Autologon / SSO to Azure AD Authentication logon prompt (ThinOS 9)

#53053
david.drum

    Hi,

    The business I work for desperately needs the feature to allow Wyse clients to auto-log on (using the “default user” option) to their applications while connecting to the public Citrix Gateway Service / Citrix Workspace (MyCompany@cloud.com) using Azure AD Authentication.

    We have lots of clients (dashboards and presentation screens) in the branches which don’t have access to our internal network so they need to auto-connect to their resources over the internet using the public MyCompany@cloud.com URL which uses Azure AD Authentication.

    Obviously, the issue is that the credentials specified in the “default user” option in WMS are not passed to the Azure AD Auth. logon prompt, and clients get stuck there.

    Spinning up Citrix Gateway (Netscaler) only for these specific clients seems to be an overkill and expensive solution which my company does not accept.

    I have already requested this enhancement via Wyse Support, but I have not been given any timescale for its implementation, and my concern is that the lack of such important features is causing Wyse to lose business like mine – I now have to find another solution for these clients.

    Does anyone know where exactly the above functionality is on the roadmap of ThinOS 9?

    Regards,

    (Screenshot: Azure AD logon prompt)

    #53069
    brian1020

    I have Azure AD SAML authentication working in WTOS9. I think your roadblock is going to be the approval of the authorization. I hit approve on the MFA app and it goes through launching the full workspace.

    From a 2FA perspective doesn’t an auto logon defeat the purpose of a secure 2FA?

    Am I misunderstanding your objective?

    #53070
    david.drum

    Hi Brian,

    Good point about the MFA app and approval.

    I need the auto-login to Azure AD Auth. to work in remote but secure/whitelisted locations where the service Active Directory accounts used by the Wyse clients are NOT prompted for a second factor or approval. This can be done with Azure Conditional Access.

    Can you think of any workaround for this without using Netscaler?
    My issue is that authentication in Citrix Cloud/Workspace can only be set globally for all users, so I don’t see a way to exclude some service AD accounts from Azure AD authentication and use them without MFA (after locking them down).

    Regards,

    #53072
    brian1020

    I don’t have enough experience with Microsoft 2FA SAML auth to know how to do that.

    Also, there is no option to populate the email address in WMS, nor do I think that would even be an option in WMS; I would think that would be your AD folks.

    Spitballing thoughts: maybe you can make a specific Store in StoreFront and the URL could populate the email needed, but I think that would need to be worked out with your Azure AD team, if that’s even possible.

    #53073
    david.drum

    Hmm, I don’t see any way of achieving this with our on-prem StoreFront servers, as they are not available to clients not on our network.

    Even if we exposed them to the internet, we would still probably need a solution to proxy ICA/HDX traffic, which means Netscaler/Citrix Gateway.

    Maybe @ConfGen could think of a workaround here since you are a Netscaler person?
