Citrix Cloud

Conditional Authentication (Technical Preview)

Note:

Features in the Technical Preview are available to use in non-production or limited production environments, and to give customers an opportunity to share feedback. Citrix does not accept support cases for features in technical preview but welcomes feedback for improving them. You can provide feedback on this feature by clicking Send us your feedback. Citrix might act on feedback based on its severity, criticality, and importance.

Conditional Authentication is a new security feature to help further enhance your Zero Trust framework. Conditional authentication allows Citrix Cloud admins to direct end users to different IdPs during the Workspace login flow based on policy conditions you set. As such, different end users will have different levels of access verification based on risk factors established by the Administrator.

At the time of writing, four different switching conditions are supported that will direct your end users to different IdP instances based on the policies you define.

Conditional Authentication

Common use cases

  • Mergers and Acquisitions, where a large parent organization contains multiple smaller copanies in the process of merging.
  • Granting Workspace access to third party users and contractors by directing them to a dedicated IdP, OIDC application or SAML application, which is different from what full time employees within your organization are normally authorized to use.
  • Large Organizations with multiple branches or departments that require different authentication mechanisms.

Prerequisites

  • AD Directory synced to your IdP and connected to Citrix Cloud via the Citrix Cloud Connector. Resource assignment in the DaaS Web Studio console requires Active Directory.
  • Two or more Identity providers created in Citrix Cloud Identity and Access Management page

Configuring Conditional Authentication

  1. Click Create conditional authentication profile.

    Create conditional authentication profile

  2. Enter a name for your profile and then click Create authentication policy.

    Create authentication policy

  3. Select the conditions to apply to the policy as needed then click Save.

    Authentication conditions

  4. Navigate to Workspace Configuration and click Authentication to select your identity provider or conditional authentication profile.

    Authentication

Conditional Authentication concepts

Conditional Authentication Profile

A Conditional Authentication Profile consists of several Conditional Authentication Policies that controls how your end users authenticate to Workspace depending on the conditions you define. This profile allows for policy prioritization and reordering, enabling you to specify the sequence in which policies should be evaluated.

Conditional Authentication Policy

A Conditional Authentication Policy is a policy comprising one or more conditions. These conditions, when met using AND logic, guide the end user’s login process to a specific target IdP instance, such as Okta OIDC, SAML, or Gateway IDP connection. Individual policies can be cloned, allowing for modification and renaming as needed.

Each policy consists of the following data:

  • Policy Rules which are one or more conditions that must be met to direct the end user to a particular IdP instance. For example, Workspace URL 1 is used AND user is a member of AD Group1.
  • Policy Result which is the target IdP instance the user is directed to during the logon process. For example, Workspace URL 1 is used AND user is a member of AD Group1 → AAD SAML IDP Instance.
  • Policy Name - which is an admin friendly name used to identify and describe the policy. For example, Workspace URL 1 AND Group1 - AAD SAML.
  • Policy Priority which determines the order in which the policy is evaluated. Priorities are evaluated in descending order. For example: Priority 1 is higher than Priority 2.

Conditional Authentication Pre-Authentication Page

Depending on how your Workspace is configured and the conditions set in your conditional authentication profile, your Workspace users might encounter a pre-authentication page during their login process. This page is essential for capturing the Workspace user’s username format, which is crucial for making decisions based on conditional authentication policies. It ensures that the user’s login flow is directed to the appropriate IdP instance.

Citrix Workspace

Login Auto-Fill

When a pre-authentication page is necessary, we’ve introduced a login auto-fill feature that automatically populates the username field on the login page with the user’s input from the pre-authentication page. This eliminates the need for users to enter their username twice.

The login auto-fill feature is administered and configured by the administrator in the Conditional Authentication Profile settings, as illustrated below:

  1. Click Manage settings in the Conditional Authentication profile page.

    Manage settings

  2. Click Edit

    Edit

  3. Select the IdPs you would like to enable Login auto-fill for.

    Select IDP

Important:

Login auto-fill is only available for IdPs that support it and will be enabled and enforced by default for AD & AD+TOTP (see screenshot above for the default settings).

Certain IdPs expect a specific login format and some can support more than one type of username format. For example, Google CIoud Identity requires users to login with their email address (user.name@domain.com), which may sometimes be different from their UPN (username@domain.com). If the Workspace end user enters a down-level logon name (domain\username) in the pre-authentication page, the down-level logon name will be pre-populated within the IdP login page username field and cause an error when the user attempts to logon. Administrators should consider the IdP switching policy condition that is most appropriate and which username formats a particular IdP is expecting to receive during the logon process before configuring the login auto-fill feature.

Policy Condition Types

Workspace URL

Within Workspace Configuration > Access, each Workspace URL can be linked to a distinct IdP instance. Furthermore, multiple Workspace URLs can be associated with the same policy, directing your end users to the same IdP instance.

Note:

If a profile exclusively consists of policies with Workspace URL conditions, users will skip the pre-authentication page and be directly redirected to the IdP. However, if the profile includes any policy with conditions other than Workspace URL, the pre-authentication page will be presented to the end user, regardless of whether the matching policy is of Workspace URL type.

Workspace URL

AD user group membership

AD user group membership allows you to designate an IdP instance for a specific group of Active Directory users based on their group membership.

UPN Suffix or Domain Down-Level Logon Name are two mutually exclusive policy conditions. These determine the required username format that your end users must enter into the pre authentication page. You cannot use both of these conditions within the same policy.

UPN suffix

UPN Suffix: Configure an IdP instance for one or more UPN suffixes, such as username1@domain.com or username2@domain.net.

Domain Down-Level Logon Name: Assign an IdP instance to one or more domain names, like DOMAIN1\username1 or DOMAIN1.COM\username1.

When one of the two mutually exclusive conditions is selected, the dropdown menu option for the other condition is disabled to prevent it from being added to the same policy.

Policy Rules

Known issues and limitations

  • Conditional Authentication currents supports all previously listed IdPs but only supports AD directory. This limitation will be removed in future releases. As such, resource assignment to users in Studio needs to be done through AD.

    Select users

  • Assigning a negative priority to a policy does not function as intended. This issue will be resolved in future updates.
  • At present, Conditional Authentication does not support custom domains. This feature is scheduled for inclusion in future updates.
Conditional Authentication (Technical Preview)