Adaptive Authentication service

Citrix Cloud customers can use Citrix Workspace to provide Adaptive Authentication to Citrix DaaS. Adaptive Authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. Adaptive Authentication service is a Citrix managed and Citrix Cloud hosted ADC that provides all the advanced authentication capabilities such as the following:

Multifactor authentication: Multifactor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Customers can configure various combinations of factors in the multifactor authentication mechanism based on the business requirement. For details, see Sample authentication configurations.

Device posture scans: Users can be authenticated based on the device posture. A device posture scan, also known as an endpoint analysis scan, checks whether the device is compliant: for example, whether the device is running the latest OS version and service packs, and whether the required registry keys are set. Security compliance scans check whether an antivirus is installed, whether the firewall is turned on, and so on. The device posture scan can also determine whether the device is managed or unmanaged, corporate owned, or BYOL.

Conditional authentication: Conditional authentication can be enabled based on the user’s parameters, such as network location, device posture, user group, or time of day. You can use one of these parameters or a combination of them. Example of device posture-based authentication: you can run a device posture scan to check whether the device is corporate managed or BYOD. If the device is corporate managed, you can challenge the user with simple AD authentication (user name and password). If the device is BYOD, you can challenge the user with AD plus RADIUS authentication.

If you plan to selectively enumerate virtual apps and desktops based on network location, user management for those delivery groups must be performed using Citrix Studio policies instead of Workspace. When creating a delivery group, in the Users setting, choose either Restrict use of this Delivery Group to the following users or Allow any authenticated users to use this Delivery Group. This enables the Access Policy tab under Delivery Group, where you configure adaptive access.

Contextual access to Citrix DaaS: Adaptive Authentication enables contextual access to Citrix DaaS. Adaptive Authentication surfaces all the policy information about the user to Citrix DaaS. Admins can use this information in their policy configurations to control the actions users can perform on Citrix DaaS, for example enabling or disabling clipboard access, client drive mapping, or printer redirection.

Contextual access to Secure Internet Access and other Citrix Cloud services through Adaptive Authentication is planned in the upcoming releases.

Logon page customization: Adaptive Authentication lets you extensively customize the Citrix Cloud logon page.

Adaptive Authentication capabilities

The following are the capabilities supported in Citrix Workspace with Adaptive Authentication.

  • LDAP (Active Directory)
  • Directory Support for AD, Azure AD, Okta
  • RADIUS support (Duo, Symantec)
  • AD + token built-in MFA
  • SAML 2.0
  • OAuth, OIDC support
  • Client Certificate authentication
  • Device posture assessment (Endpoint analysis)
  • Integration with third-party authentication providers
  • Push notification through the app
  • reCAPTCHA
  • Conditional/policy driven authentication
  • Authentication policies for SmartAccess (Contextual access)
  • Logon page customization
  • Self service password reset

Prerequisites

  • Reserve an FQDN for your Adaptive Authentication instance. For example, aauth.xyz.com, assuming xyz.com is your company domain. This FQDN is referred to as the Adaptive Authentication service FQDN in this document and is used when provisioning the instance. Map the FQDN to the IdP virtual server public IP address. This IP address is obtained after provisioning, in the Upload Certificate step.
  • Procure a certificate for aauth.xyz.com. Certificates must contain the SAN attribute; otherwise they are not accepted.

  • Adaptive Authentication UI does not support uploading of certificate bundles. To link an intermediate certificate, see Configure intermediate certificates.

  • Choose your connectivity type for on-premises AD/RADIUS connectivity. Two options are available (Citrix Cloud Connector and Azure VNet peering). If you do not want data center reachability, use the connector connectivity type.

  • Configure network time protocol (NTP) server to avoid time skews. For details, see How to synchronize system clock with servers on the network.

Points to note

  • Citrix recommends that you do not run clear config on any Adaptive Authentication instance, and that you do not modify any configuration with the prefix AA (for example, AAuthAutoConfig), including certificates. Doing so disrupts Adaptive Authentication management and impacts user access. The only way to recover is through reprovisioning.
  • Do not add SNIP or any additional routes on the Adaptive Authentication instance.
  • User authentication fails if the customer ID is not in all lowercase. You can convert your ID to all lowercase and set it on the ADC instance by using the command set cloud parameter -customerID <all_lowercase_customerid>.
  • The nFactor configuration required for the Citrix Workspace or Citrix Secure Private Access service is the only configuration customers are supposed to create directly on the instances. Currently there are no checks or warnings in Citrix ADC that prevent admins from making other changes.
  • Do not upgrade the Adaptive Authentication instances to random RTM builds. All upgrades are managed by Citrix Cloud.
  • Only the Windows-based Cloud Connector is supported. Connector Appliance is not supported in this release.
  • If you are an existing Citrix Cloud customer and have already configured Azure AD (or other authentication methods), to switch to Adaptive Authentication (for example, device posture check), you must configure Adaptive Authentication as your authentication method and configure the authentication policies in the Adaptive Authentication instance. For details, see Connect Citrix Cloud to Azure AD.
  • For RADIUS server deployment, add all connector private IP addresses as the RADIUS clients in the RADIUS server.
  • Do not add your LDAP or RADIUS servers as a service or a server.
  • In the current release, the external ADM agent is not allowed and therefore Citrix Analytics (CAS) is not supported.
  • Citrix Application Delivery Management service collects the backup for your Adaptive Authentication instance. To extract the backup from ADM, onboard the ADM service. For details, see Config backup and restore. Citrix does not take the backups explicitly from the Adaptive Authentication service. Customers must take the backup of their configurations from the Application Delivery Management service if necessary.

How to configure the Adaptive Authentication service

Access the Adaptive Authentication user interface

You can access the Adaptive Authentication user interface by one of the following methods.

  • Manually type the URL https://adaptive-authentication.cloud.com.
  • Log in using your credentials and select a customer.

    After you are successfully authenticated, you are redirected to the Adaptive Authentication user interface.

OR

  • Navigate to Citrix Cloud > Identity and Access Management.
  • In the Authentication tab, in Adaptive Authentication, click the ellipsis menu and select Manage.

The Adaptive Authentication user interface appears.

The following figure illustrates the steps involved in configuring Adaptive Authentication.

[Figure: Provisioning main page]

Step 1: Provision Adaptive Authentication

Perform the following steps:

  1. On the Adaptive Authentication UI, click Provision.
  2. Select the preferred connection for Adaptive Authentication.

    • Citrix Cloud Connector: For this connection type, you must set up a connector in your on-premises network. Citrix recommends that you deploy at least two Citrix Cloud Connectors in your environment to set up a connection to the Citrix Gateway hosted on Azure. You must allow your Citrix Cloud Connector to access the domain/URL you have reserved for the Adaptive Authentication instance. For example, allow https://aauth.xyz.com/*.

      For details on Citrix Cloud Connector, see Citrix Cloud Connector.

    • Azure VNet peering: You must set up the connectivity between the servers using Azure’s VNet peering.

    [Figure: Connection type]

    To add a Citrix Cloud Connector as your preferred connection:

    Perform the following steps.

    • Select the Citrix Cloud Connector option, and then select the end user agreement check box.
    • Click Provision. Provisioning might take up to 30 minutes.

    Note:

    For connector connectivity type, make sure that your Adaptive Authentication FQDN is reachable from the connector virtual machine after provisioning.

    To set up Azure VNet peering:

    If you select Azure VNet peering as your connection, you must add the subnet CIDR block to be used to provision the Adaptive Authentication instance. Ensure that this CIDR block does not overlap with your organization’s other network ranges.

    For details, see Set up connectivity to on-premises authentication servers using Azure VNet peering.

  3. Set up credentials to access the instances that you have enabled for Adaptive Authentication. You need the management console access for creating policies for authentication, conditional access, and so on.

    1. In the Console access screen, enter the user name and password.
    2. Click Next.

    Note: Users created from the Console access screen are granted “SuperUser” privileges, which include shell access.

    [Figure: Console access]

  4. Add the Adaptive Authentication service FQDN and upload the certificate-key pair. You must enter the Adaptive Authentication service FQDN of your choice for the publicly accessible authentication server.

    1. In the Upload Certificate screen, enter the FQDN that you have reserved for Adaptive Authentication.
    2. Select the certificate type.
    3. Upload the certificate and the key.

    Note:

    • Install your intermediate certificate on the Adaptive Authentication instance and link it with the server certificate.

      1. Log in to the Adaptive Authentication instance.
      2. Navigate to Traffic Management > SSL. For details, see Configure intermediate certificates.
    • Only public certificates are accepted. Certificates signed by private or unknown CAs are not accepted.
    • Certificate configuration must be done using the Adaptive Authentication UI only. Do not change it directly on the instance as this might result in inconsistencies.

    [Figure: Add FQDN]

  5. Upload the certificate and the key.

    The Adaptive Authentication instance is now connected to the Identity and Access Management service. The Adaptive Authentication method status is displayed as Connected.

    [Figure: Adaptive Authentication connected on IDAM]

  6. Set up the IP addresses through which the Adaptive Authentication management console can be accessed.
    1. In the Allowed IP addresses screen, for each instance, enter a public IP address as the management IP address. To restrict access to the management console, you can add multiple IP addresses that are allowed to reach it; all other addresses are denied.
    2. To add multiple IP addresses, click Add, enter the IP address, and then click Done. Repeat this for every IP address. If you do not click Done, the IP address is shown only in the user interface and is not saved to the database.

    [Figure: Allowed IP addresses]

  7. Specify a set of resource locations (connectors) through which AD or RADIUS servers can be reached.

    Admins can choose the connectors through which backend AD and RADIUS servers are reached. To enable this feature, customers set up a mapping between their backend AD/RADIUS server subnets and resource locations, so that authentication traffic destined for a configured subnet is directed to the mapped resource location. If a subnet is not mapped to a resource location, admins can specify that the wildcard (any available) resource location is used for it.

    Previously, Adaptive Authentication traffic for on-premises AD/RADIUS was directed to any available resource location using the round robin method. This caused issues for customers with multiple resource locations.

    1. On the Adaptive Authentication UI, click Manage Connectivity.
    2. Enter the subnet details and select the respective resource location. Note: If you clear the Use any available resource location for remaining subnets check box, only the traffic directed towards the configured subnets is tunneled.
    3. Click Add, and then click Save Changes.

    Note:

    • Only RFC1918 IP address subnets are allowed.
    • The number of subnet-resource location mapping per customer is limited to 10.
    • Multiple subnets can be mapped to a single resource location.
    • Duplicate entries are not allowed for the same subnet.
    • To update the subnet entry, delete the existing entry and then update.
    • If you rename or remove the resource location, make sure to remove the corresponding entry from the Adaptive Authentication instance as well.

    [Figure: Specify connectors]
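The rules in the note above (RFC1918 subnets only, at most 10 mappings, no duplicate subnet entries, several subnets allowed per resource location, and the optional wildcard resource location for unmapped subnets) can be modelled as a small resolver. The following Python is an added example written for this page, not Citrix code and not the service's actual implementation; the resource location names, the server IPs, and the choice to prefer the most specific subnet when mapped subnets overlap are assumptions made for illustration.

```python
"""Model of the Manage Connectivity rules for on-premises AD/RADIUS traffic.

Added example (not Citrix code). It encodes the constraints the page states:
  - only RFC1918 subnets may be mapped,
  - at most 10 subnet-to-resource-location mappings per customer,
  - no duplicate entry for the same subnet (delete, then re-add, to update),
  - multiple subnets may map to a single resource location,
  - traffic for an unmapped subnet goes to the wildcard ("any available")
    resource location only if that option is enabled; otherwise it is not
    tunneled.
Assumption (not stated on the page): when overlapping subnets are mapped, the
most specific (longest prefix) mapping wins.
"""
import ipaddress
from typing import Dict, Optional

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MAX_MAPPINGS = 10  # per-customer limit stated in the page's note
WILDCARD = "ANY"   # stands for "use any available resource location"


class ConnectivityMap:
    def __init__(self, use_any_for_remaining: bool = True) -> None:
        # Mirrors the "Use any available resource location for remaining
        # subnets" check box.
        self.use_any_for_remaining = use_any_for_remaining
        self.mappings: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, cidr: str, resource_location: str) -> None:
        """Validate and store one subnet -> resource location entry."""
        net = ipaddress.ip_network(cidr, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"{cidr}: only IPv4 RFC1918 subnets are allowed")
        if not any(net.subnet_of(private) for private in RFC1918):
            raise ValueError(f"{cidr}: only RFC1918 subnets are allowed")
        if net in self.mappings:
            raise ValueError(f"{cidr}: duplicate entry; delete the existing entry to update it")
        if len(self.mappings) >= MAX_MAPPINGS:
            raise ValueError(f"limit of {MAX_MAPPINGS} subnet mappings per customer reached")
        self.mappings[net] = resource_location

    def remove(self, cidr: str) -> None:
        """Delete an entry (the page's way to update a subnet mapping)."""
        del self.mappings[ipaddress.ip_network(cidr, strict=True)]

    def resolve(self, server_ip: str) -> Optional[str]:
        """Return the resource location for an AD/RADIUS server address.

        Returns WILDCARD when the address is unmapped and the wildcard option is
        on, and None when it is unmapped and the traffic would not be tunneled.
        """
        addr = ipaddress.ip_address(server_ip)
        candidates = [net for net in self.mappings if addr in net]
        if candidates:
            best = max(candidates, key=lambda net: net.prefixlen)  # assumption: longest prefix wins
            return self.mappings[best]
        return WILDCARD if self.use_any_for_remaining else None


if __name__ == "__main__":
    # Constructed sample values: two data-center subnets share one resource
    # location, a branch subnet has its own, and one server is unmapped.
    cmap = ConnectivityMap(use_any_for_remaining=True)
    cmap.add("10.10.0.0/16", "rl-dc-east")
    cmap.add("10.20.0.0/16", "rl-dc-east")
    cmap.add("192.168.5.0/24", "rl-branch")
    for ip in ("10.20.3.4", "192.168.5.9", "172.16.1.1"):
        print(ip, "->", cmap.resolve(ip))
```

Clearing the wildcard option (`use_any_for_remaining=False`) reproduces the behaviour the note describes: only traffic for the configured subnets is tunneled, and `resolve` returns `None` for everything else.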

Step 2: Configure Adaptive Authentication policies

After provisioning, you can access the Adaptive Authentication management IP address directly. However, accessing the instance by IP address is not trusted, and many browsers block the access with warnings. Citrix recommends that you access the Adaptive Authentication management console with an FQDN to avoid these security barriers. You must reserve an FQDN for the Adaptive Authentication management console and map it to the primary and secondary management IP addresses.

For example, if the primary management IP address of your Adaptive Authentication instance is 20.1.1.1 and the secondary is 20.2.2.2, then:

  • primary.domain.com can be mapped to 20.1.1.1

  • secondary.domain.com can be mapped to 20.2.2.2

After accessing the Adaptive Authentication instance, you can then configure the authentication flow use cases as per your requirement. For various use cases, see Sample authentication configurations.

To access the Adaptive authentication management console using the FQDN, see Configure SSL for ADC Admin UI access.

Configure Adaptive Authentication policies

Important:

  • In a high availability setup, the certificates are synchronized as part of the synchronization process, so use a wildcard certificate.
  • If you need a unique certificate for each node, upload the certificate files and keys to a folder that is not synchronized (for example, create a separate folder, nosync_cert, in the nsconfig/SSL directory) and then upload the certificate on each node individually.
  • To enable single sign-on to applications, ensure that you enable the Send Password option in the OAuth IdP profile.

Step 3: Enable Adaptive Authentication for Workspace

After provisioning is complete, you can enable authentication for Workspace by clicking Enable in the Enable Adaptive Authentication for Workspace section.

[Figure: Enable Adaptive Authentication for Workspace]

Note:

With this step, the Adaptive Authentication configuration is completed.

Migrate your authentication method to Adaptive Authentication

Customers already using Adaptive Authentication with Citrix Gateway as the authentication method must migrate to Adaptive Authentication and then remove the OAuth configuration from the Adaptive Authentication instance.

  1. Switch to a different authentication method other than Citrix Gateway.
  2. In Citrix Cloud > Identity and Access Management, click the ellipsis button corresponding to Citrix Gateway and then click Disconnect.

    [Figure: Disconnect gateway]

  3. Select I understand the impact on the subscriber experience, and then click Confirm.

    When you click Confirm, Workspace login for end users is impacted, and Adaptive Authentication is not used for authentication until it is enabled again.

  4. In the Adaptive Authentication instance management console, remove the OAuth related configuration.

    By using the CLI (unbind the OAuth IdP policy from the authentication virtual server, then remove the policy and its profile):

    unbind authentication vs <authvsName> -policy <oauthIdpPolName>
    rm authentication oauthIdpPolicy <oauthIdpPolName>
    rm authentication oauthIdpProfile <oauthIdpProfName>
