Citrix Synergy TV - SYN131 - Geek's guide to the workspace (part 2): beyond Pa$$w0rds...

Daniel Feller
Lead Workspace Architect at Citrix
Citrix Synergy Atlanta 2019
May 22, 2019, Atlanta, GA, United States

About speakers

Daniel Feller
Lead Workspace Architect at Citrix
Martin Zugec
Senior Architect - Technical Marketing at Citrix

About the talk

One hundred and seventy-seven and counting. That is how many different identities I have. Each identity has a password. Are they secure passwords? Probably not. Passwords, by nature, are insecure. Securing authentication is not easy because there are so many approaches available. In this session, we will look into many of these options, understand how they work and how they differ, and see how we can incorporate them into our primary Citrix Workspace identity.

Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


So it's kind of interesting the restaurants in Virtual desktop take out the sessions happening next door. That's when I used to always do now. I know how all the other co-presenters at Synergy felt when I was pretending that session cuz everyone's over there. So for those of you who skip that section to come here, thank you for joining us for part two of the Geek's guide. How many were in part 1? Alright, alright, so beyond passwords, you know, we love password. So why would you go beyond it and but there's a lot of reasons why there's a lot of technology that

we're going to walk you through some of these things and how you can integrate this into workspace. But so far what we've done with this whole Geek's guide thing is we built the foundation in the last session that all you were there. We built workspace integrated all the different services just at a very high level. We didn't do a lot of special configurations. That's what all these sessions are going to be. So in this section, we're going to focus specifically on identity and how we can provide different forms of identity into a workplace environment. So

identity is basically who you are and if you think about things, you know, you end up with a lot of identities in the world. If you think about how many different accounts you've created you have a lot of unique identities. So if I look at my day and how I sign in you start to see where you get a lot of issues with having X. So first thing I do is I go to my home office desk. That is my front yard about a week ago. No place like this is a keep your beer cold Martin your your home office a little different, right? Yeah my whole life,

but we also had some pictures of the time when we don't work outside like the picture you over here. So it's interesting that you don't have in this hole in your work from home just different places you can go in and different experiences. You have a way of working but so you go to your office. And then the next thing you're going to do is you're going to sign in to your desktop. Then you're going to sign into Gateway or StoreFront or Workspace, whatever you're using, and then you can sign into different SaaS application identities, cuz my identity on the PC is

different than my identity from workspace which is different from my identities from all the different SaaS applications. So it's really hard to keep all these things straight and all the different passwords associated with them. Cuz as you all know we're supposed to have unique passwords for every account that we have and that's not going to be the case because those are all my identities that I could come up with. So I I counted mine when I saw this slide and I came up with number of 1107 identities that I'm using the security guy. So this is like

7800 so bad, but there's a lot of I have all these different password complexity rules. It's really hard to come up with them come up with unique ones and you have a good one. It's like there's some reason or another is not going to allow it for you didn't include a number one of your letters uppercase or you don't have some crazy character. So really gets difficult trying to come up with all these unique passwords. But in the end this whole thing all these things work the same you have an identity. You

have multiple identities each one of those identities is coming from an identity provider and then I'll get stored in some datastore, an identity datastore, to all these different systems you have and you interact with these identity providers all the time, you know when using Technology & Beyond, you know technology. So for example of a passport, that's your identity. Now if you have an American passport identity provider comes from the US State Department. You have a credit card. That's my identity. Your identity provider is Visa, Mastercard, Discover,

whoever created that password and then you have of course your Active Directory identity, which is coming from Windows Active Directory. And the datastore is you know, that that I did file. So that is how all these things fit together. Now when you talk about when you integrate Citrix Workspace into this what you end up doing is you have a new thing called an identity broker and that's what Workspace is doing. It's brokering the identities for you. So you don't have to have that Citrix identity. You could use a different identity provider to log into your Citrix environment.

So here we like the passport the identity broker in this scenario is TSA. When you go to the airport there looking pets one example of an identity broker in the credit card environment you go to the grocery store. So there's no credit card readers. That's not any broker looking at looking at your I'd done in validating at Neil battling it with the identity provider. And then with workspace we had this identity broker microservice for a while. It's just been Windows Active Directory and Azure Active Directory, but now and includes you

lock the Citrix Gateway Iran from diplomatic Source Gateway. It could be Google ID. It could be Ping and a lot of different identity providers that are out there that were able to use to have you do that initial login to workspace. And then from there it's single sign-on to all your other applications, whether it's SaaS, web applications, whether, you know, the Citrix Virtual Apps and Desktops, published app, published desktop. So that is the high level of identity but the second part, so identity is who you are, then you move into authentication and it's proving you are who

you say you are and this is where you start getting the challenges you authentication factors and you hear about this all the time in the toys what you know, or what you have or what you are. These are the three main factors that we use to prove you are who you say you are Tenille for authentication. So what do you know could be something like a pin or password what you have a token could be a physical token could be a virtual token could be a certificate know something that you will physically have on your device or in your hand or you know with you and then what you are,

you know could be biometrics, retina scans, face recognition, you know, with Windows Hello, but all these things together are the different factors that you can have when you authenticate. Now one of the one I think is interesting right learn more about this is I always hear people talk about multi-factor authentication. Like you're the best princess movie in the whole world is inconceivable is people say multi-factor authentication thinking it's a product you can buy it's not it's a concept. So MFA is basically taking two of these taking either

what you know, and what you have or what you have and what you are and combined together and some multi-factor using multiple factors to authenticate into the environment. So So we talked about multi-factor. We talked about integrating malt, you know multiple approaches just to authenticate you into the environment and then that takes us to the next stage is authorizing. Yes. So old-fashioned the theme of the day is beyond password. So what we've been talking about so far. It's mostly the stuff that most of you know, so I have a quick question how many of

you are using Windows? Okay, the next question that I have how many of you got something to complain about Microsoft Windows and I want to see all the hands now my big complaint about stop talking about security is that thanks to Microsoft, most of the Windows administrators don't understand the difference between authentication and authorization. No one outside of the Windows world is going to understand. What do you mean? So what we are doing in Windows is that we log on to domain controller and we are the same time now how

this will look like in the real life. I'm going through the same example with the passport and state department. So imagine that you go to the airport and you wait in the line. You just need to pick up with your luggage. When is the only thing you give them the passport you wait to be authenticated then you can leave the luggage you go to TSA wait in the line hand them over the phone. Ford wait for your authentication and authorization. Then you can go you go to the gate. You have to wait you have to show them the passport again. If you need to be authenticated and other guy said the same time

you go to board the plane. You have to show them the passport you need to wait to get authenticated Daniel Poltergeist about the flight. That's not how it's not going to be one. So what we are doing in real life is been we are combining authentication and authorization you go to the TSA you show them the passport for authentication. You got the token, in this case boarding pass, and you are just going to show this everywhere I can quickly go to because you are already authenticated you are just authorizing to board

the plane. Now and I see the concept that I'm going to talk about. This is pretty much based on OAuth 2.0 or OpenID Connect and secure authorization. This is beyond phosphoric. This is something that allows us to Piedmont bypass this conditional passports. And what I want to do is that I'm using some of the applications and even like this web application to get the documents that I have on the Google gas how the modern authorization works is that the web application is going directly to Google and it's going to request

access to this document. The next step Google is going to authenticate me if I'm already signed in it. Just going to ask me. Do you want to be the one that says to this document when I click? Yes, the next step is that the Google is going to directly contact the vendor application and provided with the dates on this is simplified version, but this is how the authorization works. Now they got a few interesting things about this concept. The first one is that delegation you are saying

I would like to give permission for this. Application to extend its 1 and I don't want to sit in the middle. I just want to delegate the express to give you another example of something that you are doing pretty much every day. Whether y'all using discount concept I'm using Xbox one. I'm using the Netflix application Netflix application is flying when I look on FaceTime and I authenticate is the Netflix client that is authentic a thing against the Netflix service and from that moment. I'm delegating access to the client to use the content that I had told the fact that I'm Higgins energy. It

doesn't mean that my family cannot watch the Netflix because I'm able to completely Bill Gate live such that I music. Now I was also saying that this is a huge. Why is this the Q? There are two reasons and notice that all this communication is completely bypassing do using so if you would like to have the man-in-the-middle attack that is listening to the traffic, he would need to stay between Google and the web application and not on my endpoint. It's really easy to infect my endpoint but infecting Google as company that definitely the last reason

why we are calling this modern and secure is let's say that this data is highly sensitive. What is my Social Security number? Notice what the social security number is never going to the end-user. It's never going to be the endpoint. So even though I'm delegating access I'm saying this application can expose these dates on that I have to do my identity of the data itself will never leave my endpoint. So that's why we call this modern and secure and this is the modern concept that slowly coming to the Windows world and this is something that pretty much allows us to

start stop using the password in the future. Now, there are a couple of molding authorization. One of them really good example is the TOTP. So this is a lot of you probably seen something like TOTP before you get the numbers that changes every 30 or 60 seconds and we used to have those physical tokens. And now they're there virtual tokens on your mobile device. So within workspace we can do is there's this ability to turn this on in a for users so they can use this to help provide the

multi-factor authentication into workspace instead of just username and password so we can look at it and we think about this is just makes things a little a little more secure to our environment because you have you have that number to changing. So let's let's look a little deeper on how this actually works how TOTP actually works within the environment. So first thing is there's all of these different authenticator applications you got Microsoft Authenticator, Google, you got the Citrix SSO and there's tons more and he going to you on the app stores are tons of them. These are all

based on industry standard, so it doesn't matter within Citrix Workspace. Castillo TP in time this one time password. You don't have to use Citrix SSO. You can use Microsoft Authenticator, Google Authenticator cuz it's all a standard. It's all just industry standards on on setting this up. So we go back two factors now and let me show you why this is now considered multi-factor user. Is there any point they launched it after they launched a web application? So the web app is now going to provide you with a password prompt asking to provide you with the TOTP prompt and then based on

you putting those in correctly you get authenticated, the identity provider authenticates you, so the password prompt is something you know, cuz it's it's just a password that you created. You should know it be it's something you have and we will show you why in a little bit. Why is something you have? What is that piece of information that you have that makes TOTP a different factor for the environment. This is how we end up getting multi-factor authentication with TOTP. So with TOTP, it's all based on a pre-shared key and you get this key from the infrastructure. So what

happens is when you register for a token, a key appears and the key gets stored on your endpoint device, you know, your mobile device and it gets stored on the infrastructure what happens then is when you launch the authenticator app and trying to authenticate with this the system takes that key and uses a uses an algorithm against the current time and comes up with a 6 digit number that changes every 30 seconds now because the on the back-end infrastructure has the exact same key and hopefully the time is synchronized. It should get the exact same number and then when you enter that in is

just a simple comparison. Is this number match this number? Yes. Okay, then you have the right you have that pre-shared key. So that pre-shared key is the something, you know, that's what gives you the multi-factor authentication within the environment. So I when I when we start adding TOTP into the, you know, workspace environment. I heard a lot of people dropping the T cuz there is also a OTP, you know, one time password and there's also time-based one-time password. So we're talking about a time-based one-time password, but they're almost identical but there are some unique

differences on it. So there really isn't the same underlying infrastructure except with with OTP. This is when you go to website to authenticate with your username and password and it comes up with something like this and it says we are sending you a a token. We're sending you the six digit number you need to enter and you can pick do you want to be SMS to you or if you don't have access SMS it could email it to you. So here's the problem email you're sending me with a password. So it's no longer. This OTP. No longer is an additional

factor. It's not something, you know, because I can access the email with something, you know, get that token and entered in there, so I eliminated that something you have factor. There is no something you have SMS would be the something you have cuz it's tied to your phone. But if I can bypass that in a lot of these do let you bypass the SMS cuz you might not have cell phone connectivity. It was in it was an email you instead and email is just a password. Whereas TOTP it's a local app. You have a pre-shared key on the local device, which is something you have to give you the

multi-factor. The reason why one could be better than the other is OTP requires connectivity. You have to have connectivity either mobile kind of giving us through cell phones, or you have to have access to your email to be able to get that code that they sent you. Whereas with TOTP, it's completely offline. It'll work whether you're on airplane mode or not. Whether you have a Wi-Fi connection it'll always work just because it's a local application using a local key that you've installed as part of the token registration process. So it conceptually if we look at you the

first time user when is it happening as new user connect to workspace app from your device and connect up to the workspace experience running in Citrix Cloud. And this is going to go ahead and go to this whole identity broker microservice and the users going to say hey, I don't have a token register me. I need I need to register a token. So it's going to workspace going to talk to this email registration email microservice and it's going to email you a verification code near to the email is associated with it into workspace app. And then it's going to verify

the code that it sent you an email and then is going to verify your credential, you know back to Active Directory. And once you have that it's been going to give you this token that you'll be able to scan within the authenticator app. And now you have that token. You have your time-based one-time password setup. So then when you actually want to go ahead and authenticate using this You go ahead and log into workspace app talks to workspace experience microservice now provides you with username password in the TOTP prompt. So you enter

username and password then you launch your token you enter the prompt and it goes ahead and authenticate the token first and then goes back to the backend identity provider that you've selected and authenticate you again soon in this case. And then once that's done it talk to his whole resource feed microservice and then gathered all the resources that you are authorized to access which were chillaxing desktop switch sassy weather applications. Are you authorized to access? So take a look at how this actually works within workspace app or the other workspace environment

So within Citrix Cloud what we're going to do is me identity section. There's a section your Active Directory and token. So go ahead and turn it on. So this is basically saying we will allow this within the environment to authenticate. It's one of our approved authentication method. So for this particular workspace deployment now, we're going to go ahead and turn it on for all the users. So basically was it was to radio button. So we enabled it. So now alright, so

We can go in here and look to see if users have a token already registered. So in case you have a token registered already know you're the city already had this thing going you can go in there and delete them and they'll Force the user to re-register their token from the user perspective. What you end up having is you launch workspace app and here. I don't have a token yet the admin reset it cuz I had one of my device was stolen so I can go in here and enter my password and in my email address associated with this account. So it's now

emailing me this verification code. I enter that in along with my password for my account. So it's verifying it and here's my token. So you scan this with your phone or you enter in that code after you download the authenticator app, of course, and then you now have that 6-digit token that changes. So that QR code is your key. If you can't scan it. There's a whole string of alphanumeric characters. You can enter manually, but this was going to go ahead and scan it and there's a token all set up.

So once that's done the user can then go back and redo their authentication into workspace using their username using their password and using that that token and it goes ahead and authenticate you into the environment and you'll be able to access different applications some considerations on this is at least from the workspace workspace perspectivism. There's this whole thing called replay attack if they can I get your password. How long can I Can I use that to break in the system using something

like this? You have 30 seconds so I can give Martin my my token and he has thirty seconds to login. And after that he will no longer be able to use that to answer somebody's looking over your shoulder and they see the number they have 30 seconds to hurry up and enter that something they have your username and password. From the workspace. It only supports one device. You can only have one token associate for user but there's nothing preventing you from taking this thing and scanning across multiple devices and this is something really stupid

to do is to put your token on a screen and you know in a presentation, I guess where you have a lot of technical people who are going to try to start scanning this I see you with your phone out. So just so you know, I have modified the QR code and the numbers because I don't trust anyone in this is actually for a test app or text you through this not even alive anymore. But if you use this and you're putting out documentation for your users and how to do this don't put your real key in there because it's not going to work so you could actually scan this with one of these

authenticator apps and you will get a token. It's just not the right token. I'm you will get numbers, but it's not the right numbers associated with that account. So that is how you start adding multi-factor authentication into into a workspace. So let me show me life story that happened to me we do to kind of open this section and it happened recently because it happened to me on Friday last week. So I'm doing the deed that monitoring for my whole family. I'm a bit paranoid and I found out that my wife account has been hacked

and pretty much every single fact that she's using is available on the Deep Web if anyone wants to buy a beautiful weekend before Synergy trying to find all the identities that she's using slang to find directions using why duplicate account with the most doing kind of Assessments of what's happening. And then she asked me which password should I use to make sure that it is secure and it was really stupid question to ask because I started giving her to the list of how the password should be how it should be long how it should start using like the

local slang in her Navy native language English. And she came back to me after 2 hours and she just told me I I forgot password that that you just told me so we actually spent I showed her this one because I was trying to explain to her that you can actually have access to the vet advice and to services without using any passwords at all. And one of the ways how you can do it is federation. So I told him that she's not on any social media, but I told her you should create the Facebook accounts that you are going to use only

for authentication and nothing else. You don't need to add any family member nothing and when you go to the website and you see all these options sign in with Google sign in with Facebook, what do you are looking at is called federation and its face when people believe that federation allows you to use one account. If you have multiple system that that's not really how it works with federation allows you to do is that you have your account. Yes one Anthony viudo that account and use these Anthony view to link multiple accounts together to kind of chain the

accounts together. Game, this is not about using one account because multiple systems is about linking these accounts together for the any experience. It look like it's one technically speaking. It's again multiple accounts that are linked together. So now to show you again. This is going to be very similar example as I was showing for the authorization because this is the same technology pretty much. Let's play that song. I'm going to log on to this job application and I don't want to get dressed and I don't want to see a new identity and I

know this they have an option sign in with Google. So I love it and I would like to use it. So I click on the sign in with Google account. And what is multiplication is going to do is that it is going to ask Google as identity. I would like to have access to following attributes. The list goes on a picture full name email address. That's the difficulty that are being requested. This could be space between us could be anything. Now the next thing that I do as the user is I authenticate against the identity provider and I blew this request again

as the modern authorization experience the music down some healing know how this is happening. All they say is that they click on sign in and they are asked by Google. Do you want to be my best to this information from your account? Yes or no? Now when I approve this Google is going to contact back the web application and it's going to provide it with all the data. That would be trusted. Asian film this moment can't see my picture my full name my email address. The next step is going to look at the local identity

store and it's going to find the matching account that is using the same email address if it doesn't exist and it's automatically going to forget it. If you can find it on 158 it I'm allowed to login. I'm going to see my name. I'm going to see my picture. I'm going to see everything and my experience is that I just logged on to this application without using any password at all. I went out an example that I'm showing you he is this is this is the local bakery that's next to my house and David like to

they don't want to handle the boss with we have all the new regulations. We have GDPR so many companies is actually not as easy to be dealing with a sensitive data is before you so what they would like to do in this hypothetical scenario. Is that David like two alone constantly to log on using the Facebook account and make an order the way how this would be implemented is that this medication that they use but as for the first name last name email as soon as I authenticate to do the Facebook that I going to find the matching account, which is just some uid, and they will match

it based on email and then they are going to have in this account also information about the only thing that I'm using the game I use experience is I'm just using my Facebook You are using to sepideh, just completely seamless experience for the Andes. So again, no purpose in this case that is no problem at all. It's completely passwordless how I can log onto old is how I can use them. Now. The thing is that you need to have some component that is going to do this authentication and it's making false allegations. And that's

why we are using the Citrix Gateway we talked about and it says it's a component or so capability you can add with within workspace experiencing / cloud service, but a lot of people who have a like a Citrix Virtual Apps and Desktops deployment on-prem already. You may already have Gateway running there and you might have complex authentication policies are in a multi-factor authentication policies in place. So now we're able to do is have you log into workspace using your on-prem Gateway as IdP.

So if we look at how this architecture will look like as user logs into workspace the identity broker microservice is then going to talk to your on-prem Gateway and based on policies you have set, this could be talking to your on-prem Active Directory, RADIUS. If you wanted to you could be using Google as the IdP. The Gateway, we just use Google as the IdP, you could use Okta and you can pretty much use anything that the on-prem Gateway will be able to do they handle the the authentication for you what this would look like from you use your

perspective would be so here are the users going to log into the Citrix Cloud, County of this particular customer you see is loading workspace, but instead of saying that traditional workspace login now, we're back down to you know, that the Citrix Gateway. So here I'm not using my username. I'll use a password and I have a you know a token. It's running on Tramp on the way. The server so you'll be able to enter this in and once you authenticate it didn't send you back to your workspace environment and it's fully logs you in and you get that whole workspace

experience know what the different apps and desktops and and files. So this is using what you might already have running on-prem and it again integrating this up into Citrix Workspace. So a lot of people have gone down to the on-prem Gateway route because of something called nFactor and this allows you to do different authentications from like a single entry point and something about trying to understand because networking is so not my area and so I I I finally figure out how I can explain this pretty well. So here

you having a pretty handsome guy was external very smart and intelligent I think so and he's going to get better is very trustworthy a corporate device that has such a certificate on there. So, you know, we only need him to login with with an ID and password on a trusted device. We trust this person. Not here. I got somebody who has a funny accent and coming from some Eastern European countries. He says his insecurities. That means he knows how to hack the system. We don't trust them as much. So this type of

person watch on trusted device. We're going to make sure the radius know how the token make sure he has none of this token and use I didn't, you know user username and password as well. And then we got that we have a third user. So this guy's got his own identity provider. So we just let him in so he's fully completely trust this guy, but you could have this being like a Google identity provider or being so from a single from a single experience for the user in like a single URL based on who you are what device you're using with n Factor, we could automatically do

different forms of authentication challenges if we trusted device and might be easier if we trusted device near a certain location to can be easier if you're in an untrusted device and depending on the content we can change the different ways you authenticate into this particular environment. But all these type of thing, so it's interesting about this is is if you use Google is IDP or not ep, the challenge becomes integrating this with the Citrix virtual desktops, and that's how we get in the Federated authentication Service. The windows.

The only thing that Windows understands is simple passwords. Windows is completely based on the text-based password, and the only other real authentication method that is supported is using the smart card. So Windows is the only problem is that your message, because it doesn't speak federation at all. You cannot use, let's say, your Facebook account to sign into Windows. That's not possible. Now we do have one technology, which we call FAS, Federated Authentication Service, when we are doing this. And if you think about all the examples that we gave you before, how the

federation works, how the Gateway works, what you want to achieve is, whoever comes in, at the end you want to have a session on top of the Windows operating system. So you want to be able to take this user, use an Active Directory account, and get him in the system. Now, how can you actually do this when the user is actually using the Google account? How do you technically implement it? How do you link this together? That's the really big question, and Windows cannot be deleted Windows doesn't have any support for federation at all.

Now, the Federated Authentication Service, FAS. What we are doing here, and I really love this product because it's solving so many different issues, is following location now using single account using multiple accounts and just linking them together. To achieve it, you know, if you have your identity stored in Google, what you need to do is that first you need to create a matching account in Active Directory. You can use AD sync, for example, you can skip this, or if you are dealing with an individual contact, for example, you just create it manually. Doesn't

matter. What you need to have is a matching physical shadow account in Active Directory. That's number one. Number two: when the external user connects to the Gateway, the Gateway is going to authenticate him with the identity provider that you are using, Google, for example. And I can tell you, the information that is exchanged between Google and Gateway, this is completely bypassing the endpoints. Google is going to confirm and is going to say: this user that you just sent to me, I can confirm that his email address is Martyn. Don't do that at

gmail.com. That's the only information, pretty much, that the Gateway is going to get back. Next, the Gateway is going to do an Active Directory lookup. It's going to find any Active Directory account where the user principal name, that's not the email address, the user principal name, is the same as the Gmail address. So it's going to find Martin go to gmail.com. Voice speaking, you could use email, but you don't want to do it because email it's going to be considered a constant you actually do so you want to use one of the stick you at give you such as user

principal name. Now, at this moment, what the Gateway knows is: this user owns the Gmail address, and I've been able to find the matching Active Directory account. I don't have inspected. I just know this is the name of the matching account. So how do you go from this information to the fully functional Windows session? Gateway is going to take this information and it will forward it to StoreFront. It's going to say to StoreFront: this user that just logged on, this is his AD account, so display all the

resources that are for this AD account. So we are going to see all the icons, applications, desktops, everything. And as soon as the user clicks on the icon, we go to the big opening and we find a Windows server or Windows desktop where his session should be opened. StoreFront is going to forward this information to FAS. And technically, what FAS is: FAS has nothing to do with medication. The name is a little bit confusing, but FAS is a virtual smart card provider. In Windows, you can do explicit username and password, or you can do smart card. FAS is the

storage of the virtual smart cards. So the next thing is, FAS knows that this user wants to go to this Windows session, and it's going to check if the smart card which of my account has already been generated for this user or not. If not, it's going to ask certificate services to generate the smart card for it, and it's going to store it in the local data store. The last step is, FAS is literally going to open the door. It's going to take the virtual smart card to the ventral pause, start the Windows session. And then StoreFront is just going to send the user over to the

session that was actually, technically, logged on by the FAS itself. So this way, and if you think about it, this is actually quite important: the only authority for the FAS is the StoreFront. The FAS never knew about any Google account that was used. The only information that FAS ever received is: I would like you for me to log on using this user. So from a security perspective, we always recommend to treat FAS the same way as you would the domain controllers, for example. This is

potentially a very powerful component that you have in your environment, and so you want to make sure that it's properly secured. So now let me show you how this looks in real life. And when you are going to see this demo, think about what I was showing you before, how many moving parts are actually involved. So, the user is going to type in the URL for the Gateway. As soon as he gets to the Gateway, the Gateway will see that he's not authenticated and it's going to redirect him automatically to Google. If I would be

already logged on to Google before, I would completely skip this and I would just be asked: do you want this Gateway to access your information stored on Google? Email with my password. Now Google sends back the information to the Gateway saying, yes, he owns this email address. The Gateway forwarded this to StoreFront, StoreFront to the FAS, to generate and use the virtual smart card, log me on, and then just allowed me into this Windows machine. One interesting note that I would like to make a big

is note is the username that I'm using here has nothing to do with the original Gmail address that was used. So I was able to take two accounts that are completely separate, one on Google, one in Active Directory, and I was able to use the FAS to actually link them together and at the end to get this Windows session. So we looked at how you go beyond passwords. You're not just using the standard password, you know, to get access to all the different resources. But location near how do you incorporate something like OTP

or how do you use an on-prem Gateway with nFactor authentication to do, you know, more custom authentication challenges for the environment based on the unique characteristics, unique scenario that you have. So we built that foundation of Workspace in the last session. Here we showed you how you don't have to standardize on AD or Azure AD. You have the option to use different identity providers. Now the next episode, the next session that we have in this whole Geek's guide to the workspace series, again in this room, is looking at the

single sign-on to SaaS and web applications as well as providing enhanced security. An overview of that in the first session; for this next, a lot more detail, looking at SaaS. We're looking at web apps, looking at mobile apps, how to do that single sign-on to all these different applications, and doing that and enhanced security capabilities. And before we leave, I will leave you with one more demo, because we've been using Google a lot and because you know how much I love Chuck Norris. Chuck Norris, I'm feeling lucky, and you get an interesting response there, that Google actually

will not find Chuck Norris for you because it's afraid as well. And with that, thank you. We're going to get off stage. If you have questions, come on outside, when you get the next group up here time to prepare. And one last note: how many of you have heard about the city expects volume? Okay, so anyone who hasn't heard about it and would like to get some stickers, just stop by here. I have plenty of tickets to hand over today. Thank you very much.
