Citrix Adaptive Authentication service
Adaptive Authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. The Adaptive Authentication service verifies the user identity and authorization levels based on factors such as location, device status, and end user context. Using these factors, the Adaptive Authentication service intelligently chooses the appropriate authentication methods and enables access to authorized resources.
In addition, an admin can also enable contextual access for these users to access their applications and desktops. The Adaptive Authentication service can be used by the Citrix Secure Private Access and Citrix DaaS customers.
Advanced authentication capabilities
The Adaptive Authentication service is a Citrix managed and Citrix Cloud hosted ADC that provides all the advanced authentication capabilities such as the following:
Multifactor authentication: Multifactor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Customers can configure various combinations of factors in the multifactor authentication mechanism based on the business requirement. For details, see Sample authentication configurations.
Device posture scans: Users can be authenticated based on the device posture. Device posture scan, also known as endpoint analysis scan, checks if the device is compliant. For example, if the device is running the latest OS version, service packs, and registry keys are set. Security compliance involves scans to check if an antivirus is installed or the firewall is turned on and so on. The device posture can also check if the device is managed or unmanaged, corporate owned, or BYOL.
Device Posture service: Device Posture service enforces zero trust principles in your network by checking the end devices for compliance before allowing an end-user to log in. To use the Adaptive Authentication service and Device Posture service together, you can configure the Device Posture service and continue to use the authentication method as Adaptive Authentication (Citrix Cloud > Identity and Access Management). For details about the Device Posture service, see Device Posture.
Note:
If you are configuring device posture with adaptive authentication, do not configure EPA policies on the Adaptive Authentication instances.
Conditional authentication: Based on the user’s parameters, such as network location, device posture, user group, time of the day, conditional authentication can be enabled. You can use one of these parameters or a combination of these parameters for doing conditional authentication.
Example of a device posture-based authentication: You can do a device posture scan to check if the device is a corporate managed or BYOD.
- If the device is a corporate managed device, you can challenge the user with the simple AD (user name and password).
- If the device is a BYOD, you can challenge the user with the AD plus RADIUS authentication.
If you plan to selectively enumerate virtual apps and desktops based on network location, then user management has to be performed for those delivery groups using Citrix Studio policies instead of workspace. When creating a delivery group, in the users setting, either choose Restrict use of this Delivery Group to the following users or Allow any authenticated users to use this Delivery Group. This enables the Access Policy tab under Delivery Group to configure adaptive access.
Contextual access to Citrix DaaS: Adaptive Authentication enables contextual access to Citrix DaaS. Adaptive Authentication surfaces all the policy information about the user to Citrix DaaS. Admins can use this information in their policy configurations to control the users actions that can be performed on Citrix DaaS. User action, for example, can be enabling or disabling clipboard access, and client drive mapping printer redirection.
Contextual access to Secure Private Access and other Citrix Cloud services through Adaptive Authentication is planned in the upcoming releases.
Logon page customization: Adaptive Authentication helps the user to highly customize the Citrix Cloud logon page.
Additional Adaptive Authentication capabilities
The following are the capabilities supported in Citrix Workspace with Adaptive Authentication.
- LDAP (Active Directory) support
- LDAPS (Active Directory) support
- Directory Support for AD, Azure AD, Okta
- RADIUS support (Duo, Symantec)
- AD + token built-in MFA
- SAML 2.0
- OAuth, OIDC support
- Client Certificate authentication
- Device posture assessment (Endpoint analysis)
- Device Posture service
- Integration with third-party authentication providers
- Push notification through the app
- reCAPTCHA support
- Conditional/policy driven authentication
- Authentication policies for smart access (contextual access)
- Logon page customization
- Self service password reset
Upgrade and maintenance of Adaptive Authentication instances
All upgrades and maintenance of Adaptive Authentication instances are managed by the Citrix Cloud team. It is recommended that you do not upgrade or downgrade the Adaptive Authentication instances to random RTM builds. You can schedule upgrades according to your customer traffic. Schedule upgrade of your Adaptive Authentication instances. The Citrix Cloud team then upgrades your instances accordingly.
Important:
- The Citrix Cloud team periodically checks the communication to the instances. If there is a disconnect, the Adaptive Authentication support team might reach out to you to regain management of instances. If the instance management issue is not fixed, the Adaptive Authentication team cannot manage the upgrades. This might result in you running a vulnerable version.
- It is recommended that you enable email notifications to receive emails about entitlement expiry and disk space usage details. For details, see Notifications.
- Because Adaptive Authentication instance upgrades are managed by Citrix, customers must ensure that there is enough space (a minimum of 7 GB) in the VAR directory for the upgrade. For details on how to free the space on the VAR directory, see How to free space on the VAR directory.
- Do not change the high availability status from ENABLED to STAY PRIMARY or STAY SECONDARY. The high availability status must be ENABLED for Adaptive Authentication.
- Do not change the password for the user (authadmin) on the Adaptive Authentication instances. The Adaptive Authentication team cannot manage the upgrades if the password is changed.
Shared security responsibilities
Actions needed from customers
Following are some of the actions from the customers as part of security best practices.
-
Credentials for accessing the Adaptive Authentication UI: The customer is responsible for creating and maintaining the credentials for accessing the Adaptive Authentication UI. If the customer is working with Citrix Support to resolve an issue, the customer might need to share these credentials with support personnel.
-
Multifactor authentication: As a best practice, customers must configure multifactor authentication policies to prevent unauthorized access to the resources.
-
Authentication Credentials: Customers must configure their authentication credentials as per the general security and password standards.
-
Remote CLI access security: Citrix provides remote CLI access for customers. However, customers are responsible for maintaining the security of the instance during runtime.
-
SSL private keys: As the NetScaler is under customer control, Citrix does not have any access to the file system. Customers must ensure that they safeguard the certificates and keys that they are hosting on the NetScaler instance.
-
Data backup: Back up the configuration, certificates, keys, portal customizations, and any other file system modifications.
-
Disk images of the NetScaler instances: Maintain and manage the NetScaler disk space and disk clean-up. For details, see Disk space management for instances.
-
For a sample load balanced LDAPS configuration, see Sample load balanced LDAPS configuration.
Actions needed from both the customer and Citrix
-
Disaster recovery: In supported Azure regions, the NetScaler high availability instances are provisioned in separate availability zones to safeguard against data loss. In the event of Azure data loss, Citrix recovers as many resources in the Citrix-managed Azure subscription as possible.
In the event of the loss of an entire Azure region, the customer is responsible for rebuilding their customer-managed virtual network in a new region and creating a new VNet peering.
-
Secure access via the public management IP address:
Secure the access to the management interfaces by assigned public IP addresses and allow outbound connectivity to the Internet.
Limitations
- Certificate bundle is only supported for certificates of type PEM. For other bundle types, it is recommended to install the root and intermediate certificates and linking them to the server certificate.
- Load balancing with a RADIUS server is not supported.
- RADIUS authentication is impacted for a few minutes if the connector serving the RADIUS request goes down. The user must reauthenticate in this case.
-
DNS tunneling is not supported. Static records must be added on NetScaler for the FQDNs used in authentication policies/profiles (LDAP/RADIUS) for authentication servers in the customer’s on-premises data center.
For details on adding DNS static records, see Create address records for a domain name.
- Test Network connectivity in the LDAP profile might show an incorrect result as “Server is reachable” even if the connectivity to the LDAP server is not established. Error messages such as “port is not open”, or “server is not LDAP” might be displayed to indicate the failure. In this scenario, it is recommended that you collect the traces and troubleshoot further.
- For EPA scans to work on macOS, you must bind the default ECC curves to the authentication and authorization virtual server by selecting the ECC Curve option as ALL.
Service quality
Adaptive Authentication is a high availability (active-standby) service.