Simplified single sign-on for web and SaaS apps

Note:

Configuring single sign-on (SSO) with the PowerShell module will be deprecated soon. We therefore recommend that you configure SSO through the Global App Configuration service. For more information, see Manage single sign‑on for Web and SaaS apps through the Global App Configuration service.

Single sign-on is an authentication capability that lets users access multiple applications with one set of sign-in credentials. Enterprises typically use SSO authentication to provide simpler access to various web, on-premises, and cloud applications for a better user experience.

The SSO feature helps administrators:

  • control user access
  • reduce password-related support calls
  • improve security and compliance.

Previously, SSO had to be configured for every web or SaaS app that was deployed. For more information, see Workspace Single Sign-On.

This feature aims to reduce the SSO configuration to a single PowerShell command. It applies to all web and SaaS apps across platforms, without configuring the Gateway Service in the identity provider (IdP) chain. It also improves the user experience, provided the same IdP is used for authentication to both Citrix Workspace app and the web or SaaS app.

The PowerShell module uses the StoreFrontConfiguration service that runs in Citrix Cloud to get and set the configurations for your workspace. This module helps you to configure certain properties for your Citrix Workspace.

To download, click PowerShell Module for Citrix Workspace Configuration.

Prerequisites

  • Use the same identity provider (IdP) for authenticating to the Citrix Workspace app and a particular web or SaaS app.
  • Enable persistent cookies within the third-party IdP configuration for a seamless SSO experience.
  • The minimum Citrix Workspace app version required on the native operating systems is:

    • Citrix Workspace app for Windows 2204.1
    • Citrix Workspace app for macOS 2203.1
    • Citrix Workspace app for Android 22.3.5
    • Citrix Workspace app for iOS 22.3.5
  • This feature is not supported on Android and iOS if Google IdP is used.

Note:

  • The simplified SSO feature changes the web view used for authenticating to the Citrix Workspace app: on Android it changes to Android WebView, and on iOS to WKWebView. Citrix recommends that administrators test Android WebView and WKWebView to verify any limitations that might apply when using other Endpoint Management configurations, such as conditional access with Intune.
  • You can disable the SSO feature for a particular operating system if necessary. For more information, see the Set-WorkspaceCustomConfigurations section in this article.

Before you begin

To configure SSO, you must have the following:

  • ClientId
  • ClientSecret
  • PowerShell command syntax

Get ClientId and ClientSecret

To generate the ID and the Secret values, do the following:

  1. Sign in to the Citrix Cloud console with your Citrix Cloud credentials.
  2. Navigate to Identity and Access Management.
  3. Go to the API Access tab > Secure Clients > enter the secure client’s name in the Name your Secure Client field > click Create Client.

    The message "The ID and Secret have been created successfully" appears.

  4. (Optional) Download the ID and the Secret values in a .csv file format for future use. For more information, see Get started with Citrix Cloud APIs.

PowerShell module syntax

The PowerShell module consists of the following two commands:

  • Get-WorkspaceCustomConfigurations
  • Set-WorkspaceCustomConfigurations

Get-WorkspaceCustomConfigurations

The syntax is as follows:

Get-WorkspaceCustomConfigurations [-WorkspaceUrl] <String> [-ClientId] <String> [-ClientSecret] <String>

Example:

Get-WorkspaceCustomConfigurations -WorkspaceUrl 'https://xyz.cloud.com' -ClientId 'abc-0000-xyz00' -ClientSecret 'abcdefg12345'

Note:

The client secret has been redacted.

Set-WorkspaceCustomConfigurations

The syntax is as follows:

Set-WorkspaceCustomConfigurations [-WorkspaceUrl] <URL> [-ClientId] <String> [-ClientSecret] <String> [-IdpDomains] <String[]> [[-IosWebViewType] <String>] [[-AndroidWebViewType] <String>] [[-WindowsShareIdpSessions] <Boolean>] [[-MacShareIdpSessions] <Boolean>] [[-LinuxShareIdpSessions] <Boolean>]

Example:

Set-WorkspaceCustomConfigurations -WorkspaceUrl 'https://xyz.cloud.com' -ClientId 'abc-0000-xyz00' -ClientSecret 'abcdefg12345' -IdpDomains @('abc.okta.com', 'xyz.okta.com') -IosWebViewType "wkwebview" -AndroidWebViewType "webview" -WindowsShareIdpSessions $true -MacShareIdpSessions $true -LinuxShareIdpSessions $true

Note:

The client secret has been redacted.

The following table describes the key-value pairs:

| Key | Value |
|---|---|
| IdpDomains | List of IdP domains. The list depends on the identity provider used in the environment. |
| WindowsShareIdpSessions | Boolean value to toggle the functionality on the Citrix Workspace app for Windows. The accepted values are either true or false. |
| MacShareIdpSessions | Boolean value to toggle the functionality on the Citrix Workspace app for macOS. The accepted values are either true or false. |
| LinuxShareIdpSessions | Boolean value to toggle the functionality on the Citrix Workspace app for Linux. This functionality is not available for Citrix Workspace app for the Linux operating system. The accepted values are either true or false. |
| IosWebViewType | The WKWebView is used to authenticate when you sign in to the Citrix Workspace app for iOS. The accepted values are either wkwebview (WKWebView) to enable SSO or safari (SafariViewController) to disable SSO. The SafariViewController is the default authentication web view for the Citrix Workspace app for iOS. |
| AndroidWebViewType | The WebView is used to authenticate when you sign in to the Citrix Workspace app for Android. The accepted values are either webview (WebView) to enable SSO or cctab (ChromeCustomTab) to disable SSO. The ChromeCustomTab is the default authentication web view for the Citrix Workspace app for Android. |

How to configure SSO

To configure SSO using the PowerShell module, do the following:

  1. Download and save the PowerShell Module for Citrix Workspace Configuration.
  2. Open PowerShell.
  3. Navigate to the Citrix.Workspace.StoreConfigs folder.
  4. Import the PowerShell module. The syntax is as follows: Import-Module ./Citrix.Workspace.StoreConfigs
  5. Run the Get-WorkspaceCustomConfigurations command to check the existing values.
  6. Run the Set-WorkspaceCustomConfigurations command to apply SSO.
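
The steps above as one script, added here as an example and not taken from Citrix's documentation or module: it prompts for the client secret instead of typing it on the command line (where shell history records it), checks each IdP domain, saves the current values before changing them, and leaves the mobile web views on their documented defaults until they have been tested. The workspace URL, client ID, IdP domain and output file name are placeholders.

```powershell
# Added example, not Citrix's code. URL, client ID, domain and file name are placeholders.
$ErrorActionPreference = 'Stop'
Import-Module ./Citrix.Workspace.StoreConfigs

$workspaceUrl = 'https://xyz.cloud.com'   # placeholder
$clientId     = 'abc-0000-xyz00'          # placeholder
$idpDomains   = @('abc.okta.com')         # placeholder; list only the IdP hosts in use

# Reject anything that is not a bare DNS host name (URLs, wildcards, empty strings).
foreach ($d in $idpDomains) {
    if ([System.Uri]::CheckHostName($d) -ne [System.UriHostNameType]::Dns) {
        throw "IdP domain '$d' is not a plain DNS host name"
    }
}

# Prompt for the secret so it is never part of a typed command line.
$secure = Read-Host -Prompt 'Client secret' -AsSecureString

# -ClientSecret is documented as <String>, so convert only when building the call.
$auth = @{
    WorkspaceUrl = $workspaceUrl
    ClientId     = $clientId
    ClientSecret = [System.Net.NetworkCredential]::new('', $secure).Password
}

try {
    # Step 5: record the existing values so the change can be reviewed or reverted.
    $before = Get-WorkspaceCustomConfigurations @auth
    $before | Out-File -FilePath ./workspace-config-before.txt

    # Step 6: enable session sharing on Windows and macOS only.
    # safari and cctab are the documented defaults (SSO disabled) for iOS and Android.
    $settings = @{
        IdpDomains              = $idpDomains
        WindowsShareIdpSessions = $true
        MacShareIdpSessions     = $true
        LinuxShareIdpSessions   = $false
        IosWebViewType          = 'safari'
        AndroidWebViewType      = 'cctab'
    }
    Set-WorkspaceCustomConfigurations @auth @settings

    # Read the configuration back to confirm what was applied.
    Get-WorkspaceCustomConfigurations @auth
}
finally {
    # Drop the plain-text copy of the secret from the session.
    $auth.ClientSecret = $null
    Remove-Variable -Name secure, auth
}
```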