Citrix Integration

Introduction

The Acceptto Solution for Citrix provides Cognitive Continuous Authentication™ to protect access to your Citrix NetScaler and StoreFront, and the resources protected by these systems. It also provides valuable insight into user behavior and threat landscape using our Risk Engine, while reducing authentication friction for legitimate users and increasing the attack effort for threat actors.

Prerequisites
  1. Installation of the Acceptto Appliance to provision the users to eGuardian®.
  2. The user population must be provisioned as It’sMe™ users.
  3. A user with Administrative rights to configure Citrix NetScaler or Citrix StoreFront.

High Level Integration Steps
  1. Install the Acceptto Appliance in your environment.
  2. Invite all the Citrix users to create an It’sMe™ account.
  3. Users download and install the It’sMe™ application and associate their mobile device with their eGuardian® accounts.
  4. Depending on your security needs and the Citrix system requiring protection, select one of the following options:
    1. Once all the users have an eGuardian account, configure the Citrix NetScaler to authenticate to the Acceptto Appliance using RADIUS.
    2. Once all the users have an eGuardian account, configure the Citrix StoreFront to authenticate to the Acceptto Appliance using RADIUS or SAML.

User Experience Login to NetScaler using RADIUS
  1. The user logs on to the system using their Active Directory credentials.
     [Image: Citrix login form]
  2. The user receives a push notification on the It’sMe mobile application.
     [Image: It’sMe transaction]
  3. The user approves the notification and receives a log entry showing the transaction.
     [Image: It’sMe dashboard]
  4. The user is allowed access to the NetScaler resources.
     [Image: Citrix NetScaler dashboard]

NetScaler and Acceptto RADIUS Architecture

[Image: Citrix flow chart]
  1. The Provisioning gateway component gathers the Active Directory users.
  2. Users are provisioned in eGuardian.
  3. eGuardian sends invitations to users for enrollment purposes.
  4. The users provide information to complete the enrollment.
  5. When a user attempts to access a protected resource behind the NetScaler, the user is prompted for their username and password.
  6. NetScaler sends the credentials to the Acceptto Appliance RADIUS server.
  7. The Acceptto Appliance RADIUS server verifies the credentials against Active Directory.
  8. Active Directory accepts or rejects the credentials.
  9. If the credentials are valid, the RADIUS server sends an authentication request to eGuardian.
  10. eGuardian evaluates the request and if necessary sends a push notification to the user.
  11. The user approves the notification and is given access to the protected resources.
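
Steps 6 and 7 above at the packet level, as an added example that is not Acceptto or Citrix code. It goes beyond the page by following the RFC 2865 Access-Request layout and User-Password hiding; the user name, password and shared secret are whatever constructed values the caller passes in.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        prev = result if hiding else block  # the chain always runs over the hidden bytes
        out += result
    return out


def build_access_request(user: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """What the RADIUS client (here, the NetScaler) sends in step 6."""
    pw = password.encode()
    if not 0 < len(pw) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    authenticator = os.urandom(16)  # Request Authenticator, fresh for every request
    padded = pw + b"\x00" * (-len(pw) % 16)
    attrs = b""
    for attr_type, value in ((USER_NAME, user.encode()),
                             (USER_PASSWORD, _keystream_xor(padded, secret, authenticator, True))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS server recovers before it checks the credentials (step 7)."""
    if (len(packet) < 20 or packet[0] != ACCESS_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Access-Request")
    pos, fields = 20, {"id": packet[1]}
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("bad attribute length")
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if attr_type == USER_NAME:
            fields["user"] = value.decode()
        elif attr_type == USER_PASSWORD:
            clear = _keystream_xor(value, secret, packet[4:20], False)
            fields["password"] = clear.rstrip(b"\x00").decode(errors="replace")
        pos += packet[pos + 1]
    return fields
```

On this leg the user name travels in clear and the password is covered only by an MD5 keystream keyed with the RADIUS shared secret. Use a long random secret per client and keep the NetScaler-to-appliance traffic on a trusted network segment.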

User Experience Login to NetScaler using SAML
  1. The user accesses the NetScaler login page and is redirected to the Acceptto SAML IdP Service.
     [Image: QR code on Acceptto SAML]
  2. The user scans the QR code and a message is shown asking the user to approve the login.
     [Image: Transaction timer countdown]
  3. The user is allowed access to the NetScaler resources.
     [Image: Citrix NetScaler dashboard]

NetScaler and Acceptto SAML IdP Architecture

[Image: Citrix flow chart]
  1. The Provisioning gateway component gathers the Active Directory users.
  2. Users are provisioned in eGuardian.
  3. eGuardian sends invitations to users for enrollment purposes.
  4. The users provide information to complete the enrollment.
  5. The user attempts to access a protected resource and is redirected.
  6. The Citrix NetScaler redirects the user to the SAML IdP Service.
  7. The user scans a QR code.
  8. The SAML IdP Service sends an authentication request to the eGuardian Server.
  9. eGuardian evaluates the request and if necessary sends a push notification to the user.
  10. The user approves the notification and is given access to the protected resources.

User Experience Login to StoreFront using Password and QR code
  1. The user logs on to the system using their Active Directory credentials.
     [Image: Citrix StoreFront login form]
  2. The user receives a push notification on the It’sMe mobile application.
     [Image: It’sMe transaction]
  3. The user approves the notification and receives a log entry showing the transaction.
     [Image: It’sMe dashboard]
  4. The user is prompted to scan a QR code via the Acceptto It’sMe mobile application.
     [Image: Citrix StoreFront QR code]
  5. The user is granted access to the StoreFront protected resources.
     [Image: Citrix StoreFront dashboard]

StoreFront password and QR login Architecture

[Image: Citrix flow chart]
  1. The Provisioning gateway component gathers the Active Directory users.
  2. Users are provisioned in eGuardian.
  3. eGuardian sends invitations to users for enrollment purposes.
  4. The users provide information to complete the enrollment.
  5. The user tries to access a protected resource and is prompted for their Active Directory credentials.
  6. The credentials are validated against Active Directory.
  7. StoreFront sends an authentication request to eGuardian and presents the user with a page with a QR code.
  8. The user scans the QR code and a push notification is sent to the It’sMe mobile application; the user approves the notification.
  9. eGuardian sends the authentication information to StoreFront and the user is granted access to the protected resources.

User Experience Login to StoreFront using the Acceptto SAML IdP Service
  1. The user opens the StoreFront login page and is redirected to a page asking the user to scan a QR code.
     [Image: QR code]
  2. The user scans the QR code and a push notification is sent to the It’sMe mobile application.
     [Image: It’sMe transaction]
  3. The user approves the notification and receives a log entry showing the transaction.
     [Image: It’sMe dashboard]
  4. The user is granted access to the StoreFront protected resources.
     [Image: Citrix StoreFront dashboard]

StoreFront Acceptto SAML IdP Service Architecture

[Image: Citrix flow chart]
  1. The Provisioning gateway component gathers the Active Directory users.
  2. Users are provisioned in eGuardian.
  3. eGuardian sends invitations to users for enrollment purposes.
  4. The users provide information to complete the enrollment.
  5. The user attempts to access a protected resource and is redirected.
  6. The Citrix StoreFront redirects the user to the SAML IdP Service.
  7. The user scans a QR code.
  8. The SAML IdP Service sends an authentication request to the eGuardian Server.
  9. eGuardian evaluates the request and if necessary sends a push notification to the user.
  10. The user approves the notification and is given access to the protected resources.

Support

If you require assistance, please email us at support@acceptto.com

