{"id":3767,"date":"2020-06-10T16:31:49","date_gmt":"2020-06-10T16:31:49","guid":{"rendered":"http:\/\/axendatacentre.com\/blog\/?p=3767"},"modified":"2020-09-09T16:02:30","modified_gmt":"2020-09-09T16:02:30","slug":"azure-ad-saml-sign-in-with-virtual-smartcard-to-citrix-virtual-apps-desktops","status":"publish","type":"post","link":"http:\/\/axendatacentre.com\/blog\/2020\/06\/10\/azure-ad-saml-sign-in-with-virtual-smartcard-to-citrix-virtual-apps-desktops\/","title":{"rendered":"Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops"},"content":{"rendered":"\n

Consider this an evergreen post as of 10\/06\/2020<\/span><\/em><\/strong><\/p>\n\n\n\n

Introduction
<\/strong>The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own<\/span><\/em> “either Enterprise vs. Personal” Identity<\/span><\/em> (ByoI<\/span><\/em>) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen. <\/p>\n\n\n\n

The Employee Experience<\/strong><\/p>\n\n\n\n

#AzureAD<\/a> #SAML<\/a> Sign-in with a Virtual Smartcard for @citrix<\/a> Virtual Apps & Desktops enabling a consistent SSO experience when running workloads in #Azure<\/a> #AWS<\/a> #GCP<\/a> On-Premises or in all of them. pic.twitter.com\/38FDBLgNfJ<\/a><\/p>\u2014 Lyndon-Jon Martin \ud83d\udc68\ud83c\udffb\u200d\ud83d\udcbb (@lyndonjonmartin) June 10, 2020<\/a><\/blockquote>