SAML using Entra ID and AD identities for Workspace authentication
This article describes how you can configure SAML for workspace authentication using Active Directory (AD) identities. The default behavior for Citrix Cloud™ and SAML authentication to Citrix Workspace™ or Citrix Cloud, regardless of the SAML provider used, is to assert against an AD user identity. For the configuration described in this article, using Entra ID Connect to import your AD identities to your Entra ID is required.
Important:
It is crucial to determine the appropriate SAML flow for your Workspace end users, because it directly affects their sign-in process and resource visibility. The chosen identity determines which types of resources a Workspace end user can access. A companion article provides instructions on using Entra ID as the SAML provider for authenticating into Workspace using AAD identities; see SAML using Entra ID and AAD identities for workspace authentication. Workspace end users typically need to open apps and desktops provided by AD domain-joined VDAs. Review the use cases outlined in both articles carefully before deciding on the most suitable SAML flow for your organization. If uncertain, Citrix® recommends using the AD SAML flow and following the instructions in this article, as it aligns with the most common DaaS scenario.
Feature scope
This article applies to users who use the following combination of Citrix Cloud and Azure features:
- SAML for workspace authentication using AD identities
- SAML for Citrix Cloud admin login using AD identities
- Citrix DaaS™ and HDX resource enumeration of resources published using AD domain-joined VDAs
- AD domain-joined VDA resource enumeration
What’s best: AD identities or Entra ID identities?
To determine whether your workspace users should authenticate using SAML AD or SAML Entra ID identities:
- Decide which combination of resources you intend to make available to your users in Citrix Workspace.
- Use the following table to determine which type of user identity is appropriate for each resource type.

| Resource type (VDA) | User identity when signing in to Citrix Workspace | Needs SAML identity using Entra ID? | FAS provides single sign-on (SSO) to VDA? |
|---|---|---|---|
| AD joined | AD, Entra ID imported from AD (contains SID) | No. Use default SAML. | Yes |
Configure the custom Entra ID Enterprise SAML application
By default, the behavior for SAML sign-in to workspaces is to assert against an AD user identity.
- Sign in to the Azure portal.
- From the portal menu, select Entra ID.
- From the left pane, under Manage, select Enterprise Applications.
- From the command bar in the working pane, select New Application.
- From the command bar, select Create your own application. Don’t use the Citrix Cloud SAML SSO enterprise application template. The template doesn’t allow you to modify the list of claims and SAML attributes.
- Enter a name for the application and then select Integrate any other application you don’t find in the gallery (Non-gallery). Click Create. The application overview page appears.
- From the left pane, select Single sign-on. From the working pane, select SAML.
- In the Basic SAML Configuration section, select Edit and configure the following settings:
  - In the Identifier (Entity ID) section, select Add identifier and then enter the value associated with the region in which your Citrix Cloud tenant is located:
    - For European Union, United States, and Asia-Pacific South regions, enter https://saml.cloud.com.
    - For the Japan region, enter https://saml.citrixcloud.jp.
    - For the Citrix Cloud Government region, enter https://saml.cloud.us.
  - In the Reply URL (Assertion Consumer Service URL) section, select Add reply URL and then enter the value associated with the region in which your Citrix Cloud tenant is located:
    - For European Union, United States, and Asia-Pacific South regions, enter https://saml.cloud.com/saml/acs.
    - For the Japan region, enter https://saml.citrixcloud.jp/saml/acs.
    - For the Citrix Cloud Government region, enter https://saml.cloud.us/saml/acs.
  - In the Logout URL (Optional) section, enter the value associated with the region in which your Citrix Cloud tenant is located:
    - For European Union, United States, and Asia-Pacific South regions, enter https://saml.cloud.com/saml/logout/callback.
    - For the Japan region, enter https://saml.citrixcloud.jp/saml/logout/callback.
    - For the Citrix Cloud Government region, enter https://saml.cloud.us/saml/logout/callback.
  - From the command bar, select Save.
- In the Attributes & Claims section, click Edit to configure the following claims. These claims appear in the SAML assertion within the SAML response.
  - For the Unique User Identifier (Name ID) claim, update the default value to user.localuserprincipalname.
  - For the cip_upn claim, update the default value to user.localuserprincipalname.
  - For the displayName claim, leave the default value of user.displayname.
  - For the givenName claim, update the default value to user.givenname.
  - For the familyName claim, update the default value to user.surname.
  - In the Additional claims section, for any remaining claims with the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, click the ellipsis (…) button and click Delete. These claims are duplicates of the user attributes above and don’t need to be included.
  When finished, the Attributes & Claims section contains only the claims configured above.
- Obtain a copy of the Citrix Cloud SAML signing certificate using a third-party online SAML metadata tool:
  - Enter https://saml.cloud.com/saml/metadata in the URL field and click Load.
  - Scroll to the bottom of the page and click Download.
- Configure the Entra ID SAML application Signing Settings:
  - Upload the production SAML signing certificate obtained in the preceding step to the Entra ID SAML application.
  - Enable Require verification certificates.
Troubleshooting
- Verify that your SAML assertions contain the correct user attributes using a SAML network tracing tool, such as the SAML-tracer browser extension.
- Locate the SAML response (highlighted in yellow in SAML-tracer).
- Click the SAML tab in the bottom pane to decode the SAML response and view it as XML.
- Scroll to the bottom of the response and verify that the SAML assertion contains the correct SAML attributes and user values.
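The check above can be scripted. The following is an added example, not Citrix or Microsoft code: it parses a decoded SAML response (as exported from SAML-tracer) and confirms that the assertion carries the Name ID and the cip_upn, displayName, givenName and familyName attributes this article configures, that no duplicate claims under the legacy namespace remain, and that the issuer and audience match the Citrix Cloud SAML connection values. The embedded response is constructed and the tenant ID is a placeholder.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names the article maps to Entra ID user properties.
REQUIRED_ATTRS = ("cip_upn", "displayName", "givenName", "familyName")
# Namespace of the duplicate claims the article says to delete.
LEGACY_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

def check_saml_response(xml_text, tenant_id, entity_id="https://saml.cloud.com"):
    """Return a list of problems found; an empty list means the assertion looks right."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the response"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer.rstrip("/") != f"https://sts.windows.net/{tenant_id}":
        problems.append(f"unexpected issuer {issuer!r}")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != entity_id:
        problems.append(f"audience {audience!r} is not {entity_id!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        problems.append("missing NameID")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name, [""])[0]:
            problems.append(f"missing or empty attribute {name}")
    # Name ID and cip_upn must both carry the AD UPN so Citrix Cloud matches the AD user.
    if name_id and attrs.get("cip_upn", [""])[0] not in ("", name_id):
        problems.append(f"NameID {name_id!r} differs from cip_upn {attrs['cip_upn'][0]!r}")
    problems += [f"leftover duplicate claim {n}" for n in attrs if n.startswith(LEGACY_NS)]
    return problems

# Constructed sample response; the tenant ID is a placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
<saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://saml.cloud.com</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="cip_upn"><saml:AttributeValue>jdoe@corp.example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="familyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, TENANT) or "assertion OK")
```

Paste the decoded XML from the SAML tab in place of the sample and pass your own tenant ID; any non-empty result points at the claim or connection setting to revisit.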
If your subscribers still can’t sign in to their workspace or they can’t see their Citrix HDX™ Plus for Windows 365 desktops, contact Citrix Support and provide the following information:
- SAML-tracer capture
- Date and time the sign-in to Citrix Workspace failed
- The affected user name
- The caller IP address of the client computer that you used to sign in to Citrix Workspace. You can use a tool like https://whatismyip.com to get this IP address.
Configure the Citrix Cloud SAML Connection
All Citrix logon flows need to be Service Provider initiated using either a Workspace URL or a Citrix Cloud GO URL.
Use the default recommended values for the SAML connection within Identity and Access Management > Authentication > Add an identity provider > SAML.
Obtain the Entra ID SAML application SAML endpoints from your Entra ID portal and enter them into Citrix Cloud.
Entra ID SAML endpoint examples to be used within the Citrix Cloud SAML connection:
Important:
The Entra ID SSO and Logout SAML endpoints are the same URL.
| In this field in Citrix Cloud | Enter this value |
|---|---|
| Entity ID | https://sts.windows.net/<yourEntraIDTenantID> |
| Sign Authentication Request | Yes |
| SSO Service URL | https://login.microsoftonline.com/<yourEntraIDTenantID>/saml2 |
| SSO Binding Mechanism | HTTP Post |
| SAML Response | Sign Either Response Or Assertion |
| Authentication Context | Unspecified, Exact |
| Logout URL | https://login.microsoftonline.com/<yourEntraIDTenantID>/saml2 |
| Sign Logout Request | Yes |
| SLO Binding Mechanism | HTTP Post |