I had the same challenge with setting up RADIUS/MFA using the UAG/Horizon. I didn't find a way around it. I wish there was better support for RADIUS/federation in UAG.
As you mention, IDM is the route I went. With IDM (Workspace), I have it configured to auth with a 3rd-party IdP. Users are sent to Shibboleth to do the authentication (MFA/AD auth). Using this method, I had to set up TrueSSO for the single sign-in experience.
It depends on your RADIUS server and what it's configured or capable of doing. We use Duo; it first prompts for AD username/password and then the user receives an MFA push to their device/SMS/phone call.
Thanks for the response.
We use Symantec VIP for RADIUS auth which provides a numeric token that doesn't match a user's AD password, so still get challenged at the connection server end.
I'll head down the IDM route then. Was hoping not to increase the infrastructure to support remote access to desktops but I'm sure we'll end up leveraging other features of Workspace in the future.