Identity and access management
Identity providers are used for the following purposes:
- Authenticate administrators when they sign in to Citrix Cloud Japan
- Provide access to user lists for assigning Library offerings to workspace subscribers
- Authenticate workspace subscribers when they sign in through Citrix Workspace app.
Citrix Cloud Japan supports the following identity providers. These identity providers can be used to authenticate Citrix Cloud administrators, workspace subscribers, or both.
| Identity provider | Administrator authentication | Subscriber authentication |
|---|---|---|
| Citrix identity provider (default) | Yes | No |
| On-premises Active Directory (AD) | No | Yes |
| Azure Active Directory | Yes | Yes |
| On-premises Citrix Gateway | No | Yes |
| Okta | No | Yes |
| SAML 2.0 | Yes (AD groups only - preview) | Yes |
Administrator authentication
By default, Citrix Cloud Japan uses the built-in Citrix identity provider to authenticate administrators when they sign in. Alternatively, you can connect your Azure AD as an identity provider to authenticate Citrix Cloud Japan administrators. You can also use SAML 2.0 to authenticate administrator groups in your AD.
If you use your Azure AD or SAML 2.0 for administrator authentication, administrators can sign in to Citrix Cloud Japan using a unique URL. To sign in, administrators enter the identifier for the Citrix Cloud Japan account.
Note:
If using Azure AD for administrator authentication, Citrix recommends maintaining at least one full access account under the Citrix identity provider. This ensures that:
- You are not locked out of your Citrix Cloud Japan account in the event you disconnect Azure AD from the management console before setting up an alternative identity provider.
- You can access your Citrix Cloud Japan account to perform certain operations that can’t be completed when signed in as an administrator through Azure AD. For example, if Citrix updates the Azure AD application that completes the connection with your Azure AD, you might need to ensure this application is updated in your Citrix Cloud Japan account. Only a full access administrator under the Citrix identity provider can perform this update.
Workspace authentication
With the exception of the Citrix identity provider, you can use all supported identity providers for authenticating workspace subscribers when they sign in through Citrix Workspace app.
Prerequisites for identity providers
The following supported identity providers require the Citrix Cloud Connector to be installed in your on-premises environment before connecting with Citrix Cloud Japan:
- Active Directory
- On-premises Citrix Gateway
- Okta
- SAML 2.0
To learn more about the prerequisites for each supported identity provider, refer to the articles in More information in this article.
Application and desktop delivery to users
When delivering applications and desktops through Citrix DaaS (formerly Virtual Apps and Desktops service), you can assign users and groups from your AD or Azure AD to those resources using one of the following methods:
- Create a delivery group in Studio that includes the applications and desktops you want to deliver and specifies the users from your AD who are authorized to access them.
- Create a delivery group in Studio that includes the applications and desktops you want to deliver and make it available as an offering in the Library. Then, use the Library to select the users from your AD or Azure AD who are authorized to access the resources in the delivery group. This method requires connecting your AD or Azure AD to Citrix Cloud Japan as an identity provider.
More information
For instructions for connecting identity providers to Citrix Cloud Japan, refer to the following articles: