We have been using SAML Authentication in our Citrix environment for quite some time now. I have a good document on setting that up here: https://www.citrixirc.com/the-complete-guide-azuread-saml-authentication/
We have been putting more and more security measures in place over the years, and a new requirement was to have any administrative access to these VDAs have MFA on at the console level (and RDP). We are using Duo for this.
When I installed Duo, I immediately started seeing a problem. Even though I had the Duo policy set to BYPASS non-administrative users, I was still getting an extra authentication prompt upon login.
The login process looked as follows:
It was this extra authentication that was throwing me for a loop. I opened a ticket with Duo, and they were able to point me to a registry key. HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv\ProvidersWhitelist – https://help.duo.com/s/article/4041?language=en_US
This was great, but the problem was there are 20 or so authentication providers. So, I tried many combinations without success. I reached out to WorldOfEUC, and of course, the amazing community came back with a hit. Dennis Parker told me to try a couple of entries. {1D7BE727-4560-4adf-9ED8-5EEC78C6ECFF} and {81C8E4DC-B376-4D88-BCCD-BD0DD65BEE2B}
After adding these two, it started working!