Resolution

Awingu has several layers of authentication, which are briefly summarized below.

LDAP / LDAPS

The most basic implementation is by relying on an LDAP servers, which are for most customers their Active Directory Domain Controllers. 
This becomes more secure when these servers have an SSL/TLS certificate and when the Awingu appliance is set to communicate with those servers in an encrypted way. This more secure implementation is referred to as LDAPS.

Multi-Factor Authentication (MFA)

This makes authentication more secure by adding at least one other way to authenticate the user. 
For instance, besides their password, the users must additionally be able to provide a second way to prove their identity. This is typically a six-digit code, generated by an authenticator app.

Awingu also offers two built-in mechanisms: counter-based and time-based authentication. When relying on the built-in MFA options, time-based is preferred.

There are also external mechanisms which are supported:

• RADIUS (Note: CHAP v2 is not supported).
• Duo Security
• SMS PASSCODE

Federated Authentication

As soon as this federated authentication is enabled, Awingu no longer handles the authentication of the user. Instead, it is handled by an external Identity Provider (IdP). 
Support for SAML and OpenID has implemented.

As the external IdP doesn't expose the passwords and the Microsoft Remote Desktop Protocol (RDP) doesn't support ticket/token based logins, this means users still need to enter their password in Awingu in order to be able to connect to application servers.

This first phase is called pre-authentication. 

So in a second phase, the credential-based (username/password) authentication towards back-end systems (remote app, VDI, storage, ...) is replaced by a user certificate-based login mechanism to enable Single Sign-On (SSO).