Citrix Cloud

Identity and access management

Identity and Access Management defines the identity providers and accounts used for Citrix Cloud administrators and workspace subscribers.

Identity providers

Identity providers supported for Citrix Cloud can be used to authenticate Citrix Cloud administrators, workspace subscribers, or both.

Identity provider Administrators Subscribers
Citrix identity provider Yes No
On-premises Active Directory No Yes
Active Directory plus token No Yes
Azure Active Directory Yes Yes
Citrix Gateway No Yes
Okta No Yes
SAML 2.0 No Yes

By default, Citrix Cloud uses the Citrix identity provider to manage your Citrix Cloud account. Citrix identity provider authenticates Citrix Cloud administrators only.

You can add the following identity providers to your Citrix Cloud account:

Citrix Cloud also supports using the Citrix Federated Authentication Service to provide single sign-on access for workspace subscribers. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.


Learn more about supported identity providers with the Introduction to Citrix Identity and Authentication education course. Each module provides short videos that walk you through connecting each identity provider to Citrix Cloud and enabling authentication for Citrix Workspace.


Administrators use their identity to access Citrix Cloud, perform management activities, and install the Citrix Cloud Connector.

A Citrix identity mechanism provides authentication for administrators using an email address and password. Administrators can also use their My Citrix credentials to sign in to Citrix Cloud.

Add new administrators

During the account onboarding process, an initial administrator is created. As the initial administrator, you can then invite other administrators to join Citrix Cloud. These new administrators can use their existing Citrix account credentials or set up a new account if needed. You can also fine-tune the access permissions of the administrators you invite. Setting these access permissions allows you to define access that’s aligned with the administrator’s role in your organization.

To invite other administrators and define their access to Citrix Cloud, see Manage Citrix Cloud administrators.

Reset your password

If you forget or want to reset your password, click Forgot your username or password? on the Citrix Cloud sign in page. After you enter your email address or username to find your account, Citrix sends you an email with a link to reset your password.

Citrix requires you to reset your password under certain conditions to help you keep your account password safe and secure. For more information about these conditions, see Changing your password.


Add to your list of allowed email addresses to ensure that Citrix Cloud emails don’t land in your spam or trash folders.

Remove administrators

You can remove administrators from your Citrix Cloud account on the Administrators tab. When you remove an administrator, they can no longer sign-in to Citrix Cloud.

If an administrator is logged in when you remove the account, the administrator stays active for a maximum of one minute. Afterward, access to Citrix Cloud is denied.


  • If there’s only one administrator in the account, you can’t remove that administrator. Citrix Cloud requires at least one administrator for each customer account.
  • Citrix Cloud Connectors are not linked to administrator accounts. So, Cloud Connectors continue operating even if you remove the administrator who installed them.


A subscriber’s identity defines the services to which they have access in Citrix Cloud. This identity comes from Active Directory domain accounts provided from the domains within the resource location. Assigning a subscriber to a Library offering authorizes the subscriber to access that offering.

Administrators can control which domains are used to provide these identities on the Domains tab. If you plan to use domains from multiple forests, install at least two Citrix Cloud Connectors in each forest. Citrix recommends at least two Citrix Cloud Connectors to maintain a high availability environment. For more information about deploying Cloud Connectors in Active Directory, see Deployment scenarios for Cloud Connectors in Active Directory.


  • Disabling domains prevents new identities only from being selected. It does not prevent subscribers from using identities that are already allocated.
  • Each Citrix Cloud Connector can enumerate and use all the domains from the single forest in which it is installed.

Manage subscriber usage

You can add subscribers to offerings using individual accounts or Active Directory groups. Using Active Directory groups does not require management through Citrix Cloud after you assign the group to an offering.

When an administrator removes an individual subscriber or group of subscribers from an offering, those subscribers can no longer access the service. For more information about removing subscribers from specific services, refer to the service’s documentation on the Citrix Product Documentation website.

Primary resource locations

A primary resource location is a resource location that you designate as “most preferred” for communications between your domain and Citrix Cloud. For your primary resource locations, select the resource location that has Citrix Cloud Connectors that have the best performance and connectivity to your domain. Making this resource location your primary resource location enables your users to log on quickly to Citrix Cloud.

For more information, see Select a primary resource location.

Identity and access management