Configuring Single sign-on to Workspace app

Single sign-on using Azure Active Directory

This section explains how you can implement single sign-on (SSO) using Azure Active Directory (AAD) as an identity provider with domain joined workloads in hybrid or AAD-only enrolled endpoints. With this configuration, you can authenticate to Workspace using Windows Hello or FIDO2 on endpoints that are enrolled to AAD.

Note:

If you use Windows Hello, as a standalone authentication, you can achieve SSO to Citrix Workspace app, but are prompted for user name and password while accessing published virtual apps or desktops. As a workaround, you can deploy a Federated Authentication Service (FAS) that allows you to achieve SSO to Citrix Virtual Apps and Desktops.

Prerequisites

Configuration

Perform the following steps to configure SSO on your device:

  1. Install the Citrix Workspace app using the Windows command line with the includeSSON option:

CitrixWorkspaceApp.exe /includeSSON

  1. Reboot your device.

  2. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.

  3. Go to Administrative Templates > Citrix Components > Citrix Workspace > User Authentication > Local user name and password.

  4. Select Enable pass-through authentication. Depending on the configuration and security settings, select Allow pass-through authentication for all ICA option for pass-through authentication to work.

  5. Modify the User Authentication settings in Internet Explorer by performing the following steps:

    • Open Internet Properties from the Control panel, navigate to General Properties > Local Intranet and click Sites.

    • In the Local Intanet window, click Advanced, add trusted sites, add the following trusted sites, and click Close:

      • https://aadg.windows.net.nsatc.net
      • https://autologon.microsoftazuread-sso.com
      • The name of your tenant, for example: https://xxxtenantxxx.cloud.com
  6. Disable additional authentication prompts by disabling the prompt=login attribute in your tenant. For more information, see User Prompted for Additional Credentials on Workspace URLs When Using Federated Authentication Providers. You can contact Citrix technical support to disable prompt=login attribute in your tenant to succesfully configure Single sign-on.

  7. Enable domain pass-through authentication on the Citrix Workspace app client. For more information, see Domain pass-through authentication.

  8. Restart the Citrix Workspace app for the changes to take effect.

Configuring Single sign-on to Workspace app