Let me introduce you to FIDO2 Virtual Channel in Citrix Workspace App for Linux 2209 on IGEL OS!

By Fredrik Brattstig @virtualbrat

22nd September 2022
Citrix recently launched a public tech preview of Citrix Workspace App for Linux (CWAL) version 2209, and I have an IGEL OS version including it. I wanted to have a look at the new FIDO2 Virtual Channel, as the Yubikey FIDO2 key gives a quite good security addition when it comes to Auth! Citrix has now introduced a new Virtual Channel (VC) for FIDO2 hardware token devices. The VC will, through the HDX protocol, within the Citrix HDX session access to your FIDO2 key connected to your USB port in the IGEL OS endpoint.

As in my previous blog post on FIDO2 functionality just a few days ago, here:
https://virtualbrat.com/2022/09/17/igel-os-and-fido2-auth-using-yubikey-for-passwordless-login-to-azuread-here-is-the-how/
I showcased using the IGEL OS built-in Chromium browser to access the FIDO2 key and authenticate my user to Azure Active Directory. In this blog, I’ll show you how to do the same thing but within a Citrix session in Citrix Cloud using the Citrix FIDO2 VC.

The IGEL development team provided me with a new firmware containing the tech preview of Citrix Workspace App 2209, where the VC wasn’t enabled, due to time constraints. To enable the virtual channel, I modified the CWAL module.ini according to the below settings:

VirtualDriver = Thinwire3.0, Clipboard, ClientDrive, ClientPrinterQueue, ClientAudio, ClientComm, TWI, ZL_FONT, ZLC, ICACTL, SmartCard, UserExperience, KeyboardSync, MultiMedia, WebPageRedirection, PortForward, VDTUI, NSAP, VDWEBRTC, MobileReceiver, FIDO2, GenericUSB

FIDO2=On

[FIDO2]
DriverName = VDFIDO.DLL


The highlighted pieces were the things I added, and that made the VC to be enabled and fully functional. This will of course be part of the final release of an IGEL OS firmware going forward when the CWAL 2209 is ready for production release (or if it doesn’t make it to 2209, then the next upcoming version, this is up to Citrix to decide in their release plans)

Before you get too excited, the new addition of the FIDO2 VC does NOT allow you to Authenticate in CWAL to get access to your eg Citrix Cloud published resources. It will “just” make the FIDO2 key available within the Citrix session. I’m really curious about Citrix HDX future-wise extending the capabilities to service a complete FIDO2 Auth end to end.

As you can see in the video below, while in session, accessing the FIDO2 Yubikey, CWAL opens an overlay for the interaction of the FIDO2 key, where it prompts the user to insert the FIDO2 key, Enter the Pin and touch the FIDO2 key (to prove user presence). The rest of the FIDO2 auth process is then passed through the VC to allow the application in session to benefit from the Authentication.

That’s about it! Let’s have a look at the user experience of the tech preview of the FIDO2 Virtual Channel in Citrix sessions!

Stay well and see you soon again!

/Fred