ThinOS and Azure MFA SAML Authentication

#49806
brian1020
Participant

My organization is moving to retire our EOL RSA two-factor authentication for externally connected 3040 ThinOS devices in favor of Microsoft Azure MFA. Azure MFA is a SAML-based authentication which requires a browser for pass-through, as the native Citrix receiver has no way of providing a web page to sign on to Azure. The user then gets a prompt (or phone call or text) from the Microsoft Authenticator App to approve the connection. ThinOS needs a lightweight browser to get to a normal Netscaler / Storefront logon page where an .ica file can be downloaded. After the .ica file is downloaded the client normally has an association with the file type (ThinOS does not have file association types) and knows to open those files with the native receiver to launch; the .ica file contains all the necessary connection settings.


I’ve brought this up the chain to our Dell reps as a feature set for ThinOS 9, currently slated for December 2019. The Citrix side of our organization recently got Azure MFA working for iOS and the native Citrix receiver by following these write-ups:

    https://www.ferroquesystems.com/2019/02/howto-citrix-workspace-app-saml-auth-to-citrix-gateway-via-a…

    https://discussions.citrix.com/topic/398621-workspace-app-saml-support/

    https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

    The issue with ThinOS is we always get a Dell “modified” version of Citrix receiver (in the case of the write ups we need Citrix Workspace 1903 or 1904 for this to work) that doesn’t support all the features of the full native client.

I thought I would reach out to the community and see who is road-mapped for using Microsoft Azure MFA and who also uses ThinOS devices, and what your plans are. Maybe if there are enough of us running ThinOS converting to Azure MFA that require this type of enhancement to ThinOS we can get it pushed up the development ladder for ThinOS 9. I’d much prefer sticking with the over 300 externally deployed teleworker ThinOS devices instead of switching to a 3040 Thin Linux device (which does work with Azure MFA; I’ve tested already). I don’t like the Thin Linux presentation and configuration in WMS 1.3 vs ThinOS.

    Thanks for taking the time to read and respond.

    EDIT: I’ve talked with a Dell SE that recommended I come to this forum because he has a customer that they helped get Azure MFA working with ThinOS.

#49817
ConfGen
Keymaster

And that Dell SE didn’t tell you how they helped the other customer?

    CG

#49821
brian1020
Participant

Not yet, waiting to schedule time with the SE, Citrix Team, and our Azure MFA SME. I will certainly report back my findings. The document he wanted me to check out from here was Configuring-DUO-with-Citrix-NetScaler-for-ThinOS-Multifactor-Authentication, due to its similar configuration to Azure MFA and NetScaler settings. It sounded like most of what we need to change is in the Azure console, but speaking with the Citrix folks, they think the customer who has this working may have Azure MFA on-prem and not Cloud only, due to the on-prem offering some different authentication choices.

    I will report back if we get this working or not and document our steps.

#49828
aletson
Participant

    Hi! I don’t have anything substantial to add here for you, but will say that my company is in the same situation trying to migrate to Azure MFA and was also told that they would try and get it roadmapped for ThinOS 9.

    I tested the DUO configuration and was unsuccessful in getting it to work with Azure MFA. I do not think it is possible to get it working in ThinOS in current state.

    I received an update at the beginning of this month that my SR was unable to get a commitment one way or the other on adding it to the roadmap yet.

#49942
brian1020
Participant

As a follow-up, this would be possible if we had a Network Policy Server (NPS) on-prem; we don’t, we are using Azure Cloud. This works when MFA is set up at the Azure subscription level but not at an individual App level. Our Active Directory team wants MFA at the App level so they can support applications that won’t need MFA.


This Citrix article describes how to configure SAML with ADFS on the Netscaler, which is how we’re configured, but instead of the IDP being ADFS it’s the Azure Cloud version of ADFS, which has a callback to ADFS for some apps.

In our current state this will not work. It works in a browser-based configuration of Thin Linux 3040s, which we are reviewing, but doesn’t help with our external WTOS devices already deployed externally.
