nFactor support for Citrix Secure Access client on macOS/iOS

Important:

Citrix SSO for iOS is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.

Multi-factor (nFactor) authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. Admins can configure different authentication factors that include client cert, LDAP, RADIUS, OAuth, SAML, and so on. These authentication factors can be configured in any order based on the organization’s needs.

Citrix Secure Access client on macOS/iOS supports the following authentication protocols:

  • nFactor – The nFactor protocol is used when an authentication virtual server is bound to the VPN virtual server on the gateway. Because the order of the authentication factors is dynamic, the client uses a browser instance that is rendered within the app’s context to present the authentication GUI.

  • Classic – Classic protocol is the default fall-back protocol used if classic authentication policies are configured on the VPN virtual server on the gateway. Classic protocol is the fall-back protocol if nFactor fails for specific authentication methods such as NAC.

  • Citrix identity platform – The Citrix identity platform protocol is used when authenticating to CloudGateway or Citrix Gateway service and requires MDM enrollment with Citrix Cloud.

The following table summarizes the various authentication methods supported by each protocol.

| Authentication method | nFactor | Classic | Citrix IdP |
|---|---|---|---|
| Client Cert | Supported | Supported | Not supported |
| LDAP | Supported | Supported | Not supported |
| Local | Supported | Supported | Not supported |
| RADIUS | Supported | Not supported | Not supported |
| SAML | Supported | Not supported | Not supported |
| OAuth | Supported | Not supported | Not supported |
| TACACS | Supported | Not supported | Not supported |
| WebAuth | Supported | Not supported | Not supported |
| Negotiate | Supported | Not supported | Not supported |
| EPA | Supported | Supported | Not supported |
| NAC | Not supported | Supported | Not supported |
| StoreFront | Not supported | Not supported | Not supported |
| ADAL | Not supported | Not supported | Not supported |
| DS-AUTH | Not supported | Not supported | Supported |

nFactor configuration

For details about configuring nFactor, see Configuring nFactor authentication.

Important:

To use the nFactor protocol with Citrix Secure Access client on macOS/iOS, the recommended NetScaler Gateway on-premises version is 12.1.50.xx and later.

Limitations

  • Mobile-specific authentication policies such as NAC (network access control) require the client to send a signed device identifier as part of the authentication with NetScaler Gateway. The signed device identifier is a rotatable secret key that uniquely identifies a mobile device that is enrolled in an MDM environment. This key is embedded in a VPN profile that is managed by an MDM server. It might not be possible to inject this key into the WebView context. If NAC is enabled on an MDM VPN profile, Citrix Secure Access client on macOS/iOS automatically falls back to the classic authentication protocol.

  • You cannot configure a NAC check with Intune for macOS because, unlike for iOS, Intune does not provide an option to enable NAC for macOS.
