Domain pass-through access matrix
If you use Citrix Workspace and want domain pass-through authentication, the tables in the following sections list the possible scenarios and indicate whether domain pass-through can be achieved in each one.
The header elements used in the tables are explained as follows:
- End Point joined to: Indicates the directory to which the endpoint is joined. The directory provides access control to on-premises resources. This can be on-premises Active Directory (AD), Azure Active Directory (AAD) or hybrid.
- Identity Provider (IdP): Entity used to provide authentication services to Citrix Workspace. It allows you to connect to the resources.
- Federated Authentication Service (FAS): For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
- Virtual Delivery Agent (VDA): For more information, see Install VDAs.
- VDA Joined to: Indicates the directory to which the VDA device is joined. For more information, see Identity and access management.
- Single sign-on (SSO) to Citrix Workspace/VDA: A Yes or No value indicates whether domain pass-through to Citrix Workspace or to the VDA is supported.
- Citrix Workspace app: To achieve single sign-on, see Configure single sign-on during fresh installation in Domain pass-through authentication.
Note:
You might require the latest version of Citrix Workspace app to get domain pass-through support for some of the following scenarios.
Domain pass-through support for Citrix Workspace
End Point Joined to | IdP | VDA Joined to | SSO to Citrix Workspace | SSO to VDA | Documentation |
---|---|---|---|---|---|
AD | On-premises Citrix Gateway | AD | Yes | Citrix Workspace app/FAS | Domain pass-through to Citrix Workspace using on-premises Citrix Gateway as the identity provider. |
AD | Adaptive Authentication | AD | Yes | Citrix Workspace app/FAS | To configure adaptive authentication, see Adaptive Authentication service and follow the instruction in Domain pass-through to Citrix Workspace using on-premises Citrix Gateway as the identity provider. |
AD | Citrix Gateway federated to another IdP (AAD/Okta) | AD | Yes | Citrix Workspace app/FAS | Configure IdP using Configure SAML single sign-on and refer to the documentation for the IdP used to configure domain pass-through. |
AD | Okta | AD | Yes | Citrix Workspace app/FAS | Domain pass-through to Citrix Workspace using Okta as identity provider. |
AD/Hybrid Joined | AAD (AD with AAD Connect) | AD | Yes | Citrix Workspace app/FAS ** | Domain pass-through to Citrix Workspace using Azure Active Directory as the identity provider. |
AD | Any SAML-based IdP (for example, ADFS) | AD | Yes | Citrix Workspace app/FAS | See Connect SAML as an identity provider to Citrix Cloud and refer to the documentation for the IdP used to configure the domain pass-through. |
AD | AD | AD | No | Not supported | NA |
AD | AD+OTP | AD | No | Not supported | NA |
AD | AAD | AAD | No | Not supported | NA |
AAD | AAD without on-premises AD | AD | Yes | FAS | Citrix Workspace uses Microsoft Edge WebView which allows SSO to workspace. SSO to VDA is supported via FAS. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service. |
AAD | AAD | AAD | Yes | User must enter credentials. | Citrix Workspace uses Microsoft Edge WebView which allows SSO to Workspace. SSO to VDA isn’t supported. |
Non-Domain Joined | IdP that supports passwordless authentication | AD | No | FAS | Citrix Workspace uses Microsoft Edge WebView which allows SSO to Workspace. SSO to VDA is supported via FAS. For more information, see Other ways to authenticate to Citrix Workspace. |
Notes:
- The client must be able to reach AD for Kerberos to work.
- **Citrix Single Sign-on (SSONSVR.exe) works only with the user name and password on the client. If the user signs in with Windows Hello, FAS is required.
- Authentication might not be fully silent in the cloud if LLT is enabled or if the end-user acceptance policy is configured.
- Configuring FAS is recommended because it also applies to non-Windows platforms.
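The first two notes above (the client must reach AD for Kerberos, and SSONSVR.exe must be present for the Citrix single sign-on component to work) can be verified on an endpoint before troubleshooting a silent-logon failure. The following PowerShell script is an added example and is not part of the Citrix documentation. It assumes an elevated PowerShell session on a Windows endpoint, that the single sign-on component runs as a process named ssonsvr, and that the standard Windows tools nltest.exe and klist.exe are available; the function name Test-DomainPassThroughPrereqs is my own.

```powershell
# Added example (not from the Citrix documentation): pre-flight checks for the
# "client must reach AD for Kerberos" and "SSONSVR.exe" notes in the access matrix.
# Assumptions: elevated PowerShell on a Windows endpoint; the Citrix single sign-on
# component runs as the process "ssonsvr"; nltest.exe and klist.exe are on the PATH.

function Test-DomainPassThroughPrereqs {
    [CmdletBinding()]
    param(
        # Domain in which to locate a domain controller; defaults to the logon domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $result = [ordered]@{
        Domain             = $Domain
        DomainJoined       = $false
        DomainControllerOk = $false
        SecureChannelOk    = $false
        KerberosTgtPresent = $false
        SsonSvrRunning     = $false
    }

    # 1. Is the endpoint joined to a domain at all? Domain pass-through with Kerberos
    #    only applies to AD-joined (or hybrid-joined) endpoints.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain

    if ($result.DomainJoined) {
        # 2. Can the DC locator find a domain controller? Without one, no Kerberos tickets.
        $null = & nltest.exe /dsgetdc:$Domain 2>&1
        $result.DomainControllerOk = ($LASTEXITCODE -eq 0)

        # 3. Is the machine's secure channel to the domain healthy?
        $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

        # 4. Does the current logon session already hold a TGT (a krbtgt/ ticket)?
        $tickets = & klist.exe tickets 2>&1
        $result.KerberosTgtPresent = [bool]($tickets | Select-String -Pattern 'krbtgt/' -Quiet)
    }

    # 5. Is the Citrix single sign-on component (SSONSVR.exe) running for this user?
    $result.SsonSvrRunning = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$check = Test-DomainPassThroughPrereqs
$check | Format-List

if (-not ($check.DomainJoined -and $check.DomainControllerOk -and $check.KerberosTgtPresent)) {
    Write-Warning 'Kerberos prerequisites for domain pass-through are not met; expect a credential prompt.'
}
if (-not $check.SsonSvrRunning) {
    Write-Warning 'SSONSVR.exe is not running; SSO to the VDA will need FAS or a credential prompt.'
}
```

A failing DomainControllerOk or KerberosTgtPresent check points at the "client must reach AD" note rather than at Citrix configuration; a missing SSONSVR.exe with an otherwise healthy Kerberos session points at the Citrix Workspace app installation, or at a Windows Hello sign-in for which the notes require FAS.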
Domain pass-through support for StoreFront
End Point Joined to | IdP | VDA Joined to | SSO to Citrix Workspace | SSO to VDA | Documentation |
---|---|---|---|---|---|
AD | StoreFront | AD | Yes | Citrix Workspace app | Domain pass-through authentication |
AD/Hybrid joined/Windows Hello for Business | StoreFront | AD | Yes (1) | Citrix Workspace app/FAS (2) | Domain pass-through authentication and Enable single sign-on for workspaces with Citrix Federated Authentication Service. |
AD | Citrix Gateway - Advanced Authentication | AD | Yes | Citrix Workspace app (3) | |
AD | Citrix Gateway - Basic authentication | AD | Yes | Citrix Workspace app (4) | Domain pass-through authentication. |
Notes:
1. If you have not installed the single sign-on component, open the Registry Editor, navigate to the following key, and set the SSONCheckEnabled string to False:
   HKEY_LOCAL_MACHINE\Software\{Wow6432}\Citrix\AuthManager\protocols\integratedwindows\
   The value prevents the Citrix Workspace app authentication manager from checking for the single sign-on component and allows Citrix Workspace app to authenticate to StoreFront.
2. If you are using Windows Hello to sign in, FAS and the registry configuration that enables SSO are required.
3. The client must be able to reach AD, because this method uses Kerberos.
4. Works even if the client cannot reach AD; Kerberos is not used.
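The registry change in note 1 can be applied and verified with the following PowerShell script, which is an added example rather than part of the Citrix documentation. It assumes that the "{Wow6432}" placeholder in the documented path stands for the Wow6432Node subkey that 64-bit Windows uses for 32-bit applications, that the value is a string (REG_SZ) as the note states, and that the script runs from an elevated prompt; the function name Set-CitrixSsonCheck is my own.

```powershell
# Added example (not from the Citrix documentation): sets the SSONCheckEnabled string from
# note 1 so that Citrix Workspace app authenticates to StoreFront when the single sign-on
# component is not installed.
# Assumptions: "{Wow6432}" in the documented path means the Wow6432Node subkey used for
# 32-bit applications on 64-bit Windows; the value is REG_SZ; run from an elevated prompt.

function Set-CitrixSsonCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('True', 'False')]
        [string]$Value = 'False'
    )

    $subPath = 'Citrix\AuthManager\protocols\integratedwindows'
    # Assumption: cover both the native view and the Wow6432Node view of HKLM\Software so the
    # setting is found regardless of which view the Citrix Workspace app process reads.
    $keys = @("HKLM:\Software\$subPath")
    if ([Environment]::Is64BitOperatingSystem) {
        $keys += "HKLM:\Software\Wow6432Node\$subPath"
    }

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
                $null = New-Item -Path $key -Force
            }
        }

        $current = (Get-ItemProperty -Path $key -Name SSONCheckEnabled -ErrorAction SilentlyContinue).SSONCheckEnabled
        if ($current -eq $Value) {
            Write-Verbose "$key\SSONCheckEnabled is already '$Value'"
            continue
        }

        if ($PSCmdlet.ShouldProcess("$key\SSONCheckEnabled", "Set string to '$Value'")) {
            # REG_SZ ("string"), as the note specifies, not a DWORD.
            $null = New-ItemProperty -Path $key -Name SSONCheckEnabled -PropertyType String -Value $Value -Force
        }
    }

    # Report the resulting values so the change can be verified (or audited) afterwards.
    foreach ($key in $keys) {
        [pscustomobject]@{
            Key              = $key
            SSONCheckEnabled = (Get-ItemProperty -Path $key -Name SSONCheckEnabled -ErrorAction SilentlyContinue).SSONCheckEnabled
        }
    }
}

# Only disable the check when the single sign-on component (SSONSVR.exe) is absent;
# with it installed, the documented default behaviour should be left in place.
if (-not (Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)) {
    Set-CitrixSsonCheck -Value 'False' -Verbose
}
```

Run with `-WhatIf` first to see which keys would be created or changed; the function is idempotent, so re-running it on an endpoint that already has the value set only reports the current state.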