Manage single sign‑on for Web and SaaS apps through the Global App Configuration service

Note:

We recommend you to restart Citrix Workspace app when you modify the Citrix Enterprise Browser settings in GACS. However, you can also wait for the automatic refresh to complete. For more information on the sync duration of policies fetched from GACS, refer Frequency of settings update.

Single sign‑on (SSO) is an authentication capability that enables you to access multiple applications using a single set of sign-in credentials. Enterprises typically use SSO authentication to simplify access to various web, on‑premises, and cloud applications for a better user experience.

The SSO feature gives administrators more control over:

• User access management.
• Reduction of password‑related support calls.
• Enhancement of security and compliance.

Previously, SSO was configured using either the PowerShell Module for Citrix Workspace Configuration or Workspace single sign-on via SPA.

From this version, the feature aims at reducing the SSO configuration to a single setting within the Global App Configuration service (GACS). This feature applies to all web and SaaS apps across platforms, without configuring the Gateway Service in the identity providers (IdPs) chain. This feature also improves the user experience, provided the same IdP is used for authentication to both the Citrix Workspace app and the web or SaaS app.

Prerequisites

• To configure this feature for Windows StoreFront, make sure to enable Microsoft Edge WebView For StoreFront Authentication using the steps provided in either the Using Global App Config service or Using GPO.
• Use the same identity provider (IdP) for authenticating to the Citrix Workspace app and a particular web or SaaS app.
• Enable persistent cookies within the third-party IdP configuration for a seamless SSO experience.
• The minimum Citrix Workspace app version required is Mac 2311 and Windows 2311.

Configuration through API

To configure, here’s an example JSON file to enable SSO feature:

{
  "serviceURL": {
    "url": "https://workspacestoretest.cloudburrito.com:443"
  },
  "settings": {
    "appSettings": {
      "platform": [
        {
          "category": "Browser",
          "userOverride": false,
          "assignedTo": [
            "AllUsersNoAuthentication"
          ],
          "settings": [
            {
              "name": "Citrix Enterprise Browser SSO",
              "value": {
                "CitrixEnterpriseBrowserSSOEnabled": true,
                "CitrixEnterpriseBrowserSSODomains": [
                  "abc.com",
                  "def.com"
                ]
              }
            }
          ]
        }
      ]
    },
    "name": "Admin UI",
    "description": "Updates from Admin UI",
    "useForAppConfig": true
  }
}
<!--NeedCopy-->

For more information on configuring through API, see the Global App Configuration Service developer documentation.

Configuration through UI

1. Go to the Citrix Cloud portal and sign in using your credentials.
2. Navigate to Workspace Configuration > App Configuration > Enterprise Browser.
3. Select the appropriate operating system under Configure Single Sign-On For Web/SaaS Apps section.
4. Click Edit.
5. On the Manage setting screen, select Enable Single Sign-on (SSO) on Citrix Enterprise Browser.
6. Click Add Domain, and enter the IdP domains you want to enable SSO for.

   Note:

   IdP domain is the authentication domain associated with an Identity Provider (IdP) to validate user credentials and confirm their identity. You can configure SSO to Citrix Workspace app using your organization’s Identity Provider.

7. Click Save draft.
8. On the Save Settings window, click Yes to save the settings.