key OnDemandMatchAppEnabled.

4. In Provider Type, select Packet Tunnel.

Note: In the MDM VPN payload, this field corresponds to the key ProviderType.

5. Safari Domain configuration is optional. When Safari domain is configured, Citrix SSO starts automatically when users launch Safari and navigate to a URL that matches the one in Domain field. This is not recommended if you want to restrict VPN for a specific app.

Note: In the MDM VPN payload, this field corresponds to the key SafariDomains.

The remaining fields in the configuration page are optional. Configurations for these fields can be found in Citrix Endpoint Management (formerly XenMobile) documentation.


6. Click Next.

7. Click Save.

To associate this VPN profile to a specific App on the device, you must create an App Inventory policy and a credentials provider policy by following this guide - https://www.citrix.com/blogs/2016/04/19/per-app-vpn-with-xenmobile-and-citrix-vpn/.

Import certificates into Citrix SSO for client authentication

Citrix SSO on iOS supports client certificate authentication with Citrix Gateway. On iOS, certificates can be delivered to the Citrix SSO app in one of following ways:

  • MDM server - This is the preferred approach for MDM customers. Certificates are configured directly on the MDM-managed VPN profile. Both the VPN profile and the certificates are then pushed to devices when they enroll into the MDM server. Follow your MDM vendor's documentation for this approach.

  • Email - The only approach for non-MDM customers. In this approach, administrators send users an email with the user certificate identity (certificate and private key) attached as a PKCS#12 file. Users need an email account configured on their iOS device to receive the email with the attachment. The file can then be imported into the Citrix SSO app on iOS. The following section explains the configuration steps for this approach.

Prerequisites

  • User Certificate - A PKCS#12 identity file with a .pfx or .p12 extension for a given user. This file contains both the certificate and the private key.

  • Email account configured on the iOS device.

  • Citrix SSO app installed on the iOS device.

Configuration steps

1. Rename the Extension/MIME type of the User Certificate.

The file extensions most commonly used for user certificates are “.pfx”, “.p12”, and so forth. Unlike formats such as .pdf or .doc, these extensions are non-standard on the iOS platform: both “.pfx” and “.p12” are claimed by the iOS system and cannot be claimed by third-party apps such as Citrix SSO. Citrix SSO therefore defines new extension/MIME types, “.citrixsso-pfx” and “.citrixsso-p12”. Administrators must change the extension/MIME type of the user certificate from the standard “.pfx” or “.p12” to “.citrixsso-pfx” or “.citrixsso-p12” respectively. To rename the extension, admins can run the following command at a command prompt or terminal.

Windows 10

cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
rename <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx

macOS

cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
mv <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx

2. Send the file as an email attachment.

The User Certificate file with the new extension can now be sent as an email attachment to the user.

3. Open Email with Citrix SSO App.

  • On receipt of the email, users must tap on the attachment to reveal the System “OpenIn” menu.

  • Tap Copy to Citrix SSO.


4. Install Certificate in Citrix SSO app.

  • The app is now launched and a prompt for the certificate passphrase is displayed to the user. The user needs to enter the correct passphrase for the certificate to be installed into the app’s keychain.

  • Upon successful validation, the certificate is imported.


5. Using Certificate based Authentication with VPN.

  • To use the certificate for VPN authentication, users first need to create a VPN Configuration/Profile on Citrix SSO. Navigate to the VPN Connections view and tap on Add VPN Configuration.

  • On the configuration view of the VPN profile, users can select the imported certificate in the Certificates configuration section.


  • Tap Save to import the certificate. The certificate is imported successfully.


6. Managing Certificates. Certificates imported into Citrix SSO may be managed by the user by navigating to App Settings > Certificates.

Configuring split tunnel in Per-App VPN

MDM customers can configure split tunnel in Per-App VPN for Citrix SSO. To do this, the following key/value pair must be added to the vendor configuration section of the VPN profile created on MDM server.

-  Key = "PerAppSplitTunnel"
-  Value = "true or 1 or yes"

The key is case sensitive and should be an exact match while value is not case sensitive.

Note: The user interface to configure vendor configuration is not standard across MDM vendors. You must contact the MDM vendor to find the vendor configuration section on your MDM user console.

The following is a sample screenshot of the configuration (vendor specific settings) in Citrix Endpoint Management.

[Screenshot: Per-App split tunnel vendor configuration in Citrix Endpoint Management]

The following is a sample screenshot of the configuration (vendor specific settings) in Microsoft Intune.

[Screenshot: Per-App split tunnel vendor configuration in Microsoft Intune]

Disabling user created VPN profiles

MDM customers can prevent users from manually creating VPN profiles from within the Citrix SSO App. To do this, the following key/value pair must be added to the vendor configuration section of the VPN profile created on MDM server.

-  Key = "disableUserProfiles"
-  Value = "true or 1 or yes"

The key is case sensitive and should be an exact match while value is not case sensitive.

Note: The user interface to configure vendor configuration is not standard across MDM vendors. You must contact the MDM vendor to find the vendor configuration section on your MDM user console.

The following is a sample screenshot of the configuration (vendor specific settings) in Citrix Endpoint Management.

[Screenshot: disableUserProfiles vendor configuration in Citrix Endpoint Management]

The following is a sample screenshot of the configuration (vendor specific settings) in Microsoft Intune.

[Screenshot: disableUserProfiles vendor configuration in Microsoft Intune]
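As an added example (not Citrix's or Apple's own code), the following Python builds the MDM VPN payload that the device-level and per-app procedures above describe, using the key names the document gives (UserDefinedName, VPNType, VPNSubType, ProviderBundleIdentifier, OnDemandMatchAppEnabled, ProviderType, SafariDomains) together with the PerAppSplitTunnel and disableUserProfiles vendor-configuration keys, and implements the case rule for those keys. Key placement follows Apple's managed VPN payload; the PayloadIdentifier and PayloadUUID values are placeholders you would replace in a real profile.

```python
import plistlib

# Bundle identifiers given in the documentation above.
CITRIX_SSO_VPN_SUBTYPE = "com.citrix.NetScalerGateway.ios.app"
CITRIX_SSO_PROVIDER = "com.citrix.NetScalerGateway.ios.app.vpnplugin"


def build_citrix_sso_vpn_payload(connection_name, remote_address,
                                 per_app=False, safari_domains=(),
                                 per_app_split_tunnel=False,
                                 disable_user_profiles=False):
    """Return the VPN payload dictionary as it would be embedded in an MDM profile."""
    vpn = {
        "RemoteAddress": remote_address,          # Citrix ADC FQDN or IP address
        "AuthenticationMethod": "Password",       # or "Certificate" with a cert payload
        "ProviderBundleIdentifier": CITRIX_SSO_PROVIDER,
    }
    vendor = {}
    if per_app_split_tunnel:
        vendor["PerAppSplitTunnel"] = "true"      # key is case sensitive
    if disable_user_profiles:
        vendor["disableUserProfiles"] = "true"    # blocks user-created profiles
    if vendor:
        vpn["VendorConfig"] = vendor
    if per_app:
        vpn["ProviderType"] = "packet-tunnel"     # "Packet Tunnel" in the console
        vpn["OnDemandMatchAppEnabled"] = True     # start SSO when the matched app launches
        if safari_domains:                        # optional; widens the tunnel to Safari
            vpn["SafariDomains"] = list(safari_domains)
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.citrixsso",           # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",      # placeholder
        "UserDefinedName": connection_name,       # "connection name" in the console
        "VPNType": "VPN",                         # required for Custom SSL
        "VPNSubType": CITRIX_SSO_VPN_SUBTYPE,     # "Custom SSL identifier"
        "VPN": vpn,
    }


def vendor_flag_enabled(vendor_config, key):
    """Citrix vendor keys must match exactly; their values ("true", "1", "yes") are
    matched case-insensitively, so "YES" enables the flag but "perappsplittunnel" does not."""
    value = vendor_config.get(key)
    return isinstance(value, str) and value.strip().lower() in ("true", "1", "yes")


def to_plist(payload):
    """Serialize the payload to the XML plist form an MDM server delivers."""
    return plistlib.dumps(payload).decode()
```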

Known issues

Issue description: Tunneling of FQDN addresses that contain a “.local” domain in Per-App VPN or On-Demand VPN configurations. A bug in Apple’s Network Extension framework stops FQDN addresses whose domain part contains .local (for example, http://www.abc.local) from being tunneled over the system’s TUN interface. Traffic for such an address is sent out via the device’s physical interface instead. The issue is observed only with Per-App VPN or On-Demand VPN configurations and is not seen with system-wide VPN configurations. Citrix has filed a radar bug report with Apple, and Apple has noted that according to RFC 6762 (https://tools.ietf.org/html/rfc6762), .local is a multicast DNS (mDNS) query and the behavior is hence not a bug. However, Apple has not closed the bug yet and it is not clear whether the issue will be addressed in future iOS releases.

Workaround: Assign a domain name that does not end in .local to such addresses.

Limitations

  • FQDN based split tunneling is not fully supported yet.
  • Endpoint Analysis (EPA) is not supported on iOS.
  • Split tunneling based on ports/protocols is not supported.

FAQs

This section captures the frequently asked questions on the Citrix SSO app.

How is the Citrix SSO app different from the Citrix VPN app? Citrix SSO is the next-generation SSL VPN client for Citrix ADC. The app uses Apple’s Network Extension framework to create and manage VPN connections on iOS and macOS devices. Citrix VPN is the legacy VPN client that used Apple’s private VPN APIs, which are now deprecated. Support for Citrix VPN will be removed from the App Store in the months to come.

What is NE? The Network Extension (NE) framework from Apple is a modern library which contains APIs that can be used to customize and extend the core networking features of iOS and macOS. Network Extension with support for SSL VPN is available on devices running iOS 9+ and macOS 10.11+.

With which versions of Citrix ADC is Citrix SSO compatible? VPN features in Citrix SSO are supported on Citrix ADC versions 10.5 and above. TOTP is available on Citrix ADC version 12.0 and above. Push Notification on Citrix ADC has not been publicly announced yet. The app requires iOS 9+ or macOS 10.11+.

How does certificate-based authentication for non-MDM customers work? Customers who previously distributed certificates via email or browser to perform client certificate authentication in Citrix VPN should note this change when using Citrix SSO. This mostly affects non-MDM customers who do not use an MDM server to distribute user certificates. Refer to “Import certificates into Citrix SSO for client authentication” above for how to distribute certificates.

What is Network Access Control (NAC)? How do I configure NAC with Citrix SSO and Citrix Gateway? Microsoft Intune and Citrix Endpoint Management (formerly XenMobile) MDM customers can take advantage of the Network Access Control (NAC) feature in Citrix SSO. With NAC, administrators can secure their enterprise internal network by adding an extra layer of authentication for mobile devices that are managed by an MDM server. Administrators can enforce a device compliance check at the time of authentication in Citrix SSO.

To use NAC with Citrix SSO, you must enable it on both Citrix Gateway and the MDM server.

  • To enable NAC on Citrix ADC, refer to the Citrix ADC NAC documentation.
  • If the MDM vendor is Intune, refer to the Intune NAC documentation.
  • If the MDM vendor is Citrix Endpoint Management (formerly XenMobile), refer to the Citrix Endpoint Management NAC documentation.

Note: The minimum supported Citrix SSO version is 1.1.6.