APM Step-up authentication when clicking a specific webtop item
We use APM for our SSLVPN Service. Some users just use the VPN client, whilst others use a combination of VPN and Webtop to access services such as RDS and Citrix that we've integrated into APM.
We're in the process of migrating over to SAML authentication for the access policy which provides SSO and MFA capacility via AzureAD. The one downside is that we don't have user credentials to pass to the integrated RDS/Citrix.
We've implemented a workaround which works but is still clunky. At present the SSO/MFA process completes, they are then prompted to enter their password which is then avialable for RDS/Citrix.
Whilst this is a much improved experience that the prevsious setup, we'd ideally like to be able to only as for the user's password if they click RDS/Citrix icons on the webtop. This would mean that the VPN users are SSO's without interuption.
I've looked at step-up authentication but can't figure out if it's possible to achieve this as part of the interation with the webtop. My other thought was to create a link on the webtop to open a specific URL which would be caught by a per-request policy which would run the logon box, set a session variable which would be tied to the advanced resource assign for Citrix/RDP.
Does anyone know if it's possible to achieve such functionality?