Tech Brief: Seamless Authentication Options on Citrix Workspace app
Overview
Citrix Workspace app (CWA) provides users a personalized interface that enables instant access to virtual applications, desktops, SaaS, and web apps. Users get seamless and secure access to all the apps needed to stay productive, including features like embedded browsing and single sign-on.
CWA provides several authentication options administrators can enable in line with the identity provider enabled in your organization across on-premises and cloud environments.
Force Login Prompt
Force Login Prompt is a feature that allows administrators to configure CWA to prompt users for their login credentials each time they access the application, even if they have previously logged in and have a valid session. The IDP stores user credentials via persistent cookies to enable single sign-on (SSO) and provide a seamless user experience. However, there can be scenarios where administrators want to force users to enter their login credentials each time they access Citrix resources, such as when the user is accessing sensitive data or applications or when there are security concerns.
The Force Login Prompt setting is enabled by default. This setting allows administrators to force Citrix Workspace login to override the IdP timeout. If the setting is disabled, the IdP timeout is honored. It is important to note that enabling this feature can impact user productivity and increase the frequency of login-related issues. Therefore, use this setting judiciously and only in scenarios necessary for security or compliance purposes.
The Force Login Prompt setting must be disabled when:
- Administrators want to provide users accessing CWA over the web (including HTML5 clients) with a longer-lived login. For example, if administrators have set Azure Active Directory (AAD) to its 14-day default timeout, the user is not asked to log in again in the browser within that period.
- CWA should log in automatically on AAD-joined client devices. Otherwise, CWA forces a login prompt even though SSO is enabled.
Type | CWA OS | IdP | Support |
---|---|---|---|
Force Login Prompt | All CWA Versions | All | Yes (Enabled by Default) |
Persistent Login to Citrix Workspace app
Persistent Login is a feature of CWA that allows users to remain logged in even after they close or disconnect from their virtual desktop or application session. This means that users do not have to enter their credentials each time they access Citrix, providing a more streamlined and convenient experience.
Persistent Login creates a long-lived authentication token that can be set anywhere from 2 to 365 days and stored on the user’s device. This token is encrypted and can be configured to expire after a set period or when the user logs out of Citrix. When the user returns to CWA, the app checks for the token and, if found, logs the user back in automatically.
Persistent Login is compatible with various authentication methods, including Active Directory, LDAP, and SAML. This feature helps improve user productivity by eliminating the need for users to enter their credentials repeatedly, while also maintaining the environment’s security by requiring authentication when the token expires or the user logs out. For any newly configured store, it is enabled by default with a value of 30 days.
Note
As of this writing, the authentication timeout option is available for CWA client apps. Browser access is not supported. It is recommended to use the inactivity timer if frequent authentication is a use case for your environment.
Behavior on Cloud stores
Type | CWA OS | IdP | Support |
---|---|---|---|
Long-Lived Token for Workspace App (Pre-launch + Cloud Store) | Windows, Mac, Linux, Android, iOS | All | Yes |
Long-Lived Token for Workspace App (Pre-launch + Cloud Store) | ChromeOS, Browser + native CWA, Browser + HTML5 | All | No |
Note
The Persistent Login feature is currently not supported for on-premises stores.
Persistent Login to VDI sessions
The Persistent Login to VDI sessions option enables users to single sign-on (SSO) to VDI sessions using a long-lived password instead of entering their credentials each time they access their VDI environment. This eliminates the need for users to enter their credentials multiple times and simplifies the authentication process. Like Persistent Login to CWA, it is set to a value between 2 and 365 days.
Key factors to be noted:
- Login to VDI with SSO can occur only when the IdP is AD, AD+TOTP, or Citrix Gateway.
- In all other cases (AAD, Okta, Google, SAML, and so forth) Citrix Federated Authentication Service (FAS) is required.
Type | CWA OS | IdP | VDA Joined To | Support |
---|---|---|---|---|
Long-Lived Passwords for SSO to VDI sessions | Windows, Mac, Android, iOS, Linux | AD, AD+OTP, Gateway, Remaining require FAS | AD/Hybrid AD | Yes |
Inactivity Timer for Citrix Workspace app
The Inactivity Timer for Citrix Workspace app - Authentication Timeouts option enables administrators to enforce an authentication check when the application has been inactive for a period. This option is used to ensure that resources are accessed only by legitimate users, whether on their own devices or on shared devices. The inactivity timeout can be set to any value less than 24 hours.
Key behavior to be noted:
- The inactivity timer overrides the Persistent Login experience.
- On desktops, users are logged out after the inactivity timeout.
- On mobile, users can re-authenticate with biometrics after the inactivity timeout but are not logged out.
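To make the interaction between Force Login Prompt, Persistent Login and the inactivity timer concrete, the following Go model is added here as an illustration; it is not Citrix code and does not use Citrix configuration keys. The field names (`ForceLoginPrompt`, `PersistentDays`, `InactivityTimeout`), the `Evaluate` function and the ordering of its last two rules are assumptions for the example: the brief states that the inactivity timer overrides Persistent Login, that Force Login Prompt overrides the IdP timeout, and the ranges of 2 to 365 days and under 24 hours, and the model encodes exactly those statements.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Platform selects the inactivity behaviour the brief describes: desktops are
// logged out, mobile clients re-authenticate with biometrics instead.
type Platform int

const (
	Desktop Platform = iota
	Mobile
)

// Config models the settings discussed above. The field names are assumptions
// made for this example; they are not Citrix configuration keys.
type Config struct {
	ForceLoginPrompt  bool          // enabled by default; overrides the IdP timeout
	PersistentLogin   bool          // long-lived token on the device (cloud stores)
	PersistentDays    int           // 2..365; a new store defaults to 30
	InactivityTimeout time.Duration // 0 disables the timer; otherwise less than 24h
}

// Validate enforces the ranges the brief gives for the two lifetimes.
func (c Config) Validate() error {
	if c.PersistentLogin && (c.PersistentDays < 2 || c.PersistentDays > 365) {
		return errors.New("persistent login lifetime must be between 2 and 365 days")
	}
	if c.InactivityTimeout < 0 || c.InactivityTimeout >= 24*time.Hour {
		return errors.New("inactivity timeout must be less than 24 hours")
	}
	return nil
}

// Session is the per-device state the decision depends on.
type Session struct {
	AuthenticatedAt time.Time // last full authentication (token issue time)
	LastActivity    time.Time // last user interaction with CWA
	IdPSessionValid bool      // the IdP's own session is still within its timeout
	LoggedOut       bool      // the user explicitly logged out, discarding the token
}

type Outcome string

const (
	Allow     Outcome = "allow"              // silent access, no prompt
	Prompt    Outcome = "prompt-credentials" // full login prompt
	Biometric Outcome = "prompt-biometric"   // mobile inactivity re-check, session kept
)

// Evaluate applies the precedence stated in the brief: an explicit logout
// discards the token; the inactivity timer overrides Persistent Login; an
// unexpired token logs the user in silently. Only when no token applies does
// Force Login Prompt decide whether the IdP session alone is enough (assumed
// ordering; the brief states only that Force Login Prompt overrides the IdP timeout).
func Evaluate(c Config, s Session, p Platform, now time.Time) Outcome {
	if s.LoggedOut {
		return Prompt
	}
	if c.InactivityTimeout > 0 && now.Sub(s.LastActivity) >= c.InactivityTimeout {
		if p == Mobile {
			return Biometric
		}
		return Prompt
	}
	if c.PersistentLogin {
		expiry := s.AuthenticatedAt.Add(time.Duration(c.PersistentDays) * 24 * time.Hour)
		if now.Before(expiry) {
			return Allow
		}
	}
	if c.ForceLoginPrompt || !s.IdPSessionValid {
		return Prompt
	}
	return Allow
}

func main() {
	// Constructed sample: the defaults from the brief plus an 8-hour inactivity timer.
	cfg := Config{ForceLoginPrompt: true, PersistentLogin: true, PersistentDays: 30, InactivityTimeout: 8 * time.Hour}
	if err := cfg.Validate(); err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	login := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	s := Session{AuthenticatedAt: login, LastActivity: login, IdPSessionValid: true}
	fmt.Println("next morning, desktop:", Evaluate(cfg, s, Desktop, login.Add(22*time.Hour)))
	fmt.Println("next morning, mobile: ", Evaluate(cfg, s, Mobile, login.Add(22*time.Hour)))
	s.LastActivity = login.Add(21 * time.Hour)
	fmt.Println("recently active:      ", Evaluate(cfg, s, Desktop, login.Add(22*time.Hour)))
}
```

The point of `Validate` is that both lifetimes are bounded on the long side: a persistent token is capped at 365 days and the inactivity timer must be under 24 hours, so a misconfiguration cannot silently turn a shared device into a permanently logged-in one. The `Evaluate` order shows why the brief says the inactivity timer "overrides" Persistent Login: a still-valid long-lived token does not help once the device has been idle past the timeout.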
Type | CWA OS Supported | On-Premises/Cloud | Support |
---|---|---|---|
Inactivity Timer | Windows, Mac, Linux, Android, iOS, ChromeOS, Browser + native CWA, Browser + HTML5 | Cloud | Yes |
Inactivity Timer | Windows, Mac, Linux, Android, iOS, ChromeOS, Browser + native CWA, Browser + HTML5 | On-Premises | Yes |
Domain pass-through support on Citrix Workspace
Domain pass-through support for Citrix Workspace allows users to access virtual desktops and applications without the need to authenticate explicitly to the Citrix environment. Instead, users can use their Windows domain credentials to authenticate and gain access to their applications and desktops automatically.
When domain pass-through support is enabled, users logged in to their Windows desktop or laptop with their domain credentials can access their Citrix Workspace account and any associated virtual desktops or applications without reentering their credentials. This eliminates the need for users to remember multiple sets of login information and simplifies the authentication process.
Pre-requisites and conditions to be noted:
- Citrix Workspace must be configured with an IdP that supports Integrated Windows Authentication, for example Citrix Gateway, AAD (with AAD Seamless SSO), Okta, SAML, and so forth.
- This option works best on Windows clients.
- For Windows, clients can be AD or hybrid AAD joined.
- Linux thin clients can also be configured with a Kerberos profile.
- iOS/Mac also has a concept of Kerberos profile. In addition, they also can be enrolled in AAD using Intune, which allows SSO to AAD.
- For SSO to VDI on non-Windows clients, FAS is required.
- End-to-end login to CWA for Windows with SSO to VDI works if the user logs in to Windows OS using user name and password.
End Point Joined To | IdP | VDA Joined To | SSO to Workspace | SSO to VDA |
---|---|---|---|---|
AD | On-premises Gateway | AD | Yes | SSONsvr / FAS |
AD | Adaptive Authentication | AD | Yes | SSONsvr / FAS |
AD | gateway federated to another IdP (AAD/Okta) | AD | Yes | SSONsvr / FAS |
AD | Okta | AD | Yes | SSONsvr / FAS |
AD/Hybrid Joined | AAD(AD with AAD Connect) | AD | Yes | SSONsvr / FAS |
AD | Any SAML based IdP | AD | Yes | SSONSvr / FAS |
AD | AD | AD | No | N/A |
AD | AD + OTP | AD | No | N/A |
AD | AAD | AAD | No | N/A |
AAD | AAD without on-premises AD | AD | Yes | FAS |
AAD | AAD | AAD | Yes | User must enter credentials |
Non-Domain Joined | IdP that supports passwordless authentication | AD | No | FAS |
Notes
Clients need to be able to reach AD for Kerberos to work.
SSONSvr works only with a user name and password on the client. FAS is required if a user uses Windows Hello to log in and expects passwordless login.
Authentication may not be promptless in the cloud if LLT is enabled or if the end-user acceptance policy is configured.
Configuring FAS is recommended, as it applies to non-Windows platforms.
Domain Pass-through Support for StoreFront
Domain pass-through support for Citrix StoreFront allows users to access virtual desktops and applications without the need to authenticate explicitly to the Citrix environment. Instead, users can use their Windows domain credentials to authenticate and gain access to their applications and desktops automatically.
With domain pass-through support enabled, users logged in to their Windows desktop or laptop with their domain credentials can access their Citrix applications and desktops without having to reenter their credentials. This provides a more seamless user experience and helps to reduce the burden on IT support teams who would otherwise have to manage password resets and user authentication issues.
Pre-requisites and conditions to be noted:
- Configured in Windows.
- Credential insertion: healthcare software partners provide a user name and password to CWA to silently authenticate users.
- This also applies on Linux and uses a similar credential insertion SDK. SSO to VDI works the same as point 7 for on-premises stores.
End Point Joined To | StoreFront/Gateway | VDA Joined To | SSO to StoreFront | SSO to VDA |
---|---|---|---|---|
AD | StoreFront | AD | Yes | SSONsvr |
AD/Hybrid joined/Windows Hello for Business | StoreFront | AD | Yes | SSONsvr/FAS * |
AD | Gateway - Advanced Authentication | AD | Yes | SSONSvr |
AD | Gateway - Basic Authentication | | Yes | SSONSvr |
Note
A registry setting is needed to enable SSO.
Smart card/Derived Credentials Support
This option supports two methods of authenticating to CWA and logging in to the VDI session: smart card authentication and derived credential authentication.
Smart card authentication involves using a physical smart card that contains the user’s digital identity information, such as a public key certificate or private key. When the user inserts the smart card into a card reader, the card reader reads the digital identity information and sends it to CWA for authentication. This method ensures higher security than traditional user name and password authentication, as the smart card cannot be easily duplicated or stolen.
Derived credential authentication, on the other hand, uses a mobile device to authenticate a user. When a user logs into CWA on their mobile device, the device generates a derived credential based on their digital identity information. The derived credential is then sent to CWA for authentication rather than the user’s physical smart card. This method offers users a higher level of convenience, as they can authenticate themselves using their mobile devices without carrying a separate smart card.
Password-less Authentication (Workspace)
Type | CWA OS | IdP | Pre-launch Support | Post-launch SSO to VDA (pin caching) | Smart Card Usage Within Session |
---|---|---|---|---|---|
Smart Card | Windows | On-premises Gateway/AD/AAD | Yes | No | Yes |
Smart Card | Browser using native CWA | On-premises Gateway/AD/AAD | Yes | No | Yes |
Smart Card | Browser with HTML5 | On-premises Gateway/AD/AAD | No | No | No |
Smart Card | Mac | On-premises Gateway/AD/AAD | No | No | Yes |
Smart Card | Linux | On-premises Gateway/AD/AAD | No | No | Yes |
Smart Card | ChromeOS | On-premises Gateway/AD/AAD | Yes | No | Yes |
Smart Card | iOS | On-premises Gateway/AD/AAD | No | No | Yes |
Smart Card | Android | On-premises Gateway/AD/AAD | No | No | Yes |
Derived Credentials | iOS | On-premises Gateway/AD/AAD | No | No | Yes ** |
Derived Credentials | Android | On-premises Gateway/AD/AAD | No | No | No |
Notes
Any IdP that supports smart card authentication via federation can support SSO.
Support for iOS exists with Purebred only.
Password-less Authentication (StoreFront)
Authentication Via | OS | Launch Support | StoreFront Login Support | Gateway - Basic Auth | Gateway - Advanced Auth | Smart Card in Session |
---|---|---|---|---|---|---|
Smart Card | Windows | Pre-Launch | Yes | Yes | Yes | Yes |
Smart Card | Browser + native CWA | Pre-Launch | Yes | Yes | Yes | Yes |
Smart Card | Browser - HTML5 | Pre-Launch | No | Yes | No | No |
Smart Card | Mac | Pre-Launch | Yes | Yes | Yes | Yes |
Smart Card | Linux | Pre-Launch | Yes | Yes | No | Yes |
Smart Card | ChromeOS | Pre-Launch | Yes | Yes | No | Yes |
Smart Card | iOS | Pre-Launch | Yes | Yes | No | Yes |
Smart Card | Android | Pre-Launch | Yes | Yes | No | Yes |
Smart Card | Windows | Post-Launch - SSO to VDA (pin caching) | Yes | Yes | No | Yes |
Smart Card | Browser + native CWA | Post-Launch - SSO to VDA (pin caching) | No | No | No | Yes |
Smart Card | Browser - HTML5 | Post-Launch - SSO to VDA (pin caching) | No | No | No | No |
Smart Card | Mac | Post-Launch - SSO to VDA (pin caching) | Yes | Yes | No | Yes |
Smart Card | Linux | Post-Launch - SSO to VDA (pin caching) | Yes | Yes | No | Yes |
Smart Card | ChromeOS | Post-Launch - SSO to VDA (pin caching) | No | No | No | Yes |
Smart Card | iOS | Post-Launch - SSO to VDA (pin caching) | No | No | No | Yes |
Smart Card | Android | Post-Launch - SSO to VDA (pin caching) | No | No | No | No |
Derived Credentials | iOS | Pre-Launch | Yes | Yes | No | Yes |
Derived Credentials | Android | Pre-Launch | No | No | No | No |
Derived Credentials | iOS | Post-Launch - SSO to VDA (pin caching) | No | No | No | Yes |
Derived Credentials | Android | Post-Launch - SSO to VDA (pin caching) | No | No | No | No |
FIDO2 support with Workspace/Storefront- Passwordless Auth
FIDO2 is an authentication standard that allows users to securely and conveniently authenticate to online services using public key cryptography. FIDO2 enables passwordless authentication, eliminating users’ need to create and remember passwords and reducing the risk of phishing and other cyber-attack forms.
With CWA FIDO2 support, users get a passwordless authentication experience that is both secure and convenient. They can log into their Citrix Workspace account without remembering passwords, making it easier to work securely from anywhere and on any device. FIDO2 support also helps to enhance security posture by reducing the risk of password-related cyber-attacks.
Type | CWA OS | Supported IdPs | Pre-Launch Support | VDA Login with FIDO Security Key | Using FIDO Security Key Within Session |
---|---|---|---|---|---|
FIDO | Windows | Any IdP that supports FIDO | Yes | No | Yes |
FIDO | Browser using native CWA | Any IdP that supports FIDO | Yes | No | Yes |
FIDO | Browser with HTML5 | Any IdP that supports FIDO | Yes | No | No |
FIDO | Mac | Any IdP that supports FIDO | No | No | Yes |
FIDO | Linux | Any IdP that supports FIDO | No | No | Yes |
FIDO | ChromeOS | Any IdP that supports FIDO | Yes | No | No |
FIDO | iOS | Any IdP that supports FIDO | No | No | No |
FIDO | Android | Any IdP that supports FIDO | No | No | No |
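The section above says FIDO2 uses public key cryptography and reduces phishing risk without explaining why. The following Go program is added here to show the mechanism; it is an illustration, not Citrix or FIDO Alliance code, and it simplifies WebAuthn (no signature counter, attestation or extensions). The relying party ID `workspace.example.com`, the origins and the challenge bytes are constructed values for the example. The security key signs over the origin the browser observed, so an assertion produced on a look-alike site fails the relying party's origin check even though the user, the key and the challenge are all genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the (simplified) WebAuthn client data the authenticator signs over.
// The browser, not the page, fills in Origin with the site it is actually on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the relying party's challenge
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the client.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // SHA-256(rpID) || flags (counter and extensions omitted)
	Signature         []byte // ES256 (ECDSA P-256), ASN.1 encoded
}

// Authenticator models a FIDO2 security key: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the credential public key the relying party stored at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage is authenticatorData || SHA-256(clientDataJSON), WebAuthn's signing input.
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// Assert runs the authentication ceremony for a given challenge and browser origin.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01) // flags byte with UP (user present) set
	digest := sha256.Sum256(signedMessage(authData, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// Verify is the relying-party side; each check is one a password form cannot make.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, issued []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Origin != expectedOrigin { // this is the check that defeats a look-alike site
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(issued) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 33 || string(as.AuthenticatorData[:32]) != string(rpIDHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	digest := sha256.Sum256(signedMessage(as.AuthenticatorData, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

func main() {
	// Constructed sample: the genuine Workspace origin versus a look-alike origin.
	key, _ := NewAuthenticator()
	challenge := []byte("constructed-random-challenge")
	good, _ := key.Assert("workspace.example.com", "https://workspace.example.com", challenge)
	bad, _ := key.Assert("workspace.example.com", "https://workspace-example.com", challenge)
	fmt.Println("genuine site:", Verify(key.PublicKey(), "workspace.example.com", "https://workspace.example.com", challenge, good))
	fmt.Println("look-alike:  ", Verify(key.PublicKey(), "workspace.example.com", "https://workspace.example.com", challenge, bad))
}
```

Two properties carry the "reduces phishing" claim in the text: the private key never leaves the security key, so there is no secret a user can be tricked into typing, and the origin is bound into the signed data by the browser, so a credential harvested on the wrong site is useless on the right one. The challenge check additionally makes each assertion single-use, which is why a captured assertion cannot be replayed later.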