Secure workspaces

As an administrator, you can choose to have your subscribers (end users) authenticate to their workspaces using one of the following authentication methods:

  • Active Directory
  • Active Directory plus token
  • Azure Active Directory
  • Citrix Gateway
  • Okta (Technical Preview)

These authentication options are available to any Citrix Cloud service, including access control.

Access control is a feature that delivers access for end users to SaaS, web, and virtual apps with a single sign-on (SSO) experience.

Change authentication methods

Change how subscribers authenticate to their workspace in Workspace Configuration > Authentication > Workspace Authentication.


Important:

Switching authentication modes can take up to five minutes and causes an outage to your subscribers during that time. Citrix recommends limiting changes to the authentication methods to periods of low usage. If you do have subscribers logged on to Citrix Workspace using a browser or Citrix Workspace app, please advise them to close the browser or exit the app. After waiting approximately five minutes, they can log back on again using the new authentication method.

Active Directory

By default, Citrix Cloud uses Active Directory to manage subscriber authentication to workspaces. Using Active Directory requires that you have at least two Citrix Cloud Connectors installed in the on-premises Active Directory domain. For more information about installing the Cloud Connector, see Cloud Connector Installation.

Active Directory plus token

For additional security, Citrix Workspace supports a token as a second factor of authentication in addition to Active Directory sign-in.

When you use Active Directory plus token authentication, Workspace prompts all subscribers during every sign-in to enter a token from their enrolled device. Subscribers can enroll their devices by following the steps in Register devices for two-factor authentication. Currently, subscribers can enroll only one device at a time.

Active Directory plus token authentication has the following requirements:

  • A connection between Active Directory and Citrix Cloud, with at least two Cloud Connectors installed in your on-premises environment. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
  • In the Citrix Cloud console, Active Directory + Token authentication enabled on the Identity and Access Management page. For more information, see To enable Active Directory plus token authentication.
  • Subscribers need access to email to enroll devices.
  • During first-time sign-in to Workspace, subscribers follow the prompts to download the Citrix SSO app. The Citrix SSO app generates a unique one-time password on an enrolled device every 30 seconds.

To re-enroll devices

If a subscriber no longer has their enrolled device or needs to re-enroll it (for example, after erasing all content from the device), Workspace provides the following options:

  • Subscribers can re-enroll their devices using the same enrollment process described in Register devices for two-factor authentication. Because subscribers can enroll only one device at a time, enrolling a new device or re-enrolling an existing device removes the previous device registration, and Workspace shows a message that the device was removed.

  • Administrators can search for subscribers by Active Directory name and reset their device. To do that, go to Identity and Access Management > Recovery. During the next sign-on to Workspace, the subscriber experiences the first-time enrollment steps described in Register devices for two-factor authentication.

Azure Active Directory

Use of Azure Active Directory (AD) to manage subscriber authentication to workspaces has the following requirements:

  • Azure AD with a user who has global administrator permissions.
  • A Citrix Cloud Connector installed in the on-premises Active Directory domain. The machine must also be joined to the domain that is syncing to Azure AD.
  • VDA version 7.15.2000 LTSR CU, or 7.18 current release or later.
  • A connection between Azure AD and Citrix Cloud. For information, see Connect Azure Active Directory to Citrix Cloud. When syncing your Active Directory to Azure AD, the UPN and SID entries must be included in the sync. If these entries are not synchronized, certain workflows in Citrix Workspace will fail.

Warning:

  • If you are using Azure AD, do not make the registry change described in CTX225819. Making this change may cause session launch failures for Azure AD users.
  • Adding a group as a member of another group (nesting) is not supported for federated authentication using Azure AD. If you do assign a nested group to a catalog, members of that group can’t access apps from the catalog.

After enabling Azure AD authentication:

  • Manage users and user groups by using Citrix Cloud Library: Use only the Citrix Cloud Library to manage users and user groups. (Do not specify users and user groups when creating or editing Delivery Groups.)
  • Added security: Users are prompted to sign in again when launching an app or a desktop. This is intentional and provides more security, because the password information flows directly from the user's device to the VDA that is hosting the session.
  • Sign-in experience: Users have a different sign-in experience in Azure AD. Selecting Azure AD authentication provides federated sign-in, not single sign-on. Users sign in to workspace from an Azure sign-in page; however, they may have to authenticate a second time when opening an app or desktop from the Citrix Virtual Apps and Desktops service. To achieve single sign-on and prevent a second logon prompt, you need to enable the Citrix Federated Authentication Service in Citrix Cloud. See Enable single sign-on for workspaces with Citrix Federated Authentication Service for more information.

    You can customize the sign-in experience for Azure AD. For information, see the Microsoft documentation. Any sign-in customizations (the logo) made in Workspace Configuration do not affect the Azure AD sign-in experience.

The following diagram shows the sequence of Azure AD authentication.

Diagram of Azure AD authentication sequence

Citrix Gateway

Citrix Workspace supports using an on-premises Citrix Gateway as an identity provider to manage subscriber authentication to workspaces.

Citrix Gateway authentication has the following requirements:

  • A connection between your Active Directory and Citrix Cloud. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
  • Subscribers must be Active Directory users to sign in to their workspaces.
  • If you are performing federation, your AD users must be synchronized to the federation provider. Citrix Cloud requires the AD attributes to allow your users to sign in successfully.
  • An on-premises Citrix Gateway:
    • Citrix Gateway 12.1 54.13 Advanced edition or later
    • Citrix Gateway 13.0 41.20 Advanced edition or later
  • Citrix Gateway authentication is enabled on the Identity and Access Management page. This action generates the client ID, secret, and redirect URL required to create the connection between Citrix Cloud and your on-premises Gateway.
  • On the Gateway, an OAuth IDP authentication policy is configured using the generated client ID, secret, and redirect URL.

For more information, see Connect an on-premises Citrix Gateway as an identity provider to Citrix Cloud.

Subscriber experience with Citrix Gateway

When authentication with Citrix Gateway is enabled, subscribers experience the following workflow:

  1. The subscriber navigates to the Workspace URL in their browser or launches Workspace app.
  2. The subscriber is redirected to the Citrix Gateway logon page and is authenticated using any method configured on the Gateway (for example, RADIUS MFA, smart card, federation, conditional access policies, and so on). You can customize the Gateway logon page so that it looks the same as the Workspace sign-in page using the steps described in CTX258331.
  3. After successful authentication, the subscriber’s workspace appears.

Okta (Technical Preview)

Citrix Workspace supports using Okta as an identity provider to manage subscriber authentication to workspaces.

Note:

Okta authentication is currently in Technical Preview. Citrix recommends using technical preview features only in test environments.

Okta authentication has the following requirements:

  • A connection between your on-premises Active Directory and your Okta organization.
  • An Okta OIDC web application configured for use with Citrix Cloud. To connect Citrix Cloud to your Okta organization, you need to supply the Client ID and Client Secret associated with this application.
  • A connection between your on-premises Active Directory domain and Citrix Cloud, with Okta authentication enabled on the Identity and Access Management page.

For more information, see Connect Okta as an identity provider to Citrix Cloud.

After enabling Okta authentication, subscribers have a different sign-in experience. Selecting Okta authentication provides federated sign-in, not single sign-on. Subscribers sign in to workspace from an Okta sign-in page, but they may have to authenticate a second time when opening an app or desktop from the Citrix Virtual Apps and Desktops service. To enable single sign-on and prevent a second logon prompt, you need to use the Citrix Federated Authentication Service with Citrix Cloud. See Enable single sign-on for workspaces with Citrix Federated Authentication Service for more information.

Subscriber experience with Okta

When authentication with Okta is enabled, subscribers experience the following workflow:

  1. The subscriber navigates to the Workspace URL in their browser or launches the Workspace app.
  2. The subscriber is redirected to the Okta sign-in page and is authenticated using the method configured in Okta (for example, multifactor authentication, conditional access policies, and so on).
  3. After successful authentication, the subscriber’s workspace appears.

Citrix Federated Authentication Service (Technical Preview)

Citrix Workspace supports using Citrix Federated Authentication Service (FAS) to provide single sign-on to virtual apps and desktops. Subscribers signing in to their workspaces through Azure AD enter their credentials only once to access their apps and desktops.

Note:

Using Federated Authentication Service with Citrix Cloud is currently in Technical Preview. Citrix recommends using technical preview features only in test environments.

Using FAS with Workspace has the following requirements:

  • A FAS server configured as described in the Requirements section of the FAS product documentation.
  • A connection between your FAS server and Citrix Cloud. This connection is created through the Connect to Citrix Cloud option in the FAS installer. If your existing FAS server is older than Version 10, you can download the latest FAS software from Citrix and upgrade the server in-place before creating this connection. When you create the connection, you select the resource location where you want your FAS server to reside. Single sign-on is active for subscribers only in the resource locations where FAS servers are present.
  • A connection between your on-premises Active Directory domain and Citrix Cloud, with FAS enabled in Workspace Configuration.

For more information about using FAS with Citrix Cloud, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

Subscriber sign-out experience

Important:

If Citrix Workspace times out in the browser due to inactivity, subscribers remain signed in to Azure AD. This is by design, to prevent a Citrix Workspace timeout from forcing other Azure AD applications to close.

To close Citrix Workspace, use Settings > Log Off. That option completes the sign-out process from the workspace and Azure AD. If subscribers close the browser instead of using the Log Off option, they might remain signed in to Azure AD.