For Citrix NetScaler versions 10.5+, the No Certificate Redirect function is not supported if Subject:CN is selected from the User Name Field dropdown in the Certificate Authentication AAA section (resolved in NetScaler 11.0+ versions)
To access NetScaler with a SecureAuth IdP-issued certificate, end-users must go to the SecureAuth IdP certificate enrollment realm (SecureAuth IdP Configuration Steps below) first to enroll for a certificate, and then go into NetScaler where it is validated
Versions pre-10.5 support the No Certificate Redirect, so end-users can initiate the login process at Citrix and be redirected to SecureAuth IdP if no certificate is present
Use this guide to enable Multi-Factor Authentication access to Citrix Receiver AGEE.
SecureAuth IdP is a Variable Authentication Solution (VAS) that conducts multi-factor enrollment to create an X.509 client certificate that is specific to the user (tied to the data store user profile) and to the device.
The user will be prompted for the client certificate to access Citrix Receiver; and with the presentation of the certificate, a successful second factor authentication is accomplished.
1. Have a Citrix Receiver AGEE and access to the management console
2. Download the SecureAuth CA Public Certificates zip bundle
3. Create a New Realm for the Citrix Receiver integration in the SecureAuth IdP Web Admin
4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab: