Duration 43:46
Citrix Synergy TV - SYN131 - Geek's guide to the workspace (part 2): beyond Pa$$w0rds...

Daniel Feller
Lead Workspace Architect at Citrix
Citrix Synergy Atlanta 2019
May 22 2019, Atlanta, GA, United States

About the talk

Topic: IT

One hundred and seventy-seven and counting. That is how many different identities I have. Each identity has a password. Are they secure passwords? Probably not. Passwords, by nature, are insecure. Securing authentication is not easy because there are so many approaches available. In this session, we will look into many of these options, understand how they work and how they differ, and see how we can incorporate them into our primary Citrix Workspace identity. Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.

Transcript

So it's kind of interesting, the restaurants in Virtual Desktop take out the sessions happening next door. That's what I used to always do. Now I 00:06 know how all the other co-presenters at Synergy felt when I was presenting that session, cuz everyone's over there. So for those of you who skipped that 00:15 section to come here, thank you for joining us for part two of the Geek's Guide. How many were in part 1? Alright, alright. So 00:22 beyond passwords, you know, we love passwords. So why would you go beyond it? But there's a lot of reasons why, there's a lot of technology that 00:31

we're going to walk you through some of these things and how you can integrate this into Workspace. But so far, what we've done with 00:40 this whole Geek's Guide thing is we built the foundation in the last session, for all of you that were there. We built Workspace, integrated all the different 00:48 services, just at a very high level. We didn't do a lot of special configurations. That's what all these sessions are going to be. So in this section, 00:55 we're going to focus specifically on identity and how we can provide different forms of identity into a Workspace environment. So 01:03

identity is basically who you are, and if you think about things, you know, you end up with a lot of identities in the world. If you think about how 01:12 many different accounts you've created, you have a lot of unique identities. So if I look at my day and how I sign in, you start to see where 01:22 you get a lot of issues with having X. So first thing I do is I go to my home office desk. That is my front yard 01:32 about a week ago. No, a place like this is to keep your beer cold. Martin, your home office is a little different, right? Yeah, my whole life, 01:42

but we also had some pictures of the time when we don't work outside, like the picture you have over here. So it's interesting that 01:52 you don't have this hole in your work from home, just different places you can go in and different experiences. You have a way of working. But so you 02:02 go to your office. And then the next thing you're going to do is you're going to sign in to your desktop. Then you're going to sign into Gateway or 02:10 StoreFront or Workspace, whatever you're using, and then you can sign into different SaaS application identities, cuz my identity on the PC is 02:19

different than my identity for Workspace, which is different from my identities for all the different SaaS applications. So it's really hard to keep 02:28 all these things straight, all the different passwords associated with them. Cuz as you all know, we're supposed to have unique passwords for every 02:35 account that we have, and that's not going to be the case. Those are all my identities that I could come up with. So I counted mine when I saw 02:41 this slide and I came up with a number of 1107 identities that I'm using, the security guy. So this is like 02:50

7800, so bad. But there's a lot of, I have all these different 02:59 password complexity rules. It's really hard to come up with them, come up with unique ones, and when you have a good one, it's like for some reason or 03:09 another it's not going to allow it, cuz you didn't include a number, one of your letters uppercase, or you don't have some crazy character. So it really gets 03:17 difficult trying to come up with all these unique passwords. But in the end, this whole thing, all these things work the same: you have an identity. You 03:24

have multiple identities. Each one of those identities is coming from an identity provider, and then it gets stored in some datastore, an 03:33 identity datastore, for all these different systems you have, and you interact with these identity providers all the time, you know, when using technology 03:40 and beyond technology. So for example, a passport, that's your identity. Now if you have an American passport, the identity 03:47 provider comes from the US State Department. You have a credit card. That's my identity. Your identity provider is Visa, Mastercard, Discover, 03:57

whoever created that card, and then you have, of course, your Active Directory identity, which is coming from Windows Active Directory. And the 04:06 datastore is, you know, that .dit file. So that is how all these things fit together. Now when you talk about, when you integrate Citrix 04:15 Workspace into this, what you end up doing is you have a new thing, which is an identity broker, and that's what Workspace is doing. It's brokering the 04:25 identities for you. So you don't have to have that Citrix identity. You could use a different identity provider to log into your Citrix environment. 04:32

So here, with the passport, the identity broker in this scenario is TSA. When you go to the airport, 04:41 they're looking at it. One example of an identity broker in the credit card environment: you go to the grocery store, so there's the credit card readers. 04:51 That's an identity broker looking at your ID and validating it with the identity provider. And then with Workspace 05:00 we had this identity broker microservice for a while. It's just been Windows Active Directory and Azure Active Directory, but now it includes 05:07

things like Citrix Gateway, or an on-prem Gateway. It could be Google ID. It could be Ping, and a lot of different identity providers that 05:16 are out there that we're able to use to have you do that initial login to Workspace. And then from there, it's single sign-on to all your other 05:25 applications, whether it's SaaS web applications, whether it's the Citrix virtual apps and desktops, published apps, published desktops. So 05:34 that is the high level of identity. But the second part, so identity is who you are; then you move into authentication, and it's proving you are who 05:44

you say you are. And this is where you start getting the challenges: authentication factors. And you hear about this all the time: what 05:54 you know, or what you have, or what you are. These are the three main factors that we use to prove you are who you say you are 06:02 for authentication. So what you know could be something like a PIN or password. What you have, a token: could be a physical token, could be a virtual 06:11 token, could be a certificate, you know, something that you will physically have on your device or in your hand or, you know, with you. And then what you are, 06:20

you know, could be biometrics, retina scans, face recognition, new with Windows Hello. But all these things together are 06:28 the different factors that you can have when you authenticate. Now one of the ones I think is interesting, the more I learn about this, is I always hear 06:38 people talk about multi-factor authentication. Like in the best princess movie in the whole world, "inconceivable": people say 06:47 multi-factor authentication thinking it's a product you can buy. It's not; it's a concept. So MFA is basically taking two of these, taking either 06:56

what you know and what you have, or what you have and what you are, and combining them together, and that's multi-factor: using multiple factors to authenticate 07:06 into the environment. So we talked about multi-factor. We talked about integrating, you know, multiple approaches just to authenticate you into 07:13 the environment, and then that takes us to the next stage, which is authorizing. Yes. So, old-fashioned: the theme of the 07:23 day is beyond passwords. So what we've been talking about so far, it's mostly the stuff that most of you know, so I have a quick question: how many of 07:33

you are using Windows? Okay, the next question that I have: how many of you have something to complain about in Microsoft Windows? And I want to see all the 07:40 hands. Now my big complaint, when we talk about security, is that thanks to Microsoft, most of the Windows administrators don't 07:50 understand the difference between authentication and authorization. No one outside of the Windows world is going to 08:00 understand what you mean. So what we are doing in Windows is that we log on to the domain controller and we are authorized at the same time. Now how 08:10

this would look like in real life: I'm going through the same example with the passport and State Department. So imagine that you go to the airport 08:20 and you wait in the line. You just need to drop off your luggage. The only thing you give them is the passport, you wait to be authenticated, 08:28 then you can leave the luggage. You go to TSA, wait in the line, hand them over the passport, wait for your authentication and authorization. Then you 08:37 can go. You go to the gate. You have to wait, you have to show them the passport again. You need to be authenticated and authorized at the same time. 08:46

You go to board the plane. You have to show them the passport, you need to wait to get authenticated. Daniel Poltergeist about the flight. That's not 08:53 how it's going to be, right? So what we are doing in real life is we are combining authentication and authorization: 09:03 you go to the TSA, you show them the passport, you are authenticated, you get the token, in this case the boarding 09:12 pass, and you are just going to show this everywhere. I can quickly go through because you are already authenticated; you are just authorizing to board 09:22

the plane. Now the concept that I'm going to talk about, this is pretty much based on OAuth 2.0 or OpenID Connect 09:29 and secure authorization. This is beyond passwords. This is something that allows us to bypass this traditional password. 09:39 And what I want to do is, I'm using some application, and I would like this application to get the documents 09:48 that I have on Google. How the modern authorization works is that the web application is going directly to Google and it's going to request 09:58

access to this document. The next step: Google is just going to authenticate me. If I'm already signed in, it's just going to ask me, do you want to 10:07 give access to this document? When I click yes, the next step is that Google is going to directly contact the web application and 10:17 provide it with the data. This is a simplified version, but this is how the authorization works. Now there are a few interesting things 10:26 about this concept. The first one is delegation. You are saying, 10:36

I would like to give permission for this application to access this one, and I don't want to sit in the middle. I just want to delegate the access. To 10:46 give you another example of something that you are doing pretty much every day, whether you know you are using this concept: I'm using Xbox One. I'm using the 10:55 Netflix application. The Netflix application is asking me to log on, and when I log on and I authenticate, it's the Netflix client that is authenticating against 11:04 the Netflix service, and from that moment, I'm delegating access to the client to use the content. The fact that I'm logged in, it 11:14

doesn't mean that my family cannot watch Netflix, because I'm able to completely delegate the access. Now I was also saying that this 11:24 is more secure. Why is this more secure? There are two reasons, and notice that all this communication is completely bypassing the user. 11:33 So if you would like to have a man-in-the-middle attack that is listening to the traffic, he would need to sit between Google and the web application 11:42 and not on my endpoint. It's really easy to infect my endpoint, but infecting Google as a company, that's definitely not. The last reason 11:51

why we are calling this modern and secure is, let's say that this data is highly sensitive. What if it's my Social Security number? 12:01 Notice that the Social Security number is never going to the end user. It's never going to the endpoint. So even though I'm delegating access, I'm 12:12 saying this application can access this data that I have, through my identity, but the data itself will never leave my endpoint. So that's why we call 12:21 this modern and secure, and this is the modern concept that is slowly coming to the Windows world, and this is something that pretty much allows us to 12:31

stop using the password in the future. Now, there are a couple of modern 12:39 authorization methods. One really good example is TOTP. So a lot of you have probably seen something like TOTP before: you get the 12:48 numbers that change every 30 or 60 seconds, and we used to have those physical tokens. And now there are virtual tokens on your mobile 12:58 device. So within Workspace, what we can do is, there's this ability to turn this on for users, so they can use this to help provide the 13:05

multi-factor authentication into Workspace instead of just username and password. So when we look at it and we think about this, it just makes things a 13:15 little more secure for our environment, because you have that number that's changing. So let's look a little deeper on how this 13:22 actually works, how TOTP actually works within the environment. So first thing is there's all of these different authenticator applications. You've got 13:32 Microsoft Authenticator, Google, you've got the Citrix SSO, and there's tons more. If you go on the app stores, there are tons of them. These are all 13:41

based on an industry standard, so it doesn't matter. Within Citrix Workspace, to use TOTP, the time-based one-time password, you don't have to use Citrix 13:49 SSO. You can use Microsoft Authenticator, Google Authenticator, cuz it's all a standard. It's all just industry standards on setting this up. So we 13:57 go back to the factors now, and let me show you why this is now considered multi-factor. The user, at some point, launches a 14:07 web application. So the web app is now going to provide you with a password prompt, and then provide you with the TOTP prompt, and then based on 14:15

you putting those in correctly, you get authenticated; the identity provider authenticates you. So the password prompt is something you know, cuz it's 14:25 just a password that you created. You should know it. TOTP, it's something you have, and we will show you why in a little bit. Why is it something you have? 14:34 What is that piece of information that you have that makes TOTP a different factor for the environment? This is how we end up getting multi-factor 14:43 authentication with TOTP. So with TOTP, it's all based on a pre-shared key, and you get this key from the infrastructure. So what 14:50

happens is when you register for a token, a key appears, and the key gets stored on your endpoint device, on your mobile device, and it gets stored on 15:00 the infrastructure. What happens then is when you launch the authenticator app and try to authenticate with this, the system takes that key and 15:10 uses an algorithm against the current time and comes up with a 6-digit number that changes every 30 seconds. Now, because the backend 15:20 infrastructure has the exact same key, and hopefully the time is synchronized, it should get the exact same number, and then when you enter that in, it's 15:29

just a simple comparison: does this number match this number? Yes. Okay, then you have the right, you have that pre-shared key. So that pre-shared key is 15:38 the something, you know, that's what gives you the multi-factor authentication within the environment. So when we start adding TOTP 15:48 into the, you know, Workspace environment, I heard a lot of people dropping the T, cuz there is also OTP, one-time password, and there's also 15:57 time-based one-time password. So we're talking about a time-based one-time password, but they're almost identical, but there are some unique 16:04

differences in it. So there really isn't the same underlying infrastructure, except with OTP, this is when you 16:13 go to a website to authenticate with your username and password, and it comes up with something like this, and it says we are sending you a token. We're 16:22 sending you the six-digit number you need to enter, and you can pick: do you want it SMS'd to you, or if you don't have access to SMS, it could email it to 16:32 you. So here's the problem: email, you're accessing it with a password. So it's no longer, this OTP no longer is an additional 16:40

factor. It's not something, you know, because I can access the email with something you know, get that token and enter it in there. So I've eliminated that 16:50 something-you-have factor. There is no something you have. SMS would be the something you have, cuz it's tied to your phone. But if I can bypass that, and a 16:59 lot of these do let you bypass the SMS, cuz you might not have cell phone connectivity, it will email you instead, and email is just 17:07 a password. Whereas TOTP, it's a local app. You have a pre-shared key on the local device, which is something you have, to give you the 17:17

multi-factor. The reason why one could be better than the other is OTP requires connectivity. You have to have connectivity, either 17:27 mobile connectivity through cell phones, or you have to have access to your email to be able to get that code that they sent you. Whereas TOTP, 17:37 it's completely offline. It'll work whether you're in airplane mode or not, whether you have a Wi-Fi connection or not; it'll always work just because it's 17:46 a local application using a local key that you've installed as part of the token registration process. So conceptually, if we look at the 17:54

first-time user, what is happening is a new user connects to Workspace app from your device and connects up to the Workspace experience running in 18:03 Citrix Cloud. And this is going to go ahead and go to this whole identity broker microservice, and the user is going to say, hey, I don't have a token, 18:11 register me. I need to register a token. So Workspace is going to talk to this email registration microservice, and it's going 18:19 to email you a verification code to the email that is associated with your identity in Workspace app. And then it's going to verify 18:29

the code that it sent you in email, and then it's going to verify your credentials, you know, back to Active Directory. And 18:38 once you have that, it's going to give you this token that you'll be able to scan within the authenticator app. And now you have that token. You 18:48 have your time-based one-time password set up. So then when you actually want to go ahead and authenticate using this, you go ahead and log into Workspace 18:55 app, it talks to the Workspace experience microservice, which now provides you with username, password and the TOTP prompt. So you enter 19:03

username and password, then you launch your token, you enter the prompt, and it goes ahead and authenticates the token first and then goes 19:12 back to the backend identity provider that you've selected and authenticates you again, in this case. And then once that's done, it talks to this 19:19 whole resource feed microservice and then gathers all the resources that you are authorized to access, whether it's virtual desktops, which SaaS 19:28 or web applications are you authorized to access. So take a look at how this actually works within Workspace app or the overall Workspace environment. 19:35

So within Citrix Cloud, what we're going to do is, in the identity section, there's a section for your Active Directory and token. So go ahead and turn it on. 19:45 So this is basically saying we will allow this within the environment to authenticate. It's one of our approved authentication 19:55 methods. So for this particular Workspace deployment now, we're going to go ahead and turn it on for all the users. So basically it was just a radio 20:05 button. So we enabled it. So now, alright, so 20:15

we can go in here and look to see if users have a token already registered. So in case you have a token registered already, 20:24 you know, if you already had this thing going, you can go in there and delete them, and that'll force the user to re-register their token. From the 20:34 user perspective, what you end up having is, you launch Workspace app, and here I don't have a token yet; the admin reset it 20:42 cuz one of my devices was stolen. So I can go in here and enter my password and my email address that's associated with this account. So it's now 20:52

emailing me this verification code. I enter that in along with my password for my account. So it's verifying it, and here's 21:02 my token. So you scan this with your phone, or you enter in that code, after you download the authenticator app, of course, and then you now have 21:12 that 6-digit token that changes. So that QR code is your key. If you can't scan it, 21:21 there's a whole string of alphanumeric characters you can enter manually, but this was going to go ahead and scan it, and there's the token all set up. 21:30

So once that's done, the user can then go back and redo their authentication into Workspace using their 21:40 username, using their password, and using that token, and it goes ahead and authenticates you into the environment and you'll be able to access 21:49 different applications. Some considerations on this, at least from the Workspace perspective: 21:56 there's this whole thing called a replay attack. If they can get your password, how long can I use that to break into the system using something 22:06

like this? You have 30 seconds. So I can give Martin my token, and he has thirty seconds to log in. And after that, he will no longer be able to use that. 22:15 So if somebody's looking over your shoulder and they see the number, they have 30 seconds to hurry up and enter that, assuming they have your 22:23 username and password. From the Workspace side, it only supports one device. You can only have one token associated per user, 22:30 but there's nothing preventing you from taking this thing and scanning it across multiple devices. And this is something really stupid 22:39

to do: to put your token on a screen in, you know, a presentation, I guess, where you have a lot of technical people who are going to try to start 22:48 scanning this. I see you with your phone out. So just so you know, I have modified the QR code and the numbers, because I don't trust anyone, and this is 22:56 actually for a test app, or test account, that's not even alive anymore. But if you use this and you're putting out documentation for your 23:04 users on how to do this, don't put your real key in there, because it's not going to work. So you could actually scan this with one of these authenticators 23:14

and you will get a token. It's just not the right token. You will get numbers, but it's not the right numbers associated with that 23:23 account. So that is how you start adding multi-factor authentication into a Workspace. So 23:31 let me tell you a life story that happened to me. We do this to kind of open this section, and it happened recently, because it happened to me on Friday 23:43 last week. So I'm doing the identity monitoring for my whole family. I'm a bit paranoid, and I found out that my wife's account has been hacked 23:52

and pretty much every single password that she's using is available on the deep web, if anyone wants to buy it. I spent a 24:02 beautiful weekend before Synergy trying to find all the identities that she's using, trying to find which duplicate accounts she has, doing 24:11 kind of assessments of what's happening. And then she asked me, which password should I use to make sure that it is secure? And it was a really 24:21 stupid question to ask, because I started giving her the list of how the password should be, how it should be long, how it should start using like the 24:30

local slang in her native language, English. And she came back to me after 2 hours and she just told me, I forgot the password 24:38 that you just told me. So we actually spent, I showed her this one, because I was trying to explain to her that you 24:47 can actually have access to websites and to services without using any passwords at all. And one of the ways how you can do it is 24:57 federation. So I told her, she's not on any social media, but I told her, you should create a Facebook account that you are going to use only 25:05

for authentication and nothing else. You don't need to add any family member, nothing. And when you go to the website and you see all these options, sign 25:15 in with Google, sign in with Facebook, what you are looking at is called federation. And it's, people believe that federation allows you 25:24 to use one account if you have multiple systems. That's not really how it works. What federation allows you to do is that you have your 25:34 account, yes, one identity, but you use that account, and use this identity to link multiple accounts together, to kind of chain the 25:42

accounts together. Again, this is not about using one account across multiple systems; it's about linking these accounts together. 25:52 For the end-user experience, it looks like it's one; technically speaking, it's again multiple accounts that are linked together. 26:01 So now to show you again, this is going to be a very similar example as I was showing for the authorization, because this is the same technology, pretty 26:13 much. Let's say that I'm going to log on to this job application, and I don't want to register and I don't want to create a new identity, and I 26:22

know that they have an option, sign in with Google. So I love it and I would like to use it. So I click on sign in with Google account. And what 26:31 this application is going to do is that it is going to ask Google, as identity provider: I would like to have access to the following attributes. The 26:41 list goes: picture, full name, email address. Those are the attributes that are being requested. This could be, it could be anything. 26:51 Now the next thing that I do as the user is I authenticate against the identity provider and I approve this request, again 27:02

as the modern authorization experience. Most users don't even know how this is happening. All they see is 27:11 that they click on sign in and they are asked by Google, do you want to give access to this information from your account? Yes or no? 27:21 Now when I approve this, Google is going to contact back the web application and it's going to provide it with all the data. The web 27:31 application from this moment can see my picture, my full name, my email address. The next step is, it's going to look at the local identity 27:41

store and it's going to find the matching account that is using the same email address. If it doesn't exist, it's automatically going to create it. 27:50 If it can find it, it links it, and I'm allowed to log in. I'm going to see my name. I'm going to see my picture. I'm going 28:00 to see everything, and my experience is that I just logged on to this application without using any password at all. 28:09 Another example that I'm showing you here: this is the local bakery that's next to my house, and they would like to, 28:19

they don't want to handle the passwords. With all the new regulations, we have GDPR, so for many companies it's actually not as easy to be dealing with 28:29 sensitive data as before. So what they would like to do in this hypothetical scenario is that they would like to allow customers to log on using 28:38 the Facebook account and make an order. The way this would be implemented is that this application that they use would ask for the first name, last name, 28:47 email. As soon as I authenticate to Facebook, they are going to find the matching account, which is just some UID, and they will match 28:56

it based on email, and then they are going to have in this account also information about the only thing that I'm using. Again, my user experience is 29:06 I'm just using my Facebook. You are using it to sign in; it's just a completely seamless experience for the end user. So again, 29:16 no password in this case, there is no password at all. It's completely passwordless, how I can log on to all these, how I can use 29:26 them. Now, the thing is that you need to have some component that is going to do this authentication and is making these federations. And that's 29:36

why we are using the Citrix Gateway, which we talked about, and it's a component, or a capability, you can add 29:44 within the Workspace experience, the Cloud service. But a lot of people who have, like, a Citrix Virtual Apps and Desktops deployment on-prem already, you 29:54 may already have Gateway running there, and you might have complex authentication policies or multi-factor authentication policies in place. So 30:02 now what we're able to do is have you log into Workspace using your on-prem Gateway, using your on-prem Gateway as the IdP. 30:10

So if we look at how this architecture would look: as the user logs into Workspace, the identity broker microservice is then going to talk to your on-prem 30:21 Gateway and pass the policies as you have set them. This could be talking to your on-prem Active Directory, a RADIUS. If you wanted to, you could be 30:29 using Google as the IdP; the Gateway would just use Google as the IdP. You could use Okta, and you can pretty much use anything 30:37 that the on-prem Gateway is able to do. They handle the authentication for you. What this would look like from the user 30:47

perspective would be: so here the user is going to log into the Citrix Cloud account of this particular customer. You see it's loading Workspace, but 30:56 instead of seeing that traditional Workspace login, now we're bounced down to, you know, the Citrix Gateway. So here I'm now using my username, I'll 31:05 use a password, and I have, you know, a token. It's running on the on-prem Gateway server. So you'll be able to enter this in, and 31:13 once you authenticate, it sends you back to your Workspace environment and it fully logs you in, and you get that whole Workspace 31:23

experience with all the different apps and desktops and files. So this is using what you might already have running on-prem 31:33 and again integrating this up into Citrix Workspace. So a lot of people have gone down the 31:43 on-prem Gateway route because of something called nFactor, and this allows you to do different authentications from, like, a single entry point, and 31:53 it's something I've been trying to understand, because networking is so not my area, and so I finally figured out how I can explain this pretty well. So here 32:02

you have a pretty handsome guy. He's external, very smart and intelligent, I think so, and 32:09 he's going to have, he's very trustworthy, a corporate device that has a certificate on there. So, you know, we only need him to 32:19 log in with an ID and password on a trusted device. We trust this person. Now here I've got somebody who has a funny accent and coming from 32:29 some Eastern European country. He says he's in security. That means he knows how to hack the system. We don't trust him as much. So this type of 32:39

person, on an untrusted device: we're going to make sure, with RADIUS, that he has a token, make sure he enters this token, and use, you know, 32:49 username and password as well. And then we have a third user. So this guy's got his own identity provider, so we just let him in; so 32:58 we fully, completely trust this guy. But you could have this being, like, a Google identity provider or so. So from a single 33:08 experience for the user, like a single URL, based on who you are and what device you're using, with nFactor we could automatically do 33:17

different forms of authentication challenges: if you're on a trusted device it might be easier; if you're on a trusted device near a certain location it can be easier; if 33:27 you're on an untrusted device, depending on the context, we can change the different ways you authenticate into this particular environment. But with all 33:35 these types of things, what's interesting about this is, if you use Google as IdP, or another IdP, the challenge becomes integrating this with the 33:43 Citrix virtual desktops, and that's how we get into the Federated Authentication Service. Windows. 33:53

The only thing that Windows understands is the simple password. Windows is completely based on the text-based password, 34:03 and the only other real authentication method that is supported is using the smart card. So the only problem with Windows is 34:12 that it doesn't support federation at all. You cannot use, let's 34:22 say, your Facebook account to sign into Windows. That's not possible. Now we do have one technology 34:32 which we call FAS, Federated Authentication Service, where we are doing this. And if you think about all the examples that we gave you before, how 34:42

federation works, how the Gateway works: what you want to achieve is, whoever comes in at the end, you want to have a session on top of the Windows 34:51 operating system, so you want to be able to take this user's Active Directory account and get him into the system. 35:01 Now, how can you actually do this when the user is actually using the Google account? How do you technically implement it? How do you link this 35:11 together? That's the really big question, and Windows cannot do it; Windows doesn't have any support for federation at all. 35:20

Now, the Federated Authentication Service, FAS: what we are doing here, and I really love this product because it's solving so many different 35:30 issues, is following this idea of not using a single account but using multiple accounts and just linking them together. To achieve this, you 35:40 know, if you have your identity stored in Google, what you need to do is, first, you need to create a matching account in Active Directory. 35:50 You can use AD sync, for example, you can script this, or if you are dealing with individual accounts, for example, you can just do it manually. It doesn't 35:59

matter; what you need to have is a matching shadow account in Active Directory. That's number one. Number two: when 36:09 an external user connects to the Gateway, the Gateway is going to authenticate him with the identity provider that you are using, Google for 36:19 example. And I can tell you, the information that is exchanged between Google and the Gateway is completely bypassing the endpoint. 36:29 Google is going to confirm, and it's going to say: this user that you just sent to me, I can confirm that his email address is martin.[inaudible] at 36:39

gmail.com. That's pretty much the only information the Gateway is going to get back. Next, the Gateway is going to do an Active 36:48 Directory lookup; it's going to find an Active Directory account where the user principal name, not the email address but the user principal 36:58 name, is the same as the Gmail address. So it's going to find martin.[inaudible]@gmail.com. Technically speaking, you could use email, but you don't 37:07 want to do it, because email is not considered a unique attribute, so you want to use one of the unique attributes, such as the user 37:17

principal name. Now, at this moment, what the Gateway knows is: this user owns the Gmail account, 37:25 and I've been able to find the matching Active Directory account. I don't have his password; I just know this is the name of the 37:34 matching account. So how do you go from this information to a fully functional Windows session? The Gateway is going to take this information 37:44 and it will forward it to StoreFront. It's going to say to StoreFront: this user just logged on, this is his AD account, display all the 37:54

resources that are for this AD account. So we are going to see all the icons, applications, desktops, everything. And as soon as the user clicks on the 38:04 icon, we go to the brokering and we find a Windows server or Windows desktop where his session should be opened. StoreFront is 38:13 going to forward this information to FAS. And technically, what FAS is: FAS has nothing to do with authentication, the name is a little bit confusing, but 38:23 FAS is a virtual smart card provider in Windows. You can do a simple username and password, or you can do smart card; FAS is the 38:33

storage of the virtual smart cards. So the next thing is, FAS knows that this user wants to go to this Windows session, and it's going to check 38:43 whether the virtual smart card for this account has already been generated for this user or not. If not, it's going to ask Certificate Services to generate the 38:53 smart card for it, and it's going to store it in the local store. The last step is: FAS is literally going to open the door; it's going to take 39:02 the virtual smart card, plug it into the virtual reader, and start the Windows session. And then StoreFront is just going to send the user over to the 39:12

session that was actually, technically, logged on by FAS itself. So this way, and if you think about it, this is actually quite important: 39:22 the only authority for FAS is StoreFront. FAS never knew about any Google account that was 39:32 used; the only information that FAS ever received is: I would like you to log on this user for me. So 39:42 from a security perspective, we always recommend that you protect FAS the same way as you would do with the domain controllers, for example. This is 39:52

potentially a very powerful component that you have in your environment, and so we want to make sure that it's properly secured. So now let me show 40:00 you how this looks in real life. And when you are going to see this demo, think about what I was showing you before, how many moving parts 40:09 are actually involved. So the user is going to type in the URL for the Gateway. As soon 40:17 as he gets to the Gateway, the Gateway will see that he's not authenticated and it's going to redirect him automatically to Google. If I would be 40:27

already logged on to Google before, I would completely skip this and I would just be at: do you want this Gateway to access your information stored in 40:36 Google? I log into Google with my password. Now Google sends back the information to the Gateway saying: yes, he 40:45 owns this email address. The Gateway forwards this to StoreFront, StoreFront to FAS, FAS to Certificate Services, and uses the virtual smart card 40:55 to log me on, and then just allows me into this Windows machine. One interesting note that I would like to make, a big 41:04

note, is that the username that I'm using here has nothing to do with the original Gmail account that was used. So I was able to take two 41:14 accounts that are completely separate, one in Google, one in Active Directory, and I was able to use FAS to actually link them together and at the end 41:22 to get this Windows session. So we looked at how to go beyond passwords: you're not 41:31 just using the standard password; now I get access to all the different resources. But how do you incorporate something like OTP, 41:41

or how do you use an on-prem Gateway with nFactor authentication to do, you know, more custom authentication challenges 41:51 for the environment based on the unique characteristics, the unique scenario that you have. So we built that foundation of Workspace in the last section; 42:01 here we showed you how you don't have to standardize on AD or [inaudible]; you have the option to use different identity providers. Now the next 42:10 episode, the next section that we have in this whole Geek's Guide to the Workspace series, again in this room, is looking at 42:19

single sign-on to SaaS and web applications, as well as providing enhanced security. We gave an overview of that in the first section; for this next one, a lot more 42:28 detail, looking at SaaS, looking at web apps, looking at mobile apps, how to do that single sign-on to all these different applications and 42:37 doing that with enhanced security capabilities. And before we leave, I will leave you with one more demo, because we've been using Google a lot and, because 42:45 you know how much I love Chuck Norris: Chuck Norris, I'm Feeling Lucky. And you get an interesting response there, that Google actually 42:54

will not find Chuck Norris for you, because it's afraid as well. And with that, thank you. We're going to get off stage; if you have questions, come on outside when 43:03 we get the next group up here, to give them time to prepare, but if you have a question... And one last note: how many of you have heard about the Citrix [inaudible]? 43:13 Okay, so anyone who hasn't heard about it and would like to get some stickers, just stop by here. I have plenty of stickers to hand over today. 43:25 Thank you very much. 43:32
