Domain pass-through to Citrix Workspace using Azure Active Directory as the identity provider

You can implement single sign-on (SSO) to Citrix Workspace using Azure Active Directory (AAD) as the identity provider with domain-joined, hybrid-joined, and Azure AD enrolled endpoints/VMs.

With this configuration, you can also use Windows Hello to SSO to Citrix Workspace using AAD enrolled endpoints.

  • Authenticate to Citrix Workspace app using Windows Hello.
  • FIDO2-based authentication with the Citrix Workspace app.
  • Single sign-on to Citrix Workspace app from Microsoft AAD joined machines (AAD as IdP) and conditional access with AAD.

To achieve SSO to virtual apps and desktops, you can either deploy FAS (Federated Authentication Service) or configure Citrix Workspace app as follows.

Note:

You can achieve SSO to the Citrix Workspace resources only when using Windows Hello. However, you’re prompted for user name and password when accessing your published virtual apps and desktops. To avoid this prompt, deploy FAS, which provides SSO to virtual apps and desktops.

Prerequisites:

  1. Connect Azure Active Directory to Citrix Cloud. For more information, see Connect Azure Active Directory to Citrix Cloud in the Citrix Cloud documentation.
  2. Enable Azure AD authentication to access workspace. For more information, see Enable Azure AD authentication for workspaces in the Citrix Cloud documentation.

To achieve single sign-on to Citrix Workspace:

  1. Configure Citrix Workspace app with the includeSSON option.
  2. Disable the prompt=login parameter in Citrix Cloud.
  3. Configure Azure Active Directory pass-through with Azure Active Directory Connect.

Configure Citrix Workspace app to support SSO

Prerequisites:

  • Citrix Workspace version 2109 or higher.

Note:

If you’re using FAS for SSO, Citrix Workspace configuration isn’t needed.

  1. Install Citrix Workspace app from administrative command line with option includeSSON:

    CitrixWorkspaceApp.exe /includeSSON

  2. Sign out from the Windows client and sign in to start the SSON server.
  3. In the Citrix Workspace GPO, open Computer Configuration > Administrative Templates > Citrix Components > Citrix Workspace > User Authentication and allow Local user name and password.

    Note:

    These policies can be pushed to the client device via Active Directory. This step is required only when accessing Citrix Workspace from the web browser.

  4. Enable the setting as shown in the screenshot.

    [Screenshot: User authentication]

  5. Add the following trusted sites via GPO:

    • https://aadg.windows.net.nsatc.net
    • https://autologon.microsoftazuread-sso.com
    • https://xxxtenantxxx.cloud.com (your Workspace URL)

[Screenshot: Adding trusted site]
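The installation, SSON and trusted-site steps above, as an added PowerShell example that is not Citrix's own code: it runs the installer with /includeSSON, checks the installed version against the 2109 prerequisite, confirms that the ssonsvr.exe single sign-on process is running after the sign-out/sign-in of step 2, and writes the three trusted sites for a single test endpoint. Assumptions not taken from the page: the installer path, the /silent installer switch, the mapping of release 2109 to a 21.9.x.x DisplayVersion, and that the trusted sites are stored in the ZoneMapKey registry location used by the "Site to Zone Assignment List" policy. The Citrix "Local user name and password" policy of steps 3 and 4 is left to the GPO editor as the page describes.

```powershell
# Added example, not Citrix's own code. Run from an elevated PowerShell prompt on the endpoint.
param(
    [string]$InstallerPath = 'C:\Temp\CitrixWorkspaceApp.exe',  # assumed location of the installer
    [string]$WorkspaceUrl  = 'https://xxxtenantxxx.cloud.com'   # placeholder: replace with your Workspace URL
)

# Assumption: release 2109 installs with a 21.9.x.x DisplayVersion
$MinimumVersion = [version]'21.9.0.0'

# Step 1: run the installer with the includeSSON option (silent, wait for the exit code)
function Install-WorkspaceWithSson {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Installer not found: $Path" }
    $proc = Start-Process -FilePath $Path -ArgumentList '/includeSSON', '/silent' -Wait -PassThru
    return $proc.ExitCode
}

# Prerequisite check: read the installed Citrix Workspace version from the Uninstall registry keys
function Get-WorkspaceVersion {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
        Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }
    return $null
}

# Step 2 check: ssonsvr.exe is the single sign-on server that starts after the user signs in again
function Test-SsonRunning {
    return [bool](Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue)
}

# Step 5: add the trusted sites. Assumption: this is the registry location the
# "Site to Zone Assignment List" policy writes to; the data '2' selects the Trusted sites zone.
function Add-TrustedSites {
    param([string[]]$Sites)
    $zoneMapKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path -Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    foreach ($site in $Sites) {
        New-ItemProperty -Path $zoneMapKey -Name $site -Value '2' -PropertyType String -Force | Out-Null
    }
}

# --- main ---
$exitCode = Install-WorkspaceWithSson -Path $InstallerPath
if ($exitCode -ne 0) { Write-Warning "Installer exited with code $exitCode" }

$installed = Get-WorkspaceVersion
if (-not $installed -or $installed -lt $MinimumVersion) {
    Write-Warning "Citrix Workspace app $installed is below the required 2109 ($MinimumVersion)"
}

Add-TrustedSites -Sites @(
    'https://aadg.windows.net.nsatc.net',
    'https://autologon.microsoftazuread-sso.com',
    $WorkspaceUrl
)

# ssonsvr.exe only appears after the sign-out/sign-in of step 2, so report rather than fail
if (Test-SsonRunning) { Write-Host 'SSON server (ssonsvr.exe) is running.' }
else { Write-Host 'SSON server not running yet: sign out and sign in again (step 2).' }
```

For a fleet, keep the trusted-site list in the GPO as the page describes rather than writing the registry directly; the script is for validating one endpoint before the policy is rolled out. After it runs, the three entries should be visible under Internet Options > Security > Trusted sites > Sites.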

Disable prompt=login parameter in Citrix Cloud

By default, prompt=login is enabled for Citrix Workspace, which forces authentication even if the user opted to stay signed in or the device is Azure AD joined.

Contact Citrix Technical Support to disable the prompt=login parameter in your Citrix Workspace to achieve single sign-on. For more information, see Citrix Knowledge Center article CTX253779.

Configure Azure Active Directory pass-through with Azure Active Directory Connect

  • If you’re installing Azure Active Directory Connect for the first time, on the User sign-in page, select Pass-through Authentication as the sign-on method. For more information, see Azure Active Directory Pass-through Authentication: Quickstart in the Microsoft documentation.
  • If Microsoft Azure Active Directory Connect exists:

    1. Select the Change user sign-in task and click Next.
    2. Select Pass-through Authentication as the sign-in method.

Note:

You can skip this step if the client device is Azure AD joined or hybrid joined. If the device is AD joined, domain pass-through authentication works using Kerberos authentication.
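To decide whether the Azure AD Connect pass-through step applies to a given endpoint, the join state can be read from the output of dsregcmd /status. The following is an added PowerShell example, not Citrix's or Microsoft's code; it assumes that the Device State section of that output contains the AzureAdJoined and DomainJoined fields, and it embeds a constructed, abbreviated sample of that output so it runs offline.

```powershell
# Added example, not Citrix's or Microsoft's code.
# Parses "Name : Value" lines from dsregcmd /status into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Device State lines look like "             AzureAdJoined : YES"; box-drawing lines are skipped
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Classifies the device from the AzureAdJoined / DomainJoined fields (assumed field names)
function Get-JoinType {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $ad  = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $ad) { return 'HybridJoined' }
    if ($aad)          { return 'AzureAdJoined' }
    if ($ad)           { return 'DomainJoined' }
    return 'NotJoined'
}

# Maps the join type to the note above: Azure AD joined or hybrid joined devices skip the
# pass-through step; domain-only devices use Kerberos for domain pass-through.
function Get-PassThroughAdvice {
    param([string]$JoinType)
    switch ($JoinType) {
        'AzureAdJoined' { 'Device is Azure AD joined: the Azure AD Connect pass-through step can be skipped.' }
        'HybridJoined'  { 'Device is hybrid joined: the Azure AD Connect pass-through step can be skipped.' }
        'DomainJoined'  { 'Device is AD joined only: domain pass-through uses Kerberos; the Azure AD Connect pass-through step applies.' }
        default         { 'Device is not joined: domain pass-through to Citrix Workspace is not available.' }
    }
}

# Constructed sample (abbreviated) of dsregcmd /status output for a hybrid-joined device
$sampleOutput = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP'
)
Get-PassThroughAdvice -JoinType (Get-JoinType -State (ConvertFrom-DsregStatus -Lines $sampleOutput))

# On a real endpoint, replace the sample with the live output:
# $live = dsregcmd /status
# Get-PassThroughAdvice -JoinType (Get-JoinType -State (ConvertFrom-DsregStatus -Lines $live))
```

With the constructed sample the function reports the hybrid-joined case; running it with the live output gives the same decision for the actual device, which is useful when an SSO prompt appears and you need to confirm whether the endpoint is in the join state the configuration assumes.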
