nFactor support for Citrix Secure Access client on macOS/iOS
Important:
Citrix SSO for iOS is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.
Multi-factor (nFactor) authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Admins can configure different authentication factors that include client cert, LDAP, RADIUS, OAuth, SAML, and so on. These authentication factors can be configured in any order based on the organization’s needs.
Citrix Secure Access client on macOS/iOS supports the following authentication protocols:
- nFactor – The nFactor protocol is used when an authentication virtual server is bound to the VPN virtual server on the gateway. Because the order of the authentication factors is dynamic, the client uses a browser instance (WebView) rendered within the app's context to present the authentication GUI.
- Classic – The classic protocol is the fall-back protocol, used when classic authentication policies are configured directly on the VPN virtual server on the gateway. The client also uses the classic protocol for nFactor authentication when a NAC check is required.
- Citrix identity platform – The Citrix identity platform protocol is used when authenticating to CloudGateway or Citrix Gateway service, and requires MDM enrollment with Citrix Cloud.
The following table summarizes the various authentication methods supported by each protocol.
| Authentication method | nFactor | Classic | Citrix IdP |
|---|---|---|---|
| Client Cert | Supported | Supported | Not supported |
| LDAP | Supported | Supported | Not supported |
| Local | Supported | Supported | Not supported |
| RADIUS | Supported | Not supported | Not supported |
| SAML | Supported | Not supported | Not supported |
| OAuth | Supported | Not supported | Not supported |
| TACACS | Supported | Not supported | Not supported |
| WebAuth | Supported | Not supported | Not supported |
| Negotiate | Supported | Not supported | Not supported |
| EPA | Supported | Supported | Not supported |
| NAC | Supported* | Supported | Not supported |
| StoreFront™ | Not supported | Not supported | Not supported |
| ADAL | Not supported | Not supported | Not supported |
| DS-AUTH | Not supported | Not supported | Supported |
Note:
*nFactor authentication with a Network Access Control (NAC) check operates under the following conditions:
- When an nFactor authentication policy includes a NAC check, the Citrix Secure Access client for iOS uses the classic authentication protocol instead of WebView-based authentication.
- In this mode, authentication policies that require credential collection through the WebView are not supported. Instead, the Citrix Secure Access client for iOS displays a legacy dialog box to collect user credentials.
- For Intune NAC checks, ensure that all required authentication factors (such as one or two passwords) are collected in a single step. Configure the login schema policy so that the initial authentication prompt asks for, and gathers, every factor that the chain needs.
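The following NetScaler CLI fragment is an added example, not configuration taken from this page or from Citrix. It shows the two things the text above describes: an authentication virtual server bound to the VPN virtual server (which is what makes the client select the nFactor protocol), and a login schema that collects both passwords in the first prompt so that a classic-mode client with a NAC check can supply everything in one step. All names (auth_vs, gw_vs, ldap_act, rad_act, dual_schema, rad_label, auth_prof), IP addresses, the LDAP base and the secrets are placeholders; the built-in DualAuth.xml schema is assumed to be present at its default path. The Intune NAC check policy itself and the MDM-managed VPN profile are not shown.

```text
# Added example, not from the page. Assumed names: auth_vs, gw_vs, ldap_act, rad_act,
# dual_schema, rad_label, auth_prof. IPs, domain and secrets are placeholders.

# 1. Non-addressable authentication virtual server that drives the nFactor flow.
add authentication vserver auth_vs SSL 0.0.0.0

# 2. First factor: LDAP. Second factor: RADIUS (for example an OTP server).
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ns@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication Policy ldap_pol -rule true -action ldap_act
add authentication radiusAction rad_act -serverIP 10.0.0.20 -radKey "<shared-secret>"
add authentication Policy rad_pol -rule true -action rad_act

# 3. Single-step credential collection: the built-in DualAuth schema prompts for
#    user name, password and a second password (passwd1) in one form.
add authentication loginSchema dual_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy dual_schema_pol -rule true -action dual_schema
bind authentication vserver auth_vs -policy dual_schema_pol -priority 100 -gotoPriorityExpression END

# 4. The second factor has no login schema of its own (LSCHEMA_INT), so it uses
#    the second password already collected instead of prompting again.
add authentication policylabel rad_label -loginSchema LSCHEMA_INT
bind authentication policylabel rad_label -policyName rad_pol -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver auth_vs -policy ldap_pol -priority 100 -nextFactor rad_label -gotoPriorityExpression NEXT

# 5. Attach the authentication virtual server to the VPN virtual server through an
#    authentication profile. This binding is what makes the client use nFactor.
add authentication authnProfile auth_prof -authnVsName auth_vs
set vpn vserver gw_vs -authnProfile auth_prof
```

Two points to check before relying on this with a NAC-enabled client: first, because the NAC path falls back to the classic protocol and a legacy credential dialog, no factor in the chain may depend on the WebView (a SAML or OAuth redirect, for instance) or it will not complete; second, confirm with `show authentication vserver auth_vs` and a browser test that the first prompt really asks for both passwords, since a schema that collects only one of them forces a second prompt that the classic path cannot render.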
nFactor configuration
For details about configuring nFactor, see Configuring nFactor authentication.
Important:
To use the nFactor protocol with the Citrix Secure Access client on macOS/iOS, NetScaler Gateway on-premises version 12.1.50.xx or later is recommended.
Limitations
- Mobile-specific authentication policies such as NAC (network access control) require the client to send a signed device identifier as part of the authentication with NetScaler Gateway. The signed device identifier is a rotatable secret key that uniquely identifies a mobile device enrolled in an MDM environment. This key is embedded in a VPN profile that is managed by an MDM server, and it might not be possible to inject the key into the WebView context. If NAC is enabled in an MDM VPN profile, the Citrix Secure Access client for iOS therefore falls back automatically to the classic authentication protocol.
- You cannot configure a NAC check with Intune for macOS, because Intune does not provide an option to enable NAC for macOS as it does for iOS.