Single sign in with Azure Active Directory

Endpoint Management supports single sign-in with Azure Active Directory credentials for the following scenarios:

  • User enrollment through Citrix Secure Hub (Android or iOS)
  • For the RBAC User role, authentication to the Endpoint Management Self Help Portal
  • Administrator authentication to the Endpoint Management console
  • For Endpoint Management, administrator authentication to the Public API for REST Services by using a token retrieved through the Citrix Cloud API. For more information, see section 3.3.2, Login (Cloud Credentials), in the Public API for REST Services PDF.

Endpoint Management uses the Citrix Cloud service, Citrix Identity Platform, to federate with Azure Active Directory. Citrix Identity Platform is an identity provider (IDP) service.

To set up this service, you configure Citrix Cloud to use Azure Active Directory as your Identity Provider. Then, configure Citrix Identity Platform as the IDP type for Endpoint Management. Users can then log on to Secure Hub with their Azure Active Directory credentials. Secure Hub uses client certificate authentication for MAM devices.

Citrix recommends that you use Citrix Identity Platform instead of a direct connection to Azure Active Directory.

Prerequisites for single sign in with Azure Active Directory

  • NetScaler Gateway, configured for certificate-based authentication
  • Secure Hub 10.7.20 (minimum version)
  • Azure Active Directory user credentials

Configure Citrix Cloud to use Azure Active Directory as your Identity Provider

To configure Azure Active Directory in Citrix Cloud:

  1. Go to https://citrix.cloud.com and sign in to your Citrix Cloud account.

  2. From the Citrix Cloud menu, go to the Identity and Access Management page and connect to Azure Active Directory.

    Image of Citrix Cloud screen

  3. Type your administrator sign-in URL and then click Connect.

    Image of Citrix Cloud screen

  4. After you sign in, your Azure Active Directory account connects to Citrix Cloud. The Identity and Access Management > Authentication page shows which accounts to use to sign in to your Citrix Cloud and Azure AD accounts.

    Image of Citrix Cloud screen

Configure Citrix Identity Platform as the IDP type for Endpoint Management

After you configure Azure Active Directory in Citrix Cloud, configure Endpoint Management as follows.

  1. In the Endpoint Management console, go to Settings > Identity Provider (IDP) and then click Add.

  2. In the Identity Provider (IDP) page, configure the following:

    Image of IDP configuration screen

    • IDP Name: Type a unique name to identify the IDP connection that you are creating.
    • IDP Type: Choose Citrix Identity Platform.
    • Auth Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, find your domain on the Citrix Cloud Identity and Access Management > Authentication page.
  3. Click Next. In the IDP Claims Usage page, configure the following:

    Image of IDP configuration screen

    • User Identifier type: This field is set to userPrincipalName.
    • User Identifier string: This field is automatically filled.
  4. Click Next, review the Summary page, and then click Save.

    Secure Hub users, Endpoint Management console, and Self Help Portal users can now sign in with their Azure Active Directory credentials.

Endpoint Management administrator and user authentication flow

The sign-in screen for the Endpoint Management console and the Endpoint Management Self Help Portal includes the link Sign in with my company credentials.

Image of Endpoint Management sign in

Click that link to enter your Azure Active Directory credentials. After you authenticate successfully, Endpoint Management doesn’t require you to sign in again for future access.

If you sign in to the Endpoint Management console or Self Help Portal from a domain-joined device and click the Sign in with my company credentials link, Endpoint Management provides a single sign-on experience: no authentication prompt appears.

Secure Hub authentication flow

With Endpoint Management configured to use Citrix Identity Platform as its IDP, the Secure Hub authentication flow is as follows for a device enrolled through Secure Hub:

  1. A user starts Secure Hub.
  2. Secure Hub passes the authentication request to Citrix Identity Platform, which passes the request to Azure Active Directory.
  3. The user types their user name and password.
  4. Azure Active Directory validates the user and sends a code to Citrix Identity Platform.
  5. Citrix Identity Platform sends the code to Secure Hub, which sends the code to the Endpoint Management server.
  6. Endpoint Management obtains an ID token by using the code and secret, and then validates the user information that’s in the ID token. Endpoint Management returns a session ID.

Users of domain-joined devices can use their Azure Active Directory credentials for a single sign-on experience. For Endpoint Management local accounts, single sign-on isn’t available.
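The following Python is an added illustration of step 6 of the flow above. It is not Citrix code and does not describe how Citrix Identity Platform or Endpoint Management implement that step internally; it shows the checks a relying party must make on an ID token before it returns a session ID (signature, pinned algorithm, issuer, audience, expiry, nonce, and presence of the userPrincipalName identifier) and how a tampered, replayed, or expired token is refused. The issuer URL, client ID, shared secret, and the upn claim name are assumed placeholders, and HS256 with a shared secret stands in for the IDP's real signing key so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# All values below are constructed for this example; they are not Citrix or
# Azure AD endpoints, client IDs, or secrets.
EXPECTED_ISSUER = "https://idp.example.test"   # placeholder issuer (the IDP)
CLIENT_ID = "endpoint-management-demo"          # placeholder audience (the relying party)
CLIENT_SECRET = b"demo-shared-secret"           # placeholder; HS256 stands in for the IDP's signing key
UPN_CLAIM = "upn"                               # assumed claim name carrying userPrincipalName


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the IDP token endpoint: returns a compact JWS (HS256) ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_id_token(token: str, expected_nonce: str, key: bytes = CLIENT_SECRET,
                      now: Optional[int] = None) -> dict:
    """Checks the server must pass before trusting the user information in an ID token.

    Raises ValueError on any failure so that no session is created.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud")
    audience = [audience] if isinstance(audience, str) else (audience or [])
    if CLIENT_ID not in audience:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce ties this ID token to the authentication request the client started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get(UPN_CLAIM):
        raise ValueError("missing user identifier")
    return claims


def create_session(token: str, expected_nonce: str, sessions: dict,
                   now: Optional[int] = None) -> str:
    """Step 6: validate the ID token, then mint a session ID bound to the validated UPN."""
    claims = validate_id_token(token, expected_nonce, now=now)
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"upn": claims[UPN_CLAIM], "iss": claims["iss"]}
    return session_id


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed run-through: one valid token, then the rejections a defender expects."""
    sessions: dict = {}
    nonce = "nonce-from-client-request"
    good = issue_id_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "iat": now,
                           "exp": now + 300, "nonce": nonce, UPN_CLAIM: "alice@example.test"})
    sid = create_session(good, nonce, sessions, now=now)
    # Forgery attempt: change the UPN in the payload without re-signing.
    h, p, s = good.split(".")
    forged_claims = json.loads(_b64url_decode(p))
    forged_claims[UPN_CLAIM] = "admin@example.test"
    forged = f"{h}.{_b64url(json.dumps(forged_claims).encode())}.{s}"
    rejections = {}
    for name, tok, n, t in [("tampered", forged, nonce, now),
                            ("wrong_nonce", good, "other", now),
                            ("expired", good, nonce, now + 600)]:
        try:
            create_session(tok, n, sessions, now=t)
        except ValueError as err:
            rejections[name] = str(err)
    return {"session_user": sessions[sid]["upn"], "rejections": rejections}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file to see one accepted session and three rejections. In a real OpenID Connect deployment the signature is verified against the IDP's published public keys rather than a shared secret, and the session store would sit behind the same expiry and revocation controls as any other credential; the claim checks shown are the part that does not change.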