Enable single sign-on for workspaces with Citrix Federated Authentication Service

Citrix Federated Authentication Service (FAS) supports single sign-on (SSO) to DaaS in Citrix Workspace. FAS is typically adopted if you’re using one of the following identity providers for Citrix Workspace authentication:

  • Azure Active Directory
  • Okta
  • SAML 2.0
  • Citrix Gateway
  • Google Cloud Identity

With FAS, subscribers enter their credentials only once to access their DaaS apps and desktops.

FAS isn’t needed for SSO to DaaS if you’re using Active Directory (AD), AD plus Token, or specific configurations of Citrix Gateway. For more information on configuring Citrix Gateway, visit Create an OAuth IdP policy on the on-premises Citrix Gateway.

FAS servers

Within each resource location, you can connect multiple FAS servers to Citrix Cloud for load balancing and failover purposes.

Citrix Cloud supports using FAS servers in the following scenarios.

In both scenarios, subscribers signing in to their workspaces through a federated identity provider enter their credentials only once to access apps and desktops.

FAS servers connected with a single resource location

If your resource locations contain varied infrastructure (for example, different resource locations contain different AD forests), deploy FAS servers to the resource location where your VDAs are. SSO is active only in resource locations where one or more FAS servers are connected.

FAS servers connected with multiple resource locations

If you have network connectivity between your resource locations and they contain similar infrastructure, you can connect your FAS servers with multiple resource locations. SSO is active for workspace subscribers who connect to apps and desktops in those resource locations. In this scenario, there’s no need to connect separate FAS servers to each resource location.

When subscribers launch a virtual app or desktop, Citrix Cloud selects a FAS server in the same resource location as the app or desktop that is being launched. Citrix Cloud contacts the selected FAS server to obtain a ticket that grants access to a user certificate stored on the FAS server. To authenticate the subscriber, the VDA connects to the FAS server and presents the ticket.

You can use the same FAS server for both on-premises and Citrix Cloud with proper rule configuration.

FAS server request flow with Citrix Cloud

Failover priority for multiple resource locations

When using FAS servers with multiple resource locations, FAS servers in one resource location can provide failover to FAS servers in other resource locations. When you add FAS servers to other resource locations, you designate each server as primary or secondary. When subscribers launch a virtual app or desktop, Citrix Cloud uses this designation in the following manner to select a FAS server:

  • FAS servers that are designated as primary in the given resource location are considered first.
  • If no primary servers are available, FAS servers that are designated as secondary are considered.
  • If no secondary servers are available, the launch continues but single sign-on doesn’t occur.
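The selection order above, together with the note later on this page that servers in maintenance mode don't provide SSO, can be modelled in a few lines. This is an added illustration, not Citrix code; the server names and resource location names are constructed, and how Citrix Cloud breaks ties between servers of equal priority isn't stated on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FasServer:
    fqdn: str
    # Failover priority in each resource location the server is connected to
    # ("primary" or "secondary"), as designated when the server was added.
    priorities: dict
    available: bool = True  # False when the server is down or in maintenance mode

def select_fas_server(servers: list, resource_location: str) -> Optional[FasServer]:
    """Model of the selection order: among servers connected to the launch's
    resource location, available primaries first, then available secondaries.
    None means the launch continues but single sign-on doesn't occur."""
    candidates = [s for s in servers
                  if s.available and resource_location in s.priorities]
    for tier in ("primary", "secondary"):
        tiered = [s for s in candidates if s.priorities[resource_location] == tier]
        if tiered:
            # Tie-breaking within a tier isn't specified here; take the first.
            return tiered[0]
    return None

def launch_outcome(servers: list, resource_location: str) -> dict:
    """Report whether SSO occurs and which server would issue the ticket."""
    server = select_fas_server(servers, resource_location)
    return {"sso": server is not None,
            "fas_server": server.fqdn if server else None}

def sample_fleet() -> list:
    """Constructed sample (hypothetical names): two servers each connected to
    two resource locations with opposite priorities, plus one single-location
    server."""
    return [
        FasServer("fas01.emea.example.com", {"EMEA": "primary", "APAC": "secondary"}),
        FasServer("fas02.apac.example.com", {"APAC": "primary", "EMEA": "secondary"}),
        FasServer("fas03.us.example.com", {"US": "primary"}),
    ]

if __name__ == "__main__":
    fleet = sample_fleet()
    print(launch_outcome(fleet, "APAC"))   # the APAC primary handles the launch
    fleet[1].available = False             # APAC primary enters maintenance mode
    print(launch_outcome(fleet, "APAC"))   # the EMEA server fails over as secondary
    print(launch_outcome(fleet, "LATAM"))  # no FAS server connected: launch without SSO
```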

Video overview

For an overview of the Federated Authentication Service for Citrix Workspace, view this Tech Insight video:

Citrix Federated Authentication Service for Citrix Workspace

Requirements

Connectivity requirements

Use the FAS administration console to connect a FAS server to Citrix Cloud. You can use this console to configure a local or remote FAS server. To enable SSO for workspaces with FAS, the FAS administration console and FAS service access the following addresses using the console user’s account and Network Service account, respectively.

  • FAS administration console, using the console user’s account:
    • *.cloud.com
    • *.citrixworkspacesapi.net
    • Addresses required by a third party identity provider, if one is used in your environment
  • FAS service, using the Network Service account:
    • *.citrixworkspacesapi.net
    • https://*.citrixnetworkapi.net/

If your environment includes proxy servers, configure the user proxy with the addresses for the FAS administration console. Also, ensure that the address for the Network Service Account is configured as appropriate for your environment.

FAS system requirements

The requirements in this section apply to all FAS servers that you plan to connect with Citrix Cloud.

Complete system requirements for the FAS server are described in the System Requirements section of the FAS product documentation.

FAS servers in your on-premises Citrix Virtual Apps and Desktops environment must have Federated Authentication Service 2003 (Version 10.1) or later installed.

If your existing FAS server is older than Version 10, you can download the latest FAS software from Citrix and upgrade the server in-place before creating this connection. When you create the connection, you select the resource location for your FAS server. SSO is active for subscribers only in the resource locations where FAS servers are present.

For more information about upgrading an existing FAS server, see Install and configure in the FAS product documentation. The same FAS server can be used for Workspace and on-premises deployments.

Citrix Workspace

You must have Citrix DaaS provisioned and enabled in Workspace. By default, DaaS is enabled in Workspace Configuration after you subscribe to the service. However, the service requires that you deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on-premises environment.

Cloud Connectors

Citrix Cloud Connectors enable communication between your resource location (where the VDAs are) and Citrix Cloud. Deploy at least two Cloud Connectors to ensure high availability. The servers on which you install the Cloud Connector software must meet the following requirements:

  • System requirements as described in Cloud Connector Technical Details
  • No other Citrix components are installed, and the server is neither an Active Directory domain controller nor a machine critical to your resource location infrastructure.
  • Joined to the domain where your VDAs are.

For more information about deploying Cloud Connectors, refer to the following articles:

Setup overview

  1. If you’re deploying new FAS servers, review the Requirements and follow the instructions in Install and configure FAS in this article.
  2. Connect your FAS server to Citrix Cloud as described in Connect a FAS server to Citrix Cloud in this article. Completing this task connects your FAS server to a single resource location.
  3. If you plan to connect your FAS server to multiple resource locations, follow the instructions in Add a FAS server to multiple resource locations in this article.

Install and configure FAS

Follow the FAS installation and configuration process described in the FAS product documentation. The configuration steps for StoreFront and the Delivery Controller aren’t required.

Tip:

You can also download the Federated Authentication Service installer from the Citrix Cloud console:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Select the FAS Servers tile and then click Download.

Connect FAS servers to Citrix Cloud

Use the FAS administration console to connect your FAS server to Citrix Cloud as described in Install and configure in the FAS product documentation.

After you complete the Connect to Citrix Cloud configuration step, Citrix Cloud registers the FAS server and displays it on the Resource Locations page in your Citrix Cloud account.

Resource Locations page with FAS server added

If you already have the Resource Locations page loaded in your browser, refresh the page to display the registered FAS server.

Support for Cloud notifications

FAS supports Cloud notifications. With Cloud notifications for FAS servers, you receive a notification in the following instances:

  • A FAS server is down or unavailable.
  • A FAS server’s Registry Authority (RA) certificate has expired or is about to expire.
  • A new version of FAS is available to download.

Raising notifications

Citrix Cloud periodically checks for new notification conditions and raises notifications in the Citrix Cloud management console. The notifications appear under the bell icon in the upper right corner of the console. Select View All on the notification icon to view all the notifications. For more information, see Notifications.

FAS Cloud notifications

Note:

Once a notification is raised, it will be raised again periodically only if the issue is not resolved.

All notifications contain the FQDN of the impacted FAS server. The RA certificate expiry notification is displayed only for the FAS servers with version 10.10.0.14 and later.

Add a FAS server to multiple resource locations

  1. From the Citrix Cloud menu, select Resource Locations and then select the FAS Servers tab.
  2. Locate the FAS server you want to manage, click the ellipsis (…) at the right side of the entry, and then select Manage Server.
     FAS Servers tab with Manage server menu option highlighted
  3. Select Add to a resource location and then select the resource locations that you want.
     Manage Servers dialog with Add to resource location option highlighted
  4. Select Primary or Secondary for the FAS server’s failover priority in each selected resource location.
  5. Select Save Changes.

To view the added FAS server, select Resource Locations from the Citrix Cloud menu and then select the FAS Servers tab. A list of all FAS servers for all connected resource locations appears. To display FAS servers for a specific resource location, select the resource location from the drop-down list.

Change a FAS server’s failover priority

  1. From the Resource Locations page, select the FAS Servers tile for the resource location you want to manage.
  2. Select the FAS Servers tab.
  3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and then select Manage server.
  4. Locate the resource location with the priority you want to change and select the new priority from the drop-down list.
     Manage FAS Servers with priority drop-down highlighted
  5. Select Save Changes.

Enable federated authentication for workspaces

  1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.
  2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions.

Workspace Configuration page with Enable FAS button highlighted

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

Workspace Configuration page with FAS enabled

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If all FAS servers in a resource location are down or in maintenance mode, application launches succeed, but single sign-on isn’t active. Subscribers are prompted for their AD credentials to access each application or desktop.

Remove a FAS server

To remove a FAS server from a single resource location:

  1. From the Resource Locations page, select the FAS Servers tile for the resource location you want to manage.
  2. Select the FAS Servers tab.
  3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and then select Manage server.
  4. Locate the resource location you want to remove and then click the X icon.
     Manage FAS Servers with remove icons highlighted

To remove a FAS server from all connected resource locations:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Locate the resource location you want to manage and then select the FAS Servers tile.
  3. Locate the FAS server you want to remove, click the ellipsis at the right side of the entry, and then select Remove FAS Server.
     Remove FAS Server menu command
  4. On the FAS administration console (on your on-premises FAS server), in Connect to Citrix Cloud, select Disconnect. Alternatively, you can uninstall FAS.
     FAS Administration console with Disable command highlighted

Troubleshooting

If the FAS server isn’t available, a warning message appears on the FAS Servers page.

FAS Servers console page

To diagnose the problem, open the FAS administration console on your on-premises FAS server and inspect the status. For example, the FAS server isn’t present in the FAS server GPO:

FAS Server not available in FAS Server Administrator console

If the FAS administration console indicates that the server is operating properly, but there are still VDA logon problems, consult the FAS Troubleshooting Guide.

More information

Configuring Single sign-on to Workspace app
