Feb 28, 2023

We have been using SAML Authentication in our Citrix environment for quite some time now. I have a good document on setting that up here: https://www.citrixirc.com/the-complete-guide-azuread-saml-authentication/

We have been putting more and more security measures in place over the years, and a new requirement was to have any administrative access to these VDAs have MFA on at the console level (and RDP). We are using Duo for this.

When I installed Duo, I immediately started seeing a problem. Even though I had the Duo policy set to BYPASS non-administrative users, I was still getting an extra authentication prompt upon login.

The login process looked as follows: 

It was this extra authentication that was throwing me for a loop. I opened a ticket with Duo, and they were able to point me to a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv\ProvidersWhitelist (https://help.duo.com/s/article/4041?language=en_US).

This was great, but the problem was there are 20 or so authentication providers. So, I tried many combinations without success. I reached out to WorldOfEUC, and of course, the amazing community came back with a hit. Dennis Parker told me to try a couple of entries: {1D7BE727-4560-4adf-9ED8-5EEC78C6ECFF} and {81C8E4DC-B376-4D88-BCCD-BD0DD65BEE2B}.

After adding these two, it started working!
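
Rather than guessing among the 20 or so providers, you can list every credential provider registered on the VDA with its friendly name, confirm the two GUIDs above are present, and merge them into the Duo value. This PowerShell is an added example, not part of the original post or Duo's documentation; it assumes ProvidersWhitelist is a multi-string (REG_MULTI_SZ) value, which you should confirm against the Duo article linked above.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory credential providers, then update Duo's ProvidersWhitelist.
# Assumption: ProvidersWhitelist is REG_MULTI_SZ (verify in the Duo KB article).

$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# The two GUIDs given in the post.
$wanted = @(
    '{1D7BE727-4560-4adf-9ED8-5EEC78C6ECFF}',
    '{81C8E4DC-B376-4D88-BCCD-BD0DD65BEE2B}'
)

# 1. Inventory: each subkey is a provider CLSID; its default value is the friendly name.
$providers = Get-ChildItem -Path $cpRoot | ForEach-Object {
    [pscustomobject]@{
        Guid = $_.PSChildName
        Name = $_.GetValue('')
    }
}
$providers | Sort-Object Name | Format-Table -AutoSize

# 2. Do not whitelist a GUID that is not registered on this machine.
#    (-notin compares case-insensitively, so GUID casing does not matter.)
$missing = $wanted | Where-Object { $_ -notin $providers.Guid }
if ($missing) {
    throw "Not registered as a credential provider here: $($missing -join ', ')"
}

# 3. Merge with whatever is already whitelisted so existing entries are kept.
if (-not (Test-Path -Path $duoKey)) {
    throw "Duo key not found: $duoKey (is Duo for Windows Logon installed?)"
}
$existing = (Get-ItemProperty -Path $duoKey -Name ProvidersWhitelist `
                -ErrorAction SilentlyContinue).ProvidersWhitelist
$current  = @($existing | Where-Object { $_ })
$merged   = @(($current + $wanted) | Sort-Object -Unique)

New-ItemProperty -Path $duoKey -Name ProvidersWhitelist `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# 4. Read back what was written so the change can be recorded.
(Get-ItemProperty -Path $duoKey -Name ProvidersWhitelist).ProvidersWhitelist
```

Every provider in this list is one Duo no longer hides at the logon screen, so keep it to the entries you have identified by name in the inventory output.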