Citrix Endpoint Management

Authentication with Azure Active Directory through Citrix Cloud (Preview)

This feature is available as a preview. To enable authentication with Azure Active Directory (AAD) through Citrix Cloud, contact your Citrix support representative.

Endpoint Management supports authentication with Azure Active Directory credentials for users enrolling through Citrix Secure Hub, on iOS devices and on Android devices that run in the legacy Device Administration mode. For more information, see section 3.3.2, Login (Cloud Credentials), in the Public API for REST Services PDF. This authentication method does not support Android Enterprise.

Note:

Endpoint Management doesn’t support authentication through Azure Active Directory for enrollment invitations. If you send users an enrollment invitation containing an enrollment URL, users authenticate through LDAP instead of Azure AD.

Endpoint Management uses the Citrix Cloud service, Citrix identity, to federate with Azure Active Directory.

To set up this service:

  • Configure Citrix Cloud to use AAD as your identity provider in Identity & Access Management.
  • Enable AAD as your authentication method under Workspace configuration in Citrix Cloud.

Domain-joined users can then use Secure Hub to sign on with their AAD credentials. Secure Hub uses client certificate authentication for MAM devices.

For Endpoint Management local accounts, this method of authentication isn’t available.

Citrix recommends that you use the Citrix identity provider instead of a direct connection to Azure Active Directory.

Prerequisites for authentication with Azure Active Directory

  • Citrix Gateway, configured for certificate-based authentication
  • Secure Hub 20.5.0 and later
  • Azure Active Directory user credentials
  • Citrix Cloud account, with Citrix Cloud Connector installed for directory services synchronization

Configure Citrix Cloud to use Azure Active Directory as your identity provider

To configure Azure Active Directory in Citrix Cloud:

  1. Go to https://citrix.cloud.com and sign in to your Citrix Cloud account.

  2. From the Citrix Cloud menu, go to the Identity and Access Management page and connect to Azure Active Directory.


  3. Type your administrator sign-in URL and then click Connect.


  4. After you sign in, your Azure Active Directory account connects to Citrix Cloud. The Identity and Access Management > Authentication page shows which accounts to use to sign in to your Citrix Cloud and Azure AD accounts.


Configure Citrix identity as the IdP type for Endpoint Management

After you configure Azure Active Directory in Citrix Cloud, configure Endpoint Management as follows.

  1. In the Endpoint Management console, go to Settings > Identity Provider (IDP) and then click Add.

  2. In the Identity Provider (IDP) page, configure the following:


    • IDP Name: Type a unique name to identify the IdP connection that you are creating.
    • IDP Type: Choose Citrix Identity Platform.
    • Authentication Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, your domain appears on the Citrix Cloud Identity and Access Management > Authentication page.
  3. Click Next. In the IDP Claims Usage page, configure the following:


    • User Identifier type: This field is set to userPrincipalName.
    • User Identifier string: This field is automatically filled.
  4. Click Next, review the Summary page, and then click Save.

Secure Hub users, Endpoint Management console users, and Self-Help Portal users can now sign in with their Azure Active Directory credentials.

Secure Hub authentication flow

With Endpoint Management configured to use Citrix identity as its IdP, the Secure Hub authentication flow is as follows for a device enrolled through Secure Hub:

  1. A user starts Secure Hub.
  2. Secure Hub passes the authentication request to Citrix identity, which passes the request to Azure Active Directory.
  3. The user types their user name and password.
  4. Azure Active Directory validates the user and sends a code to Citrix identity.
  5. Citrix identity sends the code to Secure Hub, which sends the code to the Endpoint Management server.
  6. Endpoint Management obtains an ID token by using the code and secret, and then validates the user information that’s in the ID token. Endpoint Management returns a session ID.
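The server side of steps 4 to 6, written as an added example rather than Citrix or Azure AD code: the authorization code is redeemed together with the client secret, the returned ID token is checked for signature, issuer, audience and expiry, the userPrincipalName claim is mapped to a known user, and only then is a session ID issued. The token endpoint, the HS256 signing key and all names (`exchange_code`, `validate_id_token`, `establish_session`, the `upn` claim, the `example.invalid` tenant) are constructed assumptions so the script runs offline; a real deployment verifies the IdP's RS256 signature against its published keys and also checks the nonce.

```python
import base64, hashlib, hmac, json, secrets
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def mint_id_token(claims, key):
    # Constructed stand-in for the ID token the IdP issues (HS256 only to keep this self-contained).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def exchange_code(code, client_secret, codes):
    # Simulated token endpoint: a code is single-use and bound to the client secret (step 6).
    entry = codes.pop(code, None)
    if entry is None or not hmac.compare_digest(entry["secret"], client_secret):
        return None
    return entry["id_token"]

def validate_id_token(token, key, issuer, audience, now):
    # Verify the signature first, then issuer, audience and expiry; return the claims or None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def establish_session(code, client_secret, codes, key, issuer, audience, directory, now):
    # Step 6 end to end: redeem the code, validate the token, map the UPN, then issue a session ID.
    token = exchange_code(code, client_secret, codes)
    claims = validate_id_token(token, key, issuer, audience, now) if token else None
    upn = claims.get("upn") if claims else None  # User Identifier type: userPrincipalName
    return {"session_id": secrets.token_hex(16), "upn": upn} if upn in directory else None

def demo(now=1_700_000_000):
    # Constructed scenario: a valid code, the same code replayed, and a code whose token has expired.
    key, secret = b"constructed-hs256-key", "constructed-client-secret"
    iss, aud, users = "https://idp.example.invalid/", "endpoint-management", {"alice@example.invalid"}
    fresh = mint_id_token({"iss": iss, "aud": aud, "exp": now + 300, "upn": "alice@example.invalid"}, key)
    stale = mint_id_token({"iss": iss, "aud": aud, "exp": now - 1, "upn": "alice@example.invalid"}, key)
    codes = {"c1": {"secret": secret, "id_token": fresh}, "c2": {"secret": secret, "id_token": stale}}
    first = establish_session("c1", secret, codes, key, iss, aud, users, now)
    replay = establish_session("c1", secret, codes, key, iss, aud, users, now)
    expired = establish_session("c2", secret, codes, key, iss, aud, users, now)
    return first, replay, expired
```

Only the first call in `demo()` yields a session; the replayed code and the expired token are both rejected before any session ID is created.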
