Overview
There’s a new feature in Citrix DaaS called Conditional Authentication (currently in private tech preview; you can sign up here) that assigns different authentication methods based on filter conditions, solving existing limitations of Cloud Workspace authentication.
Conditions will initially include:
- Domain and UPN
- Group membership
- Workspace URL
Configuration
As soon as the TP is enabled for your DaaS tenant, you get a new button that lets you add more IdPs:
Choose the needed IdPs and provide a name – you can add more than one of the same IdP type (for example, four different Entra ID tenants):
After adding all the IdPs you need, you have to create a Profile. A Profile contains the Conditional Authentication policies, but only one Profile can be active as the Workspace authentication. You can create dev, test and prod Profiles and switch between them for testing purposes.
Next, you can create multiple policies with different conditions:
After the configuration of the required policies in the profile, you can enable Conditional Authentication for usage as Workspace Authentication. You can now choose between your created Profiles:
This is what my current usage of Conditional Authentication in my lab looks like: just a simple decision on the UPN suffix that redirects to the matching Entra ID tenant:
Current Limitations
Update – the following Limitations are now fixed – see below.
No Read-Only Username placing after Group Filtering
What I encountered when testing group extraction first, followed by password only (for example, filtering on an Emergency-NoMFA AD group), is that the previously entered username / UPN is not carried into the next factor as read-only. So after this:
I’m getting this:
Here I can enter ANY username and get password-only authentication for it, which is currently a security gap.
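To make the policy conditions above and this username-binding gap concrete, here is a small Python model of the two-step flow (policy selection on the entered UPN, then the password-only factor). It is added here and is not Citrix code or anything from the post; the directory, the policies and the first-match-wins ordering are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (UPN -> AD group names); not taken from the post.
DIRECTORY = {
    "alice@lab.example": {"Domain Users"},
    "bob@lab.example": {"Domain Users", "Emergency-NoMFA"},
    "carol@partner.example": {"Domain Users"},
}

@dataclass
class Policy:
    name: str
    method: str                          # e.g. "AD", "AD+OTP", "EntraID-OIDC"
    upn_suffix: Optional[str] = None     # condition: Domain and UPN
    group: Optional[str] = None          # condition: Group membership
    workspace_url: Optional[str] = None  # condition: Workspace URL

    def matches(self, upn: str, groups: set, url: str) -> bool:
        return ((self.upn_suffix is None or upn.endswith("@" + self.upn_suffix))
                and (self.group is None or self.group in groups)
                and (self.workspace_url is None or self.workspace_url == url))

# Evaluated top-down, first match wins (an assumption of this model).
POLICIES = [
    Policy("break-glass", "AD", group="Emergency-NoMFA"),
    Policy("partner tenant", "EntraID-OIDC", upn_suffix="partner.example"),
    Policy("csp tenant", "EntraID-OIDC", workspace_url="tenant-a.cloud.example"),
    Policy("default", "AD+OTP"),
]

def select_method(upn: str, url: str) -> str:
    """Step 1: pick the auth method from the UPN the user typed first."""
    upn = upn.lower()
    groups = DIRECTORY.get(upn, set())
    for p in POLICIES:
        if p.matches(upn, groups, url):
            return p.method
    return "deny"

def password_only_factor(policy_upn: str, form_upn: str, enforce_upn: bool) -> str:
    """Step 2: the account the following password-only factor authenticates.
    enforce_upn=False reproduces the tech-preview gap (editable username field):
    any UPN typed here inherits the decision made for policy_upn.
    enforce_upn=True models the fix: UPN pre-populated and read-only."""
    return policy_upn.lower() if enforce_upn else form_upn.lower()

def effective_login(policy_upn: str, form_upn: str, url: str, enforce_upn: bool):
    """(authenticated UPN, method applied) for the whole two-step flow."""
    return password_only_factor(policy_upn, form_upn, enforce_upn), select_method(policy_upn, url)
```

Run `effective_login("bob@lab.example", "alice@lab.example", "ws.example", False)` to see the gap: alice is authenticated with the "AD" decision made for the break-glass group she is not in; with `enforce_upn=True` the decision stays bound to bob.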
No Auto-Fill of UPN to external IdPs
The next finding concerns UPN filtering first, so starting again with that:
and getting this as the next factor (Entra ID OIDC was linked) – a better user experience would be to send the UPN along so Entra ID can auto-fill the UPN previously entered on the Conditional Authentication logon page:
Solutions
The good thing – both findings will be fixed soon. This is confirmed by Product Management. The following settings will be available:
AD / AD+OTP -> Pre-populate and enforce UPN
Entra ID (OIDC) / Okta -> Give the admin a setting to pre-populate the UPN (no enforcement possible)
Google Identity -> Engineering is checking the pre-populate of the UPN, not confirmed yet
SAML -> Not feasible
Update 12.08.24: the previously listed limitations are fixed
The listed limitations are now fixed since the feature moved to public preview.
When you go to Manage settings inside your Conditional Auth Profile:
You can configure auto-fill per auth-method – Active Directory and Active Directory + Token are enabled by default, SAML 2.0 isn’t supported:
I did a quick test with a group membership filter that results in Active Directory only – now my UPN is auto-filled and read-only, so the previously mentioned security gap is gone:
The same applies to Entra ID: now my UPN is sent to Entra ID for auto-fill:
Summary
Conditional Authentication can eliminate the previously required IdP / authentication decision mechanisms such as Adaptive Authentication or Citrix Gateway (both of which are NetScaler with nFactor). It provides more flexibility for complex authentication designs with a built-in solution.
It also allows a single Workspace URL to be used for multiple customers – a great setup for a CSP with Multi-Tenant DaaS.
Another great blog post Julian! Thanks!
Nice one 👍👍 thanks for this.
I would even say huge benefit for single tenant, as well.
Thanks Julian, for the great post. As you mentioned, the “Login Auto Fill” capability is now available within the Conditional Authentication public preview.
Thanks for the Reminder, Daniel! I’ve updated the post with the new settings.